[Previo por Fecha] [Siguiente por Fecha] [Previo por Hilo] [Siguiente por Hilo]
[Hilos de Discusión] [Fecha] [Tema] [Autor]Jose Oviedo - //Cuastecomate wrote:
Hola!, tengo instalado Debian,mi duda es si agrego algo con iptables desde la consola y reinicio la maquina se pierde lo que agrege??, si es asi, en donde puedo poner todo lo que escribi para que se ponga automaticamente las reglas.
Al menos en redhat se guardan en /etc/sysconfig/iptablesya que como comenta anibal se indica en el scrip de arranque del servicio que trae el Red Hat, script que te incluyo por si Debian no lo trae (no conozco muy bien
el Debian tengo uno en la oficina pero en este momento estoy en casa )
============== SCRIPT QUE VIENE EN REDHAT 7.3 ===============
te lo mando adjunto...
"iptables"
que lo tome de
/etc/rc.d/init.d
============================================================
Saludos.
--
Francisco Vázquez
Linux Registred User #319298
_______ Hegel: "La libertad, es el pensamiento mismo, quien rechaza al pensamiento y habla de libertad no sabe lo que dice"
#!/bin/sh
#
# Startup script to implement /etc/sysconfig/iptables pre-defined rules.
#
# chkconfig: 2345 08 92
#
# description: Automates a packet filtering firewall with iptables.
#
# by bero en redhat com, based on the ipchains script:
# Script Author: Joshua Jensen <joshua en redhat com>
# -- hacked up by gafton with help from notting
# modified by Anton Altaparmakov <aia21 en cam ac uk>:
# modified by Nils Philippsen <nils en redhat de>
#
# config: /etc/sysconfig/iptables
# Source 'em up
. /etc/init.d/functions
IPTABLES_CONFIG=/etc/sysconfig/iptables
if [ ! -x /sbin/iptables ]; then
exit 0
fi
KERNELMAJ=`uname -r | sed -e 's,\..*,,'`
KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'`
if [ "$KERNELMAJ" -lt 2 ] ; then
exit 0
fi
if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ] ; then
exit 0
fi
if /sbin/lsmod 2>/dev/null |grep -q ipchains ; then
# Don't do both
exit 0
fi
iftable() {
if fgrep -qsx $1 /proc/net/ip_tables_names; then
iptables -t "$@"
fi
}
start() {
# don't do squat if we don't have the config file
if [ -f $IPTABLES_CONFIG ]; then
# If we don't clear these first, we might be adding to
# pre-existing rules.
action $"Flushing all current rules and user defined chains:" iptables -F
action $"Clearing all current rules and user defined chains:" iptables -X
chains=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $chains; do iptables -t $i -F; done && \
success $"Flushing all current rules and user defined chains:" || \
failure $"Flushing all current rules and user defined chains:"
for i in $chains; do iptables -t $i -X; done && \
success $"Clearing all current rules and user defined chains:" || \
failure $"Clearing all current rules and user defined chains:"
for i in $chains; do iptables -t $i -Z; done
echo $"Applying iptables firewall rules: "
grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /sbin/iptables-restore -c && \
success $"Applying iptables firewall rules" || \
failure $"Applying iptables firewall rules"
echo
touch /var/lock/subsys/iptables
fi
}
stop() {
chains=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $chains; do iptables -t $i -F; done && \
success $"Flushing all chains:" || \
failure $"Flushing all chains:"
for i in $chains; do iptables -t $i -X; done && \
success $"Removing user defined chains:" || \
failure $"Removing user defined chains:"
echo -n $"Resetting built-in chains to the default ACCEPT policy:"
iftable filter -P INPUT ACCEPT && \
iftable filter -P OUTPUT ACCEPT && \
iftable filter -P FORWARD ACCEPT && \
iftable nat -P PREROUTING ACCEPT && \
iftable nat -P POSTROUTING ACCEPT && \
iftable nat -P OUTPUT ACCEPT && \
iftable mangle -P PREROUTING ACCEPT && \
iftable mangle -P OUTPUT ACCEPT && \
success $"Resetting built-in chains to the default ACCEPT policy" || \
failure $"Resetting built-in chains to the default ACCEPT policy"
echo
rm -f /var/lock/subsys/iptables
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
# "restart" is really just "start" as this isn't a daemon,
# and "start" clears any pre-defined rules anyway.
# This is really only here to make those who expect it happy
start
;;
condrestart)
[ -e /var/lock/subsys/iptables ] && start
;;
status)
tables=`cat /proc/net/ip_tables_names 2>/dev/null`
for table in $tables; do
echo $"Table: $table"
iptables -t $table --list
done
;;
panic)
echo -n $"Changing target policies to DROP: "
iftable filter -P INPUT DROP && \
iftable filter -P FORWARD DROP && \
iftable filter -P OUTPUT DROP && \
iftable nat -P PREROUTING DROP && \
iftable nat -P POSTROUTING DROP && \
iftable nat -P OUTPUT DROP && \
iftable mangle -P PREROUTING DROP && \
iftable mangle -P OUTPUT DROP && \
success $"Changing target policies to DROP" || \
failure $"Changing target policies to DROP"
echo
iftable filter -F INPUT && \
iftable filter -F FORWARD && \
iftable filter -F OUTPUT && \
iftable nat -F PREROUTING && \
iftable nat -F POSTROUTING && \
iftable nat -F OUTPUT && \
iftable mangle -F PREROUTING && \
iftable mangle -F OUTPUT && \
success $"Flushing all chains:" || \
failure $"Flushing all chains:"
iftable filter -X INPUT && \
iftable filter -X FORWARD && \
iftable filter -X OUTPUT && \
iftable nat -X PREROUTING && \
iftable nat -X POSTROUTING && \
iftable nat -X OUTPUT && \
iftable mangle -X PREROUTING && \
iftable mangle -X OUTPUT && \
success $"Removing user defined chains:" || \
failure $"Removing user defined chains:"
;;
save)
echo -n $"Saving current rules to $IPTABLES_CONFIG: "
touch $IPTABLES_CONFIG
chmod 600 $IPTABLES_CONFIG
/sbin/iptables-save -c > $IPTABLES_CONFIG 2>/dev/null && \
success $"Saving current rules to $IPTABLES_CONFIG" || \
failure $"Saving current rules to $IPTABLES_CONFIG"
echo
;;
*)
echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
exit 1
esac
exit 0