Re: Iptables not saving...

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 4/24/06, Tim <ignored_mailbox@xxxxxxxxxxxx> wrote:
> Be advised that top posting, and using HTML, is a sure-fire way to avoid
> getting help on a mailing list.  There may well be someone out there who
> might have the answer to all your woes, but dumps any messages posted
> that way.
>
>
>
>
> On Sun, 2006-04-23 at 09:34 -0400, Devon Harding wrote:
> > The reason I want the chains saved, is because I'm uning sshdblackd
> > (http://www.sshblack.com) to block failed ssh attempts on my box
>
> Considering this snippet from the website (below), I'm not sure that
> saving the tables is a necessary step, nor perhaps even a good one.
>
> "The blacklist is simply a list of source IP addresses that are
> prohibited from making ssh connections to the protected host. Once a
> predetermined amount of time has passed, the offending IP address is
> removed from the blacklist."
>
> > Here is everything that I did manually...
> >
> > [root@mars ~]# iptables -L
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> > ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> > ACCEPT     all  --  anywhere             anywhere
> > BLACKLIST  tcp  --  anywhere             anywhere            tcp dpt:ssh
> >
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain BLACKLIST (1 references)
> > target     prot opt source               destination
> > DROP       all  --  uo82.internetdsl.tpnet.pl  anywhere
>
> If you're trying to keep a tight rein on SSH, I'd expect you to only
> allow it through a range of predetermined IPs, even if you are taking
> this approach of automatically blackbanning some IPs.
>
>
> > [root@mars ~]# cat /etc/cron.hourly/iptables.cron
> > #!/bin/sh
> > /sbin/iptables-save >/dev/null 2>&1
>
> As you should see from your next sample output, iptables-save dumps to
> standard out.  You want to direct its output to where iptables normally
> keeps its rules, otherwise you'll be "saving" nothing.
>
> If FC5 still uses the same place as FC4, I think you'll want to use the
> iptables-save command more like how I mentioned it near the bottom of my
> prior posting.
>
> e.g. #!/bin/sh
>      /sbin/iptables-save > /etc/sysconfig/iptables
>
> Though, I think you could avoid having to do that just by having
> iptables save its configuration at shutdown.  At next bootup, it'll pick
> up from there, without needing a regular save.
>
> > [root@mars ~]# /sbin/iptables-save
> > # Generated by iptables-save v1.3.5 on Sun Apr 23 09:24:51 2006
> > *filter
> > :INPUT ACCEPT [19025:2595521]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [691823:184550717]
> > :BLACKLIST - [0:0]
> > -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > -A INPUT -i lo -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
> > -A BLACKLIST -s 80.55.144.82 -j DROP
> > COMMIT
> > # Completed on Sun Apr 23 09:24:51 2006
>
> *Showing* you what it *would* save.  You have to direct its output to a
> file to really save it.
>
> > [root@mars ~]# cat /etc/sysconfig/iptables
> > # Generated by iptables-save v1.3.5 on Sun Apr 23 09:01:15 2006
> > *filter
> > :INPUT ACCEPT [18650:2543690]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [690115:184341112]
> > :BLACKLIST - [0:0]
> > [664430:180357913] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > [3365:200808] -A INPUT -i lo -j ACCEPT
> > [6:360] -A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
> > [3:180] -A BLACKLIST -s 80.55.144.82 -j DROP
> > COMMIT
> > # Completed on Sun Apr 23 09:01:15 2006
>
> At this point you should notice that the saved configuration is not the
> same as your example above it.  The saved configuration is something
> that was saved beforehand.
>
> But here (below) you're striking another problem:
>
> > [root@mars ~]# reboot
> >
> > Last login: Sun Apr 23 09:20:19 2006 from pluto.domain.com
> > [root@mars ~]# iptables -L
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
>
> Are you running more than one firewall program?  Some can fight with
> each other.
>
> It might be worth trying turning that IPTABLES_SAVE_ON_RESTART="yes"
> back to "no", in case there's fault where a "start" gets treated the
> same as a "restart", and saves empty tables.
>
> --
> (Currently running FC4, occasionally trying FC5.)
>
> Don't send private replies to my address, the mailbox is ignored.
> I read messages from the public lists.
>
> --
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>

I tried setting the script as described above & change the
/etc/sysconfig/iptables-config, but still get the same results on
reboot:

[root@mars ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux