[gentoo-user] Re: iptables wiki

[James <wireless@tampabay.rr.com>]

Daniel <danny <at> ilievnet.com> writes:



> > When I go to /etc/init to write my rules into firewall.sh
> > as specified in the aforementioned wiki I automatically get
> > this shoved into the script:
> > 
> > #!/sbin/runscript
> > # Copyright 1999-2006 Gentoo Foundation
> > # Distributed under the terms of the GNU General Public License v2
> > # $Header: $
> > depend() {
> > }
> > start() {
> > }
> > stop() {
> > }
> > restart() {
> > }

> > curiously none of the example talk about this.

> > Is this the correct place to put my script(/etc/init.d/, 
> > which is somewhat similar to the one suggested in the
> > wiki?

> > None of the examples I found googling discuss the details of where to put
> > the script, how to launch it and other such details. Any suggestion
> > are welcome. I have found lots of  example scripts similar to my 3 nic
> > net/lan/dmz setup though.

> > Any suggestions are very welcome.

> > James

> Actually IMHO gentoo has internal mechanism for dealing with iptables rules.

> After you are ready and sure the rules work OK, you do:

> 1) /etc/init.d/iptables save

agreed, but only if I load the rules manually; i.e.
entering the rules via  the command line such as
in D. Robbins doc: 
http://gentoo-wiki.com/HOWTO_Iptables_and_stateful_firewalls#Should_I_take_this_tutorial
> This would record your rules in /var/lib/iptables/rules-save as you


> issued the command "iptables-save > /var/lib/iptables/rules-save" ]

This will work if one loads the rules manually at the command line.
Where do I put a scirpt of iptables command, so it is read the
rule sets generated and then saved into /var/lib/iptables/rules-save?



> Then you put iptables in the init sequence so the rules are restored at
> every system start:

Details on were to put the script and how best to 'loaded' into the boot 
sequence via my script, is what is illusive. 

[A]  The best I can figure is
I put a script in /etc/, run it manually at the command line. The
ruleset will then be generated and saved into 
/var/lib/iptables/rules-save. Upon reboot, the /etc/init.d/iptables
script reads the /var/lib/iptables/rules-save file.

After that if I want to modify the rules, I edit my script, run
my script manually, then issue:
"iptables-save > /var/lib/iptables/rules-save" 
and my modifications are in the file that gentoo checks natively.

If I want to then test the rules, without rebooting, I issue:

/etc/init.d/iptables stop
/etc/init.d/iptables start

????
 
> 2) rc-update add iptables default

> This would do "iptablebs-restore < /var/lib/iptables/rules-save" at
> every boot.

yes, understood.

> 3) Additionally you can set some parameters in /etc/conf.d/iptables
understood.


What I'm looking for is the series of steps to 
1. Where best to locate my script?
2. Insert (new) commands into the script.
3. convert new scrited commands into rulesets 
4. Load rulesets into the /var/lib/iptables/rules-save
5.  Restart the iptables/netfilter firewall
6. Test the (new) rulesset
7. Go to step 2 and repeat until a wonderful firewall results.

If what I work above [A] is correct then I just need some suggestions
as to where the scipt should be located under /etc/, for 
consistentcy with gentoo mindsets.

If what I have written is incorrect, please correct with some detail?

PS: I'm not trying to be a pain, I just need to fully understand the
process on Gentoo.


James






-- 
gentoo-user@gentoo.org mailing list