On 4/24/06, Tim <ignored_mailbox@xxxxxxxxxxxx> wrote:
> Be advised that top posting, and using HTML, is a sure-fire way to avoid
> getting help on a mailing list.  There may well be someone out there who
> might have the answer to all your woes, but dumps any messages posted
> that way.
>
> On Sun, 2006-04-23 at 09:34 -0400, Devon Harding wrote:
> > The reason I want the chains saved, is because I'm using sshdblackd
> > (http://www.sshblack.com) to block failed ssh attempts on my box
>
> Considering this snippet from the website (below), I'm not sure that
> saving the tables is a necessary step, nor perhaps even a good one.
>
> "The blacklist is simply a list of source IP addresses that are
> prohibited from making ssh connections to the protected host. Once a
> predetermined amount of time has passed, the offending IP address is
> removed from the blacklist."
>
> > Here is everything that I did manually...
> >
> > [root@mars ~]# iptables -L
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> > ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> > ACCEPT     all  --  anywhere             anywhere
> > BLACKLIST  tcp  --  anywhere             anywhere            tcp dpt:ssh
> >
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain BLACKLIST (1 references)
> > target     prot opt source               destination
> > DROP       all  --  uo82.internetdsl.tpnet.pl  anywhere
>
> If you're trying to keep a tight rein on SSH, I'd expect you to only
> allow it through a range of predetermined IPs, even if you are taking
> this approach of automatically blackbanning some IPs.
>
> > [root@mars ~]# cat /etc/cron.hourly/iptables.cron
> > #!/bin/sh
> > /sbin/iptables-save >/dev/null 2>&1
>
> As you should see from your next sample output, iptables-save dumps to
> standard out.  You want to direct its output to where iptables normally
> keeps its rules, otherwise you'll be "saving" nothing.
>
> If FC5 still uses the same place as FC4, I think you'll want to use the
> iptables-save command more like how I mentioned it near the bottom of my
> prior posting.
>
> e.g.  #!/bin/sh
>       /sbin/iptables-save > /etc/sysconfig/iptables
>
> Though, I think you could avoid having to do that just by having
> iptables save its configuration at shutdown.  At next bootup, it'll pick
> up from there, without needing a regular save.
>
> > [root@mars ~]# /sbin/iptables-save
> > # Generated by iptables-save v1.3.5 on Sun Apr 23 09:24:51 2006
> > *filter
> > :INPUT ACCEPT [19025:2595521]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [691823:184550717]
> > :BLACKLIST - [0:0]
> > -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > -A INPUT -i lo -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
> > -A BLACKLIST -s 80.55.144.82 -j DROP
> > COMMIT
> > # Completed on Sun Apr 23 09:24:51 2006
>
> *Showing* you what it *would* save.  You have to direct its output to a
> file to really save it.
>
> > [root@mars ~]# cat /etc/sysconfig/iptables
> > # Generated by iptables-save v1.3.5 on Sun Apr 23 09:01:15 2006
> > *filter
> > :INPUT ACCEPT [18650:2543690]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [690115:184341112]
> > :BLACKLIST - [0:0]
> > [664430:180357913] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > [3365:200808] -A INPUT -i lo -j ACCEPT
> > [6:360] -A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
> > [3:180] -A BLACKLIST -s 80.55.144.82 -j DROP
> > COMMIT
> > # Completed on Sun Apr 23 09:01:15 2006
>
> At this point you should notice that the saved configuration is not the
> same as your example above it.  The saved configuration is something
> that was saved beforehand.
>
> But here (below) you're striking another problem:
>
> > [root@mars ~]# reboot
> >
> > Last login: Sun Apr 23 09:20:19 2006 from pluto.domain.com
> > [root@mars ~]# iptables -L
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
>
> Are you running more than one firewall program?  Some can fight with
> each other.
>
> It might be worth trying turning that IPTABLES_SAVE_ON_RESTART="yes"
> back to "no", in case there's a fault where a "start" gets treated the
> same as a "restart", and saves empty tables.
>
> --
> (Currently running FC4, occasionally trying FC5.)
>
> Don't send private replies to my address, the mailbox is ignored.
> I read messages from the public lists.
>
> --
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>

I tried setting the script as described above & changing the
/etc/sysconfig/iptables-config, but still get the same results on reboot:

[root@mars ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
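Two failure modes come up in the thread: the cron job that sent iptables-save to /dev/null (so nothing was ever written), and Tim's suspicion that a restart was saving empty tables over the good file. The script below is an added example, not from the thread, from Fedora's init scripts or from the sshblack project. It dumps the live ruleset to a temporary file, refuses to replace the saved file unless the dump contains at least one real rule, and only then renames it into place. The RULES_FILE and IPTABLES_SAVE environment overrides, the script name used in the guard, and the sanity-check rules are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): save the live iptables ruleset to the
# file the Fedora init script loads, but only if the dump looks like a real
# ruleset. The thread's cron job ran
#     /sbin/iptables-save >/dev/null 2>&1
# which saved nothing; the empty tables seen after reboot suggest an empty
# ruleset may also have been saved over the good one. Both are caught here.
# RULES_FILE and IPTABLES_SAVE are assumed overrides (useful for testing).

RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"
IPTABLES_SAVE="${IPTABLES_SAVE:-/sbin/iptables-save}"

# dump_looks_sane FILE
# Accept FILE only if it is an iptables-save dump with at least one rule.
# Rule lines are "-A ..." or, when saved with counters, "[pkts:bytes] -A ...",
# matching both of the dumps shown in the thread.
dump_looks_sane() {
    f="$1"
    [ -s "$f" ] || return 1
    grep -q '^\*filter' "$f" || return 1
    grep -q '^COMMIT' "$f" || return 1
    grep -Eq '^(\[[0-9]+:[0-9]+\] )?-A ' "$f" || return 1
    return 0
}

# count_rules FILE: number of -A rule lines, for reporting.
count_rules() {
    grep -Ec '^(\[[0-9]+:[0-9]+\] )?-A ' "$1"
}

# save_rules
# Dump the kernel ruleset to a temp file beside RULES_FILE, check it, and
# atomically rename it into place. Returns 0 on success, 1 if the dump was
# empty or malformed, in which case the previously saved file is untouched.
save_rules() {
    tmp="$(mktemp "${RULES_FILE}.XXXXXX")" || return 1
    if "$IPTABLES_SAVE" > "$tmp" 2>/dev/null && dump_looks_sane "$tmp"; then
        chmod 0600 "$tmp"            # the dump reveals the blacklist; root-only
        mv -f "$tmp" "$RULES_FILE"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# When installed under this (assumed) name, e.g. in /etc/cron.hourly, run it.
if [ "${0##*/}" = "iptables-save-checked.sh" ]; then
    if save_rules; then
        echo "saved $(count_rules "$RULES_FILE") rules to $RULES_FILE"
    else
        echo "refused to overwrite $RULES_FILE: empty or malformed dump" >&2
        exit 1
    fi
fi
```

The atomic rename matters for the same reason the check does: if the box reboots while the file is half-written, the init script loads whatever is there, and an empty or truncated /etc/sysconfig/iptables is exactly the symptom the thread is chasing. Note too that refusing an empty dump is only right when the host is expected to always carry rules; a box that legitimately flushes its tables would need a different policy.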