Restoring iptables Automatically On Boot

Posted by jawnsy on Tue 9 Sep 2008 at 11:55

There used to be a script that did this automatically from /etc/init.d, but the suggested method now is to use the /etc/network/if-*.d hook scripts, which ifup and ifdown run whenever a network interface changes state. So I submit here my simple script, which does the trick for me nicely.

I tested this on Debian unstable (lenny/sid).

Drop this script into /etc/network/if-pre-up.d in a file called iptables. Keep the name plain: run-parts only executes files whose names consist of letters, digits, underscores and hyphens, so a name like iptables.sh would be silently skipped.

#!/bin/sh
#
# /etc/network/if-pre-up.d/iptables
#
# Load iptables rules before interfaces are brought online
# This ensures that we are always protected by the firewall
#
# Note: if bad rules are inadvertently (or purposely) saved it could block
# access to the server except via the serial tty interface.
#
# Exit status matters: ifup runs this directory with run-parts, and a
# non-zero exit aborts bringing the interface up. Missing tools exit 0
# (the package was removed on purpose); a ruleset file that is present
# but fails the checks exits 1, so the interface stays down instead of
# coming up unfiltered. Change those to "exit 0" if you prefer to fail open.

RESTORE=/sbin/iptables-restore
STAT=/usr/bin/stat
IPSTATE=/etc/iptables.conf

test -x "$RESTORE" || exit 0
test -x "$STAT" || exit 0

# Nothing saved yet is the documented initial state; let the interface up.
if test ! -e "$IPSTATE" && test ! -h "$IPSTATE"; then
  echo "$IPSTATE does not exist; no firewall rules loaded"
  exit 0
fi

# Refuse anything that is not a plain file. stat does not follow symlinks,
# so a link here would report its own mode and owner, not the target's.
if test -h "$IPSTATE" || test ! -f "$IPSTATE"; then
  echo "$IPSTATE must be a regular file; refusing to load it"
  exit 1
fi

# Check permissions (rw------- for root)
if test "$($STAT --format=%a "$IPSTATE")" != "600"; then
  echo "Permissions for $IPSTATE must be 600 (rw-------)"
  exit 1
fi

# Since only the owner can read/write to the file, we can trust that it is
# secure. We need not worry about group permissions since they should be
# zeroed per our previous check; but we must make sure root owns it.
if test "$($STAT --format=%u "$IPSTATE")" != "0"; then
  echo "The superuser must have ownership for $IPSTATE (uid 0)"
  exit 1
fi

# Now we are ready to restore the tables
"$RESTORE" < "$IPSTATE"

Then make the script executable and owned by root:

chmod +x iptables
chown root:root iptables

It loads the settings from $IPSTATE, by default /etc/iptables.conf. You have to save the rules manually; this makes sure you have verified that your rules work properly (i.e. that they don't block you from logging in remotely) before you decide to save them.

You do this by running "iptables-save > /etc/iptables.conf" (or whatever file you have chosen as your $IPSTATE file). A file created this way gets the mode your umask allows, normally 0644, so follow up with "chmod 600 /etc/iptables.conf" or the permission check above will refuse it. If the file is present but fails the ownership or permission checks, the script exits non-zero and ifup leaves that interface down rather than bring it up unfiltered; if no file exists yet, it prints a warning and lets the interface come up.
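As an added example (not part of the original article), here is a small helper for the save step that produces a file the loader above will accept: it writes under umask 077, renames into place so a half-written file can never be picked up at the next boot, refuses an empty ruleset, and then runs the same regular-file/owner/mode checks the boot script does. The function names and the .tmp suffix are my own; IPSTATE defaults to the article's /etc/iptables.conf.

```sh
#!/bin/sh
# Added example, not from the original article: save the live ruleset the
# way the if-pre-up.d loader expects to find it.  Function names are
# assumptions; IPSTATE defaults to the article's path.

IPSTATE=${IPSTATE:-/etc/iptables.conf}

# save_ruleset DEST: write stdin to DEST as a 0600 file, atomically.
# umask 077 means the temporary file is never readable by others, even
# briefly; mv into place means a crash mid-write leaves the old file intact.
save_ruleset() {
    dest=$1
    tmp="$dest.tmp.$$"
    ( umask 077 && cat > "$tmp" ) || { rm -f "$tmp"; return 1; }
    if [ ! -s "$tmp" ]; then
        # iptables-save always prints at least "*filter ... COMMIT"; an
        # empty stream means the dump failed upstream in the pipe.
        echo "refusing to save an empty ruleset to $dest" >&2
        rm -f "$tmp"
        return 1
    fi
    chmod 600 "$tmp" && mv -f "$tmp" "$dest"
}

# check_ruleset_file FILE [UID]: the same test the boot-time loader applies.
# Succeeds only for a regular file (not a symlink) owned by UID (default 0)
# with mode exactly 0600.  GNU stat does not follow symlinks, so a link
# planted at FILE reports its own 0777 mode and fails here anyway.
check_ruleset_file() {
    f=$1
    owner=${2:-0}
    [ -f "$f" ] && [ ! -h "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    [ "$(stat --format=%u "$f")" = "$owner" ] || { echo "$f: not owned by uid $owner" >&2; return 1; }
    [ "$(stat --format=%a "$f")" = 600 ] || { echo "$f: mode must be 0600" >&2; return 1; }
}

# Usage, as root, after confirming the live rules still let you log in:
#   iptables-save | save_ruleset "$IPSTATE" && check_ruleset_file "$IPSTATE"
```

If your iptables-restore supports the --test option, "iptables-restore --test < /etc/iptables.conf" parses the saved file without committing it, which is a cheap way to catch a syntax error before the next reboot does.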


Re: Restoring iptables Automatically On Boot
Posted by madduck (130.60.xx.xx) on Tue 9 Sep 2008 at 14:24
Why test permissions like you do? I suggest to verify that root owns the file and that group/other can't write to it instead. Otherwise you're too restrictive/paranoid. The file can and should be 0644 in my world.

Check out /usr/sbin/iptables-apply as well.

[ Parent | Reply to this comment ]

Re: Restoring iptables Automatically On Boot
Posted by jawnsy (99.255.xx.xx) on Wed 10 Sep 2008 at 01:08
I wanted to ensure 0600 because, on an untrusted machine (for example a public one with many users) it doesn't make sense to allow people to see iptables rules. They don't need to know anything about the characteristics of the firewall, in my mind.

I think, of course, "too restrictive/paranoid" varies from one scenario to another. And yes 0644 does work. What I really should have done is allowed the permissions part to be changed at-will, so maybe in an upcoming version of the script I will do so.

Thanks for your suggestion.

On another note, I read /usr/sbin/iptables-apply and can't figure out how it's any more useful than doing an iptables-save and iptables-restore manually. Perhaps you can enlighten me there?

[ Parent | Reply to this comment ]

Re: Restoring iptables Automatically On Boot
Posted by madduck (130.60.xx.xx) on Wed 10 Sep 2008 at 09:47
Of course local users don't need to know anything about the firewall, but it doesn't hurt. Or rather: it should not hurt! Your firewall must be designed to secure the system without any use of obscurity!

To understand iptables-apply, run iptables-restore with a ruleset that you hand-edited and where you made a mistake which would lock you out. iptables-apply reverts the ruleset unless you confirm that you can make new connections to the machine within a given time. It has saved me a lot of grief.

http://madduck.net/blog/2006.06.04:iptables-apply/

[ Parent | Reply to this comment ]
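The confirm-or-roll-back idea madduck describes, written out as an added example (this is not his iptables-apply, which is at the link above). The DUMP_CMD, LOAD_CMD and CONFIRM_CMD names are my own: they default to the iptables tools and an interactive prompt, and exist as variables so the control flow can be exercised with substitutes and without root.

```sh
#!/bin/sh
# Added example, not madduck's iptables-apply: load a new ruleset and fall
# back to the previous one unless the change is confirmed within a timeout.
# The three commands are variables (defaults assume the iptables tools) so
# the logic can be run against substitutes without touching a firewall.

: "${DUMP_CMD:=iptables-save}"       # writes the live ruleset to stdout
: "${LOAD_CMD:=iptables-restore}"    # replaces the live ruleset from stdin
: "${CONFIRM_CMD:=wait_for_enter}"   # exit 0 = the admin confirmed in time

# Default confirmation: a line on the terminal within $1 seconds.  If the
# new rules cut off the SSH session, nothing arrives and we roll back.
# 'read -t' is a bash/ksh extension; under plain dash it errors out, which
# counts as "not confirmed", the safe direction.
wait_for_enter() {
    printf 'Press Enter within %s seconds to keep the new rules: ' "$1"
    read -t "$1" _reply 2>/dev/null
}

# apply_with_rollback NEW_RULES_FILE [TIMEOUT_SECONDS]
# Returns 0 if the new rules were kept, 1 if they were rejected or rolled back.
apply_with_rollback() {
    new=$1
    timeout=${2:-10}
    backup=$(mktemp) || return 1      # mktemp creates the snapshot as 0600
    if ! $DUMP_CMD > "$backup"; then
        echo "could not snapshot the live ruleset; nothing changed" >&2
        rm -f "$backup"
        return 1
    fi
    if ! $LOAD_CMD < "$new"; then
        # iptables-restore commits table by table, so a parse error in a
        # later table can leave an earlier one already replaced: put the
        # snapshot back rather than trust the live state.
        echo "new ruleset rejected; restoring snapshot" >&2
        $LOAD_CMD < "$backup" || echo "rollback failed, check the firewall by hand" >&2
        rm -f "$backup"
        return 1
    fi
    if $CONFIRM_CMD "$timeout"; then
        rm -f "$backup"
        return 0
    fi
    echo "no confirmation within ${timeout}s; restoring previous ruleset" >&2
    $LOAD_CMD < "$backup" || echo "rollback failed, check the firewall by hand" >&2
    rm -f "$backup"
    return 1
}

# Usage, as root:  sh apply-with-rollback.sh /etc/iptables.conf.new 20
if [ $# -ge 1 ]; then
    apply_with_rollback "$@"
fi
```

Confirm from a second, fresh connection rather than the one you were already holding: an existing TCP session often survives rules that would stop a new one.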

Re: Restoring iptables Automatically On Boot
Posted by Anonymous (87.194.xx.xx) on Tue 9 Sep 2008 at 18:28
Surely it's simpler to do this in /etc/network/interfaces...? E.g.

iface eth0 inet static
...
pre-up iptables-restore < /etc/iptables-eth0.conf

[ Parent | Reply to this comment ]

Re: Restoring iptables Automatically On Boot
Posted by jawnsy (129.100.xx.xx) on Wed 10 Sep 2008 at 14:53
It is simpler, but not exactly the Debian Way.

Your method is indeed simple, but consider that you are lacking all of the checks I have in place: testing that it is owned by root, testing permissions. Without these, anyone can write to the file, which makes it dangerous to load as a firewall ruleset.

Secondly, what I mean by it not being the "Debian Way" is that it's not in a separate .d file. Those .d directories are very useful because you can simply move files in and out of there, whereas you'd have to do a bit more work editing config files otherwise.

The .d structure allows debian packages to do most of their magic, as well as the Apache2 a2enmod scripts et al.

[ Parent | Reply to this comment ]

Re: Restoring iptables Automatically On Boot
Posted by Anonymous (85.243.xx.xx) on Thu 11 Sep 2008 at 16:42
How does a non-root user do what you say?
I mean, one would save the rules as root, in a directory, say, iptables, created by root.
You can't change interfaces if you're not root, and you can't tamper with the file.

Help me if I'm missing something, I'm new to this.

[ Parent | Reply to this comment ]

Re: Restoring iptables Automatically On Boot
Posted by jawnsy (129.100.xx.xx) on Fri 12 Sep 2008 at 17:37
Sure, if you save it as root then the file will be owned by root. But if you accidentally (or someone intentionally) modifies the permissions of it, or changes the ownership, iptables-restore will simply load the rules blindly.

It's safer to actually check ownership and permissions before loading those; otherwise if you accidentally leave the file as 666 or 777 or otherwise writable by others, then it becomes vulnerable.

When you do the first save of your iptables rules, most people would check that the permissions are set correctly. But you never know if another script or another administrator changes the permissions, and you want to make sure that you don't load anything dangerous.

The only thing is that you may wish to relax the permissions up to 0644, because others have commented that there may be no need or benefit from hiding the file contents from non-root users.

[ Parent | Reply to this comment ]

Re: Restoring iptables Automatically On Boot
Posted by Jubei (180.18.xx.xx) on Tue 20 Mar 2012 at 15:40
Please correct me if I'm wrong. If an attacker has managed to gain enough privileges to alter the file containing the firewall rules (or its permissions), wouldn't he be able to also alter your .d script to achieve his goals?

[ Parent | Reply to this comment ]

Re: Restoring iptables Automatically On Boot
Posted by Anonymous (190.55.xx.xx) on Wed 10 Sep 2008 at 00:17
With restore you are replacing any already loaded rule (consider interaction with fail2ban, for example) and the iptables-save format is quite unreadable. So I would prefer using other options, like ferm or creating an iptables script per board.

[ Parent | Reply to this comment ]

Re: Restoring iptables Automatically On Boot
Posted by jawnsy (129.100.xx.xx) on Wed 10 Sep 2008 at 14:57
This is true. I don't personally use fail2ban and am a fan of the iptables recent module instead.

I don't think iptables-save is unreadable at all - it just dumps whatever you throw into iptables in the beginning. But yes, if you have a large ruleset generated by a script like fail2ban, then you are going to have a huge script.

Still, the script only does the iptables-restore part, so just don't manually save anything, which should prevent it from dumping a huge ruleset. Just load a basic set of rules that should always be in place, and then fail2ban can add more, and at the next reboot, the basic rules will be restored, but the fail2ban ones will be cleared.

In conclusion, you still *could* use this for what you want, but it does make it more complicated as iptables-save has no way of knowing which rules are added by fail2ban and which are added manually.

[ Parent | Reply to this comment ]

Re: Restoring iptables Automatically On Boot
Posted by Anonymous (190.169.xx.xx) on Fri 12 Sep 2008 at 17:00
Sorry, I don't see "if-pre-up.d" in /etc/init.d in Debian 4.

[ Parent | Reply to this comment ]

Re: Restoring iptables Automatically On Boot
Posted by jawnsy (129.100.xx.xx) on Fri 12 Sep 2008 at 17:27
Oops, I missed that. I typo'd there, it is supposed to be /etc/network/if-pre-up.d - corrected in the article, thanks for the comment!

[ Parent | Reply to this comment ]

Re: Restoring iptables Automatically On Boot
Posted by Anonymous (129.101.xx.xx) on Sat 13 Sep 2008 at 01:13
Could you run something similar from /etc/network/if-post-down.d to save the current state before shutdown just in case you forget to do it during those few-and-far-between reboots?

[ Parent | Reply to this comment ]

Re: Restoring iptables Automatically On Boot
Posted by jawnsy (129.100.xx.xx) on Tue 30 Sep 2008 at 15:51
In theory, yes you can. However, I wouldn't recommend it; as mentioned in the initial article, the reason being that, if you add a bad rule by mistake, you simply have to reboot in order to get back to a working version.

Saves should be pretty infrequent and should be done manually. The philosophy here is that, if your machine doesn't shut down cleanly anyway, you're going to lose the rule. So best to save right after you add new rules.

Hope this helps!

[ Parent | Reply to this comment ]

Re: Restoring iptables Automatically On Boot
Posted by fugit (199.2.xx.xx) on Mon 29 Sep 2008 at 18:54
I like the security checks of file permissions. Like others stated fail2ban puts a hamper on this method in my case. I prefer to use a script and call it via pre-up in the interfaces file.

[ Parent | Reply to this comment ]

Re: Restoring iptables Automatically On Boot
Posted by jawnsy (129.100.xx.xx) on Tue 30 Sep 2008 at 14:53
As I mentioned before, I don't think it hampers your setup at all.

I would do something like this:
1. Take the machine offline
2. Set up the base rules as you would like them (allow incoming connections to port 80, etc)
3. Save the rules
4. Load fail2ban

Then the new rules that are added won't be restored upon boot. The downside, of course, is that if you ever need to change the settings, you would have to take the machine offline again (or otherwise make it "safe" from outside attacks), flush the rules, and load the rules (manually using iptables-restore or using the script).

Then, you'd add the rules you needed, save them again, and let fail2ban do its work as per usual.

If you also read about chaining, you may be able to add a special chain for fail2ban. Then use a -j FAIL2BAN chain... Then simply prevent iptables-save from saving the FAIL2BAN chain (hopefully this can be accomplished via some command line options)

[ Parent | Reply to this comment ]
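On jawnsy's last point: iptables-save has no option to leave a chain out, so the practical way is to filter its output before writing the file. The following is an added example, not from the thread, and assumes the dynamic chains share a name prefix, as fail2ban's do (f2b-<jail> in current releases, fail2ban-<jail> in older ones). The sample ruleset in the block is constructed, not captured from a real machine.

```sh
#!/bin/sh
# Added example, not from the thread: drop one tool's dynamic chains from
# iptables-save output before persisting it, so a reboot restores only the
# hand-written base rules.  Assumes plain iptables-save output (no -c
# counters) and chains that share a name prefix such as fail2ban's f2b-.

# strip_chains PREFIX  (reads a ruleset on stdin, writes the filtered one)
# Three kinds of line have to go together: the chain declaration, every rule
# inside the chain, and every jump into it from another chain.  Dropping the
# declaration but keeping a "-j f2b-sshd" rule would make iptables-restore
# fail at boot, which is worse than either keeping or dropping both.
strip_chains() {
    awk -v p="$1" '
        # chain declaration, e.g. ":f2b-sshd - [0:0]"
        /^:/ && index($1, ":" p) == 1 { next }
        # rule belonging to the chain, e.g. "-A f2b-sshd -s 203.0.113.7/32 -j REJECT"
        /^-A / && index($2, p) == 1 { next }
        # jump or goto into the chain from elsewhere, e.g. "-A INPUT ... -j f2b-sshd"
        /^-A / {
            for (i = 3; i < NF; i++)
                if (($i == "-j" || $i == "-g") && index($(i + 1), p) == 1) next
        }
        { print }
    '
}

# Constructed sample of what iptables-save prints with one fail2ban jail
# (sshd) active and one address currently banned.
SAMPLE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j f2b-sshd
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A f2b-sshd -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
COMMIT'

# base_rules_from_sample: the sample with the fail2ban chain removed, i.e.
# what you would want in /etc/iptables.conf.
base_rules_from_sample() {
    printf '%s\n' "$SAMPLE" | strip_chains f2b-
}

# Real use, as root, after checking the live rules still let you in:
#   iptables-save | strip_chains f2b- > /etc/iptables.conf
base_rules_from_sample
```

fail2ban recreates its chains and the jump into them when it starts, so nothing is lost by leaving them out; what you avoid is restoring stale bans and, worse, a dangling jump that stops the whole ruleset from loading.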

Re: Restoring iptables Automatically On Boot
Posted by l4ncel0t (82.66.xx.xx) on Fri 3 Oct 2008 at 10:19
Hi

I just generate a script with Firewall Builder and put it in
/etc/network/if-pre-up.d automatically from Firewall Builder.

Works very well.

[ Parent | Reply to this comment ]

Re: Restoring iptables Automatically On Boot
Posted by Anonymous (62.68.xx.xx) on Tue 7 Oct 2008 at 12:19
I have made a package, iptables-service, which works the way it is done in Red Hat.

After installing, you can use it like this:

debian:/var/www/debian# iptables -I FILTER 10 -j ACCEPT -s 12.34.56.78

debian:/var/www/debian# service iptables save
Saving firewall rules to /etc/iptables-service/iptables: OK.

Look for it at http://debian.nikolas.ru/debian/

Comments are welcome.

[ Parent | Reply to this comment ]

Re: Restoring iptables Automatically On Boot
Posted by LesleyB (86.149.xx.xx) on Sat 11 Oct 2008 at 09:38
Mmmm does this 'Debian way' apply to the stable branch, I wonder.

And there I was happily hacking away at my own iptables scripts in /etc/init.d. Ah well ...

IIRC the advantage of the /etc/network/if-[pre|post]-[up|down].d is optimal inclusion at startup/shutdown




[ Parent | Reply to this comment ]

Re: Restoring iptables Automatically On Boot
Posted by Anonymous (217.79.xx.xx) on Mon 27 Oct 2008 at 18:07
This is good when using Debian on desktop.

But for my router with ~10 interfaces and stable (rarely changing) iptables rules, an init.d script is the more optimal and usable solution ;-)

[ Parent | Reply to this comment ]

Re: Restoring iptables Automatically On Boot
Posted by LesleyB (86.135.xx.xx) on Mon 27 Oct 2008 at 18:27
Well ... that's okay then :)

Some people have the view firewalls aren't needed on a server but I like running one and I'm happy to stick with the /etc/init.d method.

Regards

Lesley


[ Parent | Reply to this comment ]

Re: Restoring iptables Automatically On Boot
Posted by Anonymous (83.12.xx.xx) on Sat 25 Oct 2008 at 04:17
I think setting iptables rules in pre-up/pre-up.d is a bad idea.
Those scripts will be run every time the admin ifups an interface.
In the case of a pre-up.d script, the script will run many times during boot if there is more than one interface started.
Every time an interface is brought down, the current rules must be saved, or else on the subsequent interface up all manual rule changes will be lost.

Can someone tell any upsides of 'pre-up' solution?

[ Parent | Reply to this comment ]

Re: Restoring iptables Automatically On Boot
Posted by Anonymous (86.61.xx.xx) on Tue 23 Dec 2008 at 20:33
I never use iptables-save automatically. Every time an interface is brought down, I simply restore a drop-all iptables rule (or drop all except ssh), else load the appropriate settings for the interface currently being loaded.

Imho it is really bad to automate configuration of such things, the admin must know that his rules will get lost if he doesn't store them. What if he does something stupid and blocks himself out and has a script that automatically reboots the machine (tries to restore things) after some time of no response? The shutdown process would store his error and he will then need physical access to the machine to correct it.

[ Parent | Reply to this comment ]

Re: Restoring iptables Automatically On Boot
Posted by Anonymous (85.178.xx.xx) on Fri 31 Oct 2008 at 15:12
Very nice, thanks for the information as I never really knew where to put the iptables-script...

[ Parent | Reply to this comment ]

Re: Restoring iptables Automatically On Boot
Posted by Anonymous (217.216.xx.xx) on Mon 4 Apr 2011 at 01:57
For reference just in case someone came here googling or ducking: since Squeeze there's a package called iptables-persistent.

This package contains just a system startup script that restores iptables rules from a configuration file

[ Parent | Reply to this comment ]

Re: Restoring iptables Automatically On Boot
Posted by Anonymous (82.67.xx.xx) on Thu 2 Feb 2012 at 19:39
Thanks for this useful information. Indeed, I came by googling, and your comment was precious.

[ Parent | Reply to this comment ]

Re: Restoring iptables Automatically On Boot
Posted by Anonymous (178.194.xx.xx) on Thu 7 Feb 2013 at 21:21
came by googling too, thank you 217.216.xx.xx

[ Parent | Reply to this comment ]

Re: Restoring iptables Automatically On Boot
Posted by Anonymous (67.159.xx.xx) on Mon 26 Oct 2015 at 20:25
Just found and installed 'apt-get install iptables-persistent' on my bare Debian GNU/Linux 7.5 (wheezy) server. Works great.

[ Parent | Reply to this comment ]