Security and Privacy: Sadly, malware, spyware, hackers and privacy threats abound in today's world. Let's be paranoid and secure our penguins, and slam the doors on privacy exploits.

5th January 2005, 11:25 AM
Registered User
Join Date: Jan 2005
Posts: 6
Where to put my own iptables rules?
I have iptables running, but want to add the following rule to it:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
If I put it in /etc/sysconfig/iptables, then it is gone the next time I run system-config-securitylevel. That's why /etc/sysconfig/iptables says "# Manual customization of this file is not recommended." (I hate comments like this, btw.)
Now when I put it in /etc/rc.d/rc.local, the rule is gone the next time I run "service iptables restart".
What does Fedora expect me to do? Do I have to put the rule in /etc/init.d/iptables?
-- Stefan

5th January 2005, 02:07 PM
Registered User
Join Date: May 2004
Location: Vellore, Tamil Nadu, India
Posts: 192
Quote: Originally Posted by stuffie
> If I put it in /etc/sysconfig/iptables, then it is gone the next time I run system-config-securitylevel. That's why /etc/sysconfig/iptables says "# Manual customization of this file is not recommended." (I hate comments like this, btw.)
You can modify the contents of /etc/sysconfig/iptables using the iptables-save script.
Quote: Originally Posted by stuffie
> Now when I put it in /etc/rc.d/rc.local, the rule is gone the next time I run "service iptables restart".
The right place to put it in FC3 is /etc/sysconfig/iptables.
Quote: Originally Posted by stuffie
> What does Fedora expect me to do? Do I have to put the rule in /etc/init.d/iptables?
Load your firewall rule using iptables, and then save it to /etc/sysconfig/iptables using the following script from a console (logged in as root):
Code:
/sbin/iptables-save > /etc/sysconfig/iptables

5th January 2005, 02:20 PM
Registered User
Join Date: Jan 2005
Posts: 6
Sorry, but your answer does not solve it.
Again, when I save new firewall settings with system-config-securitylevel, my rule is gone. Editing /etc/sysconfig/iptables is not recommended according to the Fedora developers.
Anyone else?

5th January 2005, 03:34 PM
Registered User
Join Date: Jan 2004
Age: 37
Posts: 10
All I had to do to make a rule permanent in my system was to run
Code:
iptables -I RH-Firewall-1-INPUT 8 -p tcp --dport 5901 -j ACCEPT
as root... (This is to allow vnc ...)
If you want to look at your iptables settings, you have the command
Code:
iptables -nL -v --line-numbers
It also prints the line numbers if you want to specify in which line you want to insert your rule... (I'm running FC3, btw)
Last edited by bell; 5th January 2005 at 03:36 PM.

5th January 2005, 04:06 PM
Registered User
Join Date: Jan 2005
Posts: 6
Quote: Originally Posted by bell
> All I had to do to make a rule permanent in my system was to run
> Code:
> iptables -I RH-Firewall-1-INPUT 8 -p tcp --dport 5901 -j ACCEPT
Yes, I understand, but the system-config-securitylevel program understands your rule and not mine. That's the difference.

5th January 2005, 04:44 PM
Registered User
Join Date: Jan 2004
Age: 37
Posts: 10
Quote: Originally Posted by stuffie
> Yes, I understand, but the system-config-securitylevel program understands your rule and not mine. That's the difference.
Ah, I see.
Perhaps this will help?
http://www.jimohalloran.com/archives/000109.html
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
Last edited by bell; 5th January 2005 at 04:52 PM.

5th January 2005, 08:04 PM
Registered User
Join Date: Jan 2005
Posts: 6
omg, I have no problems running NAT :|
I just want to know the right place to put my own iptables rule.

5th January 2005, 10:47 PM
Registered User
Join Date: Sep 2004
Location: NORTHCOM
Posts: 813
If by chance you are using pppd for a dialup connection as I am, there is a place in /etc/ppp. I put my custom rules in a file /etc/ppp/firewall-masq and then call the script from /etc/ppp/ip-up.local. When I go offline I call /etc/ppp/firewall-standalone from /etc/ppp/ip-down.local.
If you're not messing with pppd, then ignore above. I understand the situation--there's a nice GUI app (system-config-securitylevel) that does almost everything I want except one thing that I need. It's kind of a hack but you could modify /etc/init.d/iptables by adding an entry (in orange) to the file
Code:
start() {
    # Do not start if there is no config file.
    [ -f "$IPTABLES_DATA" ] || return 1
    echo -n $"Applying $IPTABLES firewall rules: "
    OPT=
    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
    $IPTABLES-restore $OPT $IPTABLES_DATA
    ret=$?
    # Added entry (the line in orange): load the custom rule file after the
    # stock one. -n (--noflush) stops iptables-restore from flushing the
    # tables named in that file, which would throw away the rules loaded a
    # moment ago; an unset or missing $MY_IPTABLES_DATA is simply skipped.
    if [ $ret -eq 0 ] && [ -f "$MY_IPTABLES_DATA" ]; then
        $IPTABLES-restore -n $OPT $MY_IPTABLES_DATA
        ret=$?
    fi
    if [ $ret -eq 0 ]; then
        success; echo
    else
        failure; echo; return 1
    fi
    # Load additional modules (helpers)
    if [ -n "$IPTABLES_MODULES" ]; then
        echo -n $"Loading additional $IPTABLES modules: "
        ret=0
        for mod in $IPTABLES_MODULES; do
            echo -n "$mod "
            modprobe $mod > /dev/null 2>&1
            let ret+=$?
        done
        [ $ret -eq 0 ] && success || failure
        echo
    fi
    touch $VAR_SUBSYS_IPTABLES
    return $ret
}
Then define $MY_IPTABLES_DATA to be a file of your choosing. This would work until you update the iptables package which would likely overwrite your modification.
Kind of a tough call, keeping things original yet adding functionality that you need. A better solution would be if system-config-securitylevel allowed you to have the rule you need.

6th January 2005, 06:01 AM
Registered User
Join Date: May 2004
Posts: 28
Similar to what Vinu mentioned: if you're manually setting up custom iptables rules on Fedora, you can do it this way. su to root in a terminal/Konsole first, then type:
Code:
# /sbin/service iptables stop
Then either type in your custom iptables rules "one after the other" at the prompt or load them. Once your custom iptables rules are active in memory, save them to the /etc/sysconfig/iptables file with this command:
Code:
# /sbin/service iptables save
Last edited by Drenon; 6th January 2005 at 06:10 AM.

6th January 2005, 12:15 PM
Registered User
Join Date: Jan 2005
Posts: 6
Quote: Originally Posted by Dog-One
> I understand the situation--there's a nice GUI app (system-config-securitylevel) that does almost everything I want except one thing that I need. It's kind of a hack but you could modify /etc/init.d/iptables by adding an entry (in orange) to the file
> Code:
> start() {
> $IPTABLES-restore $OPT $IPTABLES_DATA
> $IPTABLES-restore $OPT $MY_IPTABLES_DATA
> Then define $MY_IPTABLES_DATA to be a file of your choosing. This would work until you update the iptables package which would likely overwrite your modification.
> Kind of a tough call, keeping things original yet adding functionality that you need. A better solution would be if system-config-securitylevel allowed you to have the rule you need.
Yes, you know exactly what I mean. I want to follow Fedora's advice, but it limits configuration possibilities.
However, I have added code to /etc/init.d/iptables, similar to yours. I don't like this method, but it works. Thanks for your reply.
Last edited by stuffie; 6th January 2005 at 12:29 PM.

14th January 2005, 08:42 AM
Registered User
Join Date: May 2004
Location: Vellore, Tamil Nadu, India
Posts: 192
Quote: Originally Posted by stuffie
> Again, when I save new firewall settings with system-config-securitylevel, my rule is gone.
That's pretty obvious. If you take a look at /etc/sysconfig/iptables, you will realise that you cannot add your rule into it directly using an editor. It has to be in a form that iptables-restore can parse.
What you need to do is to load your custom rule into memory and then save it to /etc/sysconfig/iptables using the iptables-save script. Once you do that, your rule will not disappear the next time you run your firewall update tool.
Quote: Originally Posted by stuffie
> Editing /etc/sysconfig/iptables is not recommended according to the Fedora developers.
Partly right, partly wrong. Editing /etc/sysconfig/iptables is not recommended using an editor. But you can perfectly well modify its contents using the iptables-save script. In fact, the contents of the file are created using the iptables-save script in the first place!
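The point made in this thread is that the rule has to end up in /etc/sysconfig/iptables in the form iptables-restore parses, and that its position in the chain matters (an ACCEPT appended after the RH-Firewall-1-INPUT chain's closing REJECT never fires). The following is an added example, not code from the thread or from Fedora, that performs that merge on a saved file: it takes the rule in iptables-save syntax, puts it under the right table (appending a *nat section when only *filter exists) and, for filter rules, ahead of a line you name such as the REJECT. It assumes POSIX sh and awk; the function names and the sample file are mine.

```shell
# Added example, not code from the thread or from Fedora: insert a rule into
# an iptables-save format file (/etc/sysconfig/iptables) under the right table
# so iptables-restore still parses it. Assumes POSIX sh and awk; names are mine.
# add_saved_rule FILE TABLE RULE [BEFORE]: print FILE with RULE added to
# TABLE, before the table's first line containing BEFORE if given (e.g.
# "-j REJECT", so an ACCEPT lands ahead of the chain's final reject), else
# just before the table's COMMIT. An already present rule is not added
# twice; a table absent from the file (e.g. when system-config-securitylevel
# has written only *filter) is appended as a new section, and built-in
# chains need no ":CHAIN POLICY [0:0]" line for that.
add_saved_rule() {
    awk -v table="$2" -v rule="$3" -v before="$4" '
        { line[NR] = $0 }
        $0 == ("*" table)      { in_t = 1; seen = 1 }
        in_t && $0 == rule     { have = 1 }
        in_t && $0 == "COMMIT" { in_t = 0 }
        END { in_t = 0
            for (i = 1; i <= NR; i++) {
                if (line[i] == ("*" table)) in_t = 1
                if (in_t && !have && (line[i] == "COMMIT" ||
                    (before != "" && index(line[i], before)))) {
                    print rule; have = 1
                }
                if (line[i] == "COMMIT") in_t = 0
                print line[i]
            }
            if (!seen) { print "*" table; print rule; print "COMMIT" }
        }' "$1"
}

# count_rule FILE RULE: number of lines in FILE that are exactly RULE
count_rule() { awk -v rule="$2" '$0 == rule { n++ } END { print n + 0 }' "$1"; }

# Constructed, shortened sample of what system-config-securitylevel writes.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Manual customization of this file is not recommended.
*filter
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
MASQ='-A POSTROUTING -o eth0 -j MASQUERADE'
VNC='-A RH-Firewall-1-INPUT -p tcp --dport 5901 -j ACCEPT'
add_saved_rule "$SAMPLE" nat "$MASQ" > "$SAMPLE.nat"          # adds a *nat section
add_saved_rule "$SAMPLE.nat" nat "$MASQ" > "$SAMPLE.twice"    # no duplicate
add_saved_rule "$SAMPLE" filter "$VNC" '-j REJECT' > "$SAMPLE.vnc"
```

The merged output is what you would write back to /etc/sysconfig/iptables before "service iptables restart"; system-config-securitylevel will still regenerate that file, so the merge has to be re-run after each use of the tool.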