Your three new iptables scripts (see previous recipes) are tested and ready to be put to work—you have fw_nat, a fw_status script, and the fw_flush script. You want your firewall to start automatically at boot, and you want to start, stop, and check iptables status manually like any other service. How do you do this?
First, get rid of any existing firewall scripts, including any that came with your Linux distribution. On Fedora Linux and all of its relatives, also remove the iptables-save and iptables-restore scripts to prevent conflicts and accidental changes.
The different Linux distributions manage starting and stopping iptables in all sorts of different ways. This init script, called firewall, is as simple as it gets, and it works on any Linux. It calls the scripts used in the previous three recipes, so be sure you already have those tested and ready to use:
#!/bin/sh
# /etc/init.d/firewall
# simple start-stop init script for iptables
# start builds the firewall, stop flushes
# all rules and resets default policies to ACCEPT
# restart runs the stop and start commands
# status displays all active rules, and packet and byte counters
# chkconfig: 2345 01 99
# description: loads and flushes the iptables rules built by fw_nat and fw_flush

startfile="/usr/local/bin/fw_nat"
stopfile="/usr/local/bin/fw_flush"
statusfile="/usr/local/bin/fw_status"

case "$1" in
    start)
        echo "Starting $startfile: iptables is now starting up"
        /bin/sh $startfile start
        ;;
    stop)
        echo "Stopping $stopfile: iptables is now stopped, all rules and chains are flushed, and default policies are set to ACCEPT"
        /bin/sh $stopfile stop
        ;;
    status)
        /bin/sh $statusfile status
        ;;
    restart)
        /bin/sh $stopfile stop
        echo "The firewall has stopped."
        /bin/sh $startfile start
        echo "The firewall has now restarted."
        ;;
    *)
        # any other argument: show the accepted actions and fail
        echo "Usage: $0 {start|stop|status|restart}"
        exit 1
        ;;
esac
Put this script in /etc/init.d, then use your distribution's runlevel manager to start it at boot. On Debian, use the update-rc.d command to start it on runlevels 2, 3, 4, and 5, and stop it on runlevels 0, 1, and 6:
# update-rc.d firewall start 01 2 3 4 5 . stop 99 0 1 6 .
On Fedora, use chkconfig:
# chkconfig firewall --add
# chkconfig firewall on
Now, you can manage it with the standard init.d-style commands:
# /etc/init.d/firewall start|stop|status|restart
You may also run the scripts individually if you prefer. It's a simple, flexible scheme that is easy to customize.
Give /etc/init.d/firewall the highest priority at startup, and lowest priority for shutdown, because you want it to come up first and shut down last. Theoretically, if networking started first, an attacker could exploit the unprotected milliseconds before the firewall came up.
Keep in mind that you are not starting and stopping a daemon, but loading rules into memory, then flushing rules out of memory and setting a default ACCEPT policy. iptables works in the kernel—it's not a service.
These scripts should work on any Linux, so you only need to learn one way to manage iptables. They are as simple as possible to keep them understandable and maintainable. Ace scripting gurus are welcome to add error and sanity checks, and gussy them up as much as they like.
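One place to start with the error and sanity checks mentioned above is the status and start actions: the init script as written only prints whatever fw_status prints, and it will happily run fw_nat even if the helper scripts are missing. The following is an added example, not code from the recipe or from the fw_* scripts, showing two checks written as POSIX sh functions: fw_check_scripts verifies that each helper script exists and is executable before start is attempted, and fw_is_up decides whether the firewall is actually loaded by reading an iptables-save style dump (INPUT and FORWARD default to DROP and at least one rule is present), which gives the status action a real exit code. The two dumps embedded here are constructed sample data, not captured from a real host; on a live system you would pass it the output of iptables-save, which needs root.

```shell
#!/bin/sh
# Added example: sanity checks for the firewall init script.
# Not part of the recipe's scripts; all sample data below is constructed.

# Constructed iptables-save style dump of a loaded firewall (filter table only).
FW_UP_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Constructed dump of the same host after fw_flush: no rules, all policies ACCEPT.
FW_FLUSHED_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# fw_policy DUMP CHAIN: print the default policy of CHAIN (lines look like ":INPUT DROP [0:0]")
fw_policy() {
    printf '%s\n' "$1" | awk -v chain=":$2" '$1 == chain { print $2; exit }'
}

# fw_rule_count DUMP: number of "-A" rule lines in the dump
fw_rule_count() {
    printf '%s\n' "$1" | grep -c '^-A '
}

# fw_is_up DUMP: succeed only when INPUT and FORWARD default to DROP
# and at least one rule is loaded; a flushed firewall fails this test
fw_is_up() {
    [ "$(fw_policy "$1" INPUT)" = DROP ] &&
    [ "$(fw_policy "$1" FORWARD)" = DROP ] &&
    [ "$(fw_rule_count "$1")" -gt 0 ]
}

# fw_check_scripts FILE...: fail and name every script that is missing or not executable
fw_check_scripts() {
    rc=0
    for f in "$@"; do
        if [ ! -x "$f" ]; then
            echo "missing or not executable: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# How the init script's status action would use this on a live system (needs root):
#   dump=$(iptables-save)
#   if fw_is_up "$dump"; then echo "firewall is up"; else echo "firewall is down"; exit 3; fi
```

The start action could call fw_check_scripts "$startfile" "$stopfile" "$statusfile" before touching iptables, and refuse to run fw_nat if the firewall is already up so that a second start does not append a duplicate set of rules.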
Every Linux distribution handles iptables a bit differently. Fedora and its ilk store the rules in the /etc/sysconfig/iptables file, which is sourced from the /etc/init.d/iptables script. The Red Hat manual teaches users to enter their iptables commands on the command line, then use the /sbin/service iptables save command to write the rules to the /etc/sysconfig/iptables file. This is a nice way to create, test, and edit new rules if you are proficient enough to create them on the fly.
Debian Sarge has a different way of handling iptables. It does not use an /etc/init.d script anymore, but instead expects the user to control iptables with ifupdown. This means adding inline directives in /etc/network/interfaces, or placing scripts in the /etc/network/*.d directories, and then iptables goes up or down with the network interfaces.
man 8 iptables
The Red Hat System Administration Manual: https://www.redhat.com/docs/
Debian users read /usr/share/doc/iptables/examples/oldinitdscript.gz and /usr/share/doc/iptables/README.Debian.gz
Chapter 1, "Overview of TCP/IP," in TCP/IP Network Administration, by Craig Hunt (O'Reilly)
Oskar Andreasson's Iptables Tutorial: http://iptables-tutorial.frozentux.net/