Re: Iptables not saving...

Be advised that top posting, and using HTML, is a sure-fire way to avoid
getting help on a mailing list.  There may well be someone out there who
might have the answer to all your woes, but dumps any messages posted
that way.




On Sun, 2006-04-23 at 09:34 -0400, Devon Harding wrote:
> The reason I want the chains saved, is because I'm using sshdblackd
> (http://www.sshblack.com) to block failed ssh attempts on my box

Considering this snippet from the website (below), I'm not sure that
saving the tables is a necessary step, nor perhaps even a good one.

"The blacklist is simply a list of source IP addresses that are
prohibited from making ssh connections to the protected host. Once a
predetermined amount of time has passed, the offending IP address is
removed from the blacklist."

> Here is everything that I did manually...
> 
> [root@mars ~]# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination         
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
> ACCEPT     all  --  anywhere             anywhere            
> BLACKLIST  tcp  --  anywhere             anywhere            tcp dpt:ssh 
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination         
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination         
> 
> Chain BLACKLIST (1 references)
> target     prot opt source               destination         
> DROP       all  --  uo82.internetdsl.tpnet.pl  anywhere        

If you're trying to keep a tight rein on SSH, I'd expect you to only
allow it through a range of predetermined IPs, even if you are taking
this approach of automatically blackbanning some IPs.


> [root@mars ~]# cat /etc/cron.hourly/iptables.cron 
> #!/bin/sh
> /sbin/iptables-save >/dev/null 2>&1

As you should see from your next sample output, iptables-save dumps to
standard out.  You want to direct its output to where iptables normally
keeps its rules, otherwise you'll be "saving" nothing.

If FC5 still uses the same place as FC4, I think you'll want to use the
iptables-save command more like how I mentioned it near the bottom of my
prior posting.

e.g. #!/bin/sh
     /sbin/iptables-save > /etc/sysconfig/iptables

Though, I think you could avoid having to do that just by having
iptables save its configuration at shutdown.  At next bootup, it'll pick
up from there, without needing a regular save.

> [root@mars ~]# /sbin/iptables-save
> # Generated by iptables-save v1.3.5 on Sun Apr 23 09:24:51 2006
> *filter
> :INPUT ACCEPT [19025:2595521]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [691823:184550717]
> :BLACKLIST - [0:0]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
> -A INPUT -i lo -j ACCEPT 
> -A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST 
> -A BLACKLIST -s 80.55.144.82 -j DROP 
> COMMIT 
> # Completed on Sun Apr 23 09:24:51 2006

*Showing* you what it *would* save.  You have to direct its output to a
file to really save it.

> [root@mars ~]# cat /etc/sysconfig/iptables
> # Generated by iptables-save v1.3.5 on Sun Apr 23 09:01:15 2006
> *filter
> :INPUT ACCEPT [18650:2543690]
> :FORWARD ACCEPT [0:0] 
> :OUTPUT ACCEPT [690115:184341112]
> :BLACKLIST - [0:0]
> [664430:180357913] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
> [3365:200808] -A INPUT -i lo -j ACCEPT 
> [6:360] -A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST 
> [3:180] -A BLACKLIST -s 80.55.144.82 -j DROP 
> COMMIT
> # Completed on Sun Apr 23 09:01:15 2006

At this point you should notice that the saved configuration is not the
same as your example above it.  The saved configuration is something
that was saved beforehand.

But here (below) you're striking another problem:

> [root@mars ~]# reboot             
>
> Last login: Sun Apr 23 09:20:19 2006 from pluto.domain.com
> [root@mars ~]# iptables -L
> Chain INPUT (policy ACCEPT) 
> target     prot opt source               destination         
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination         
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination         

Are you running more than one firewall program?  Some can fight with
each other.

It might be worth trying turning that IPTABLES_SAVE_ON_RESTART="yes"
back to "no", in case there's a fault where a "start" gets treated the
same as a "restart", and saves empty tables.

-- 
(Currently running FC4, occasionally trying FC5.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
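An added example, not code from the original thread or from sshblack: a small POSIX shell save script that does what the reply recommends (redirect iptables-save into the file the init script reads instead of /dev/null), but refuses to replace the saved file with a dump that carries no rules, which guards against the "saves empty tables" failure suspected above. The dump command and destination are parameters so the function can be exercised with constructed sample output; the /etc/sysconfig/iptables path is taken from the thread, and the sample addresses and function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original thread). Saves the live rule set to
# the file the FC init script reads, but only when the dump actually contains
# rules, so an emptied table set never overwrites a good saved copy.

# save_ruleset DUMP_CMD DEST
#   DUMP_CMD : command producing iptables-save output on stdout
#              (normally /sbin/iptables-save; a function in the tests below)
#   DEST     : file to update atomically (e.g. /etc/sysconfig/iptables)
# Returns 0 when DEST was replaced, 1 when the dump was rejected.
save_ruleset() {
    dump_cmd="$1"
    dest="$2"
    tmp="${dest}.tmp.$$"

    # Write the dump to a temp file beside the destination (same filesystem,
    # so the final mv is atomic) with owner-only permissions.
    if ! ( umask 077; $dump_cmd > "$tmp" ) 2>/dev/null; then
        rm -f "$tmp"
        return 1
    fi

    # Reject a dump with no COMMIT or no rule lines. Rule lines look like
    # "-A CHAIN ..." or, when saved with counters as in the thread's
    # /etc/sysconfig/iptables, "[pkts:bytes] -A CHAIN ...".
    if ! grep -q '^COMMIT' "$tmp" || \
       ! grep -Eq '^(\[[0-9]+:[0-9]+\] )?-A ' "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    mv -f "$tmp" "$dest"
}

# Constructed sample in the shape of the thread's iptables-save output.
fake_dump_ok() {
    cat <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:BLACKLIST - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
-A BLACKLIST -s 192.0.2.10 -j DROP
COMMIT
EOF
}

# Constructed sample of what an emptied table set looks like after a bad
# save: the built-in chains are there, but no rules at all.
fake_dump_empty() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Real use from cron: save_ruleset /sbin/iptables-save /etc/sysconfig/iptables
if [ "$#" -eq 2 ]; then
    save_ruleset "$1" "$2"
fi
```

Dropped in as /etc/cron.hourly/iptables.cron and invoked as `save_ruleset /sbin/iptables-save /etc/sysconfig/iptables`, this replaces the `>/dev/null` version quoted above; the same check is what you would want in any shutdown-time save path, since an empty dump is exactly the case where overwriting the old file loses the BLACKLIST chain.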

