-
12-28-2005, 01:57 PM #1 Web Hosting Evangelist (Join Date: Dec 2001, Posts: 518)
How to find IPtables (I can't restart iptables without a reboot)
I've inherited a Fedora Core 3 machine that acts as our firewall. I simply edit:
/etc/iptables/filter.sh
or
/etc/iptables/nat.sh
and put in any rules I'd like to change.
The problem is that typing:
service iptables restart
doesn't really do anything. Running service iptables with any argument, then service iptables status, returns that iptables is stopped.
My guess is that there are a couple of copies of iptables on the box, and it's an alternative one that's running. Any ideas on how to track down the location of the iptables that is running, so that I can restart the service without doing a reboot?
more info:
Code:
[root@FWLHQ001 ~]# whereis iptables
iptables: /sbin/iptables /etc/iptables /lib/iptables /usr/share/man/man8/iptables.8.gz
Keep your customers in the know with www.KnownOutage.com - free alerting software that you host. Did I mention that it's free?
-
12-28-2005, 02:26 PM #2 Web Hosting Master (Join Date: Jun 2003, Posts: 703)
You would need to set up a shell script to turn it on and off, like the one below.
Code:
#!/bin/bash
# Control IPTABLE rules
# path to iptables (the binary lives in /sbin on Fedora/RHEL)
IPTABLES_PATH=/sbin
# set interface (defined for convenience; the rules below do not use it)
IFACE=eth0
# End of configuration

# Stop here if the iptables binary is missing. (The posted script tested
# $SNORT_PATH/snort, a leftover from a snort init script, so it always
# exited before doing anything.)
test -x $IPTABLES_PATH/iptables || exit 0
IPTABLES=$IPTABLES_PATH/iptables

flush_rules() {
    # Empty every chain, remove user-defined chains and default to DROP,
    # so nothing is accepted until the rules are inserted again.
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP
}

insert_rules() {
    # insert IPTABLE rules here
    $IPTABLES -A INPUT -s 192.168.0.0/24 -j ACCEPT
    $IPTABLES -A OUTPUT -s 192.168.0.0/24 -j ACCEPT
}

case "$1" in
    start)
        insert_rules
        ;;
    stop)
        flush_rules
        ;;
    restart)
        # flush first, then re-insert, so the rules are not appended twice
        flush_rules
        insert_rules
        ;;
    *)
        echo 'you can only use start - stop - restart with this script'
        exit 1
        ;;
esac
exit 0
and then you can /etc/init.d/rc.3/iptables stop
-
12-28-2005, 02:31 PM #3 Engineer (Join Date: Jan 2005, Location: Scotland, UK, Posts: 2,681)
Someone has beaten me to responding.
Put the above script in /etc/init.d/iptables; however, if you already have one (because you said it is showing stopped), paste that one.
Server Management - AdminGeekZ.com
Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implementation, DDoS Protection, Custom Nginx Modules
Check our wordpress varnish plugin. Contact us for quote: sales@admingeekz.com
-
12-28-2005, 02:32 PM #4 Web Hosting Evangelist (Join Date: Dec 2001, Posts: 518)
I guess I'm really trying to learn how this server is set up (reinventing the wheel...). Iptables is running, because we are getting routed around and whatnot. If I type "service iptables status" I get "Firewall is stopped."
So I guess iptables is not really running as a service. Do you think it's being loaded by some startup script?
-
12-28-2005, 02:35 PM #5 Web Hosting Evangelist (Join Date: Dec 2001, Posts: 518)
FYI, I do have a /etc/init.d/iptables file.
-
12-28-2005, 02:41 PM #6 Web Hosting Evangelist (Join Date: Dec 2001, Posts: 518)
Here's a copy of my /etc/init.d/iptables file
Code:
#!/bin/sh
#
# iptables	Start iptables firewall
#
# chkconfig: 2345 08 92
# description: Starts, stops and saves iptables firewall
#
# config: /etc/sysconfig/iptables
# config: /etc/sysconfig/iptables-config

# Source function library.
. /etc/init.d/functions

IPTABLES=iptables
IPTABLES_DATA=/etc/sysconfig/$IPTABLES
IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES

if [ ! -x /sbin/$IPTABLES ]; then
    echo -n $"/sbin/$IPTABLES does not exist."; warning; echo
    exit 0
fi

if lsmod 2>/dev/null | grep -q ipchains ; then
    echo -n $"ipchains and $IPTABLES can not be used together."; warning; echo
    exit 0
fi

# Old or new modutils
/sbin/modprobe --version 2>&1 | grep -q module-init-tools \
    && NEW_MODUTILS=1 \
    || NEW_MODUTILS=0

# Default firewall configuration:
IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"

# Load firewall configuration.
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"

rmmod_r() {
    # Unload module with all referring modules.
    # At first all referring modules will be unloaded, then the module itself.
    local mod=$1
    local ret=0
    local ref=

    # Get referring modules.
    # New modutils have another output format.
    [ $NEW_MODUTILS = 1 ] \
        && ref=`lsmod | awk "/^${mod}/ { print \\\$4; }" | tr ',' ' '` \
        || ref=`lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1`

    # recursive call for all referring modules
    for i in $ref; do
        rmmod_r $i
        let ret+=$?;
    done

    # Unload module.
    # The extra test is for 2.6: The module might have autocleaned,
    # after all referring modules are unloaded.
    if grep -q "^${mod}" /proc/modules ; then
        modprobe -r $mod > /dev/null 2>&1
        let ret+=$?;
    fi

    return $ret
}

flush_n_delete() {
    # Flush firewall rules and delete chains.
    [ -e "$PROC_IPTABLES_NAMES" ] || return 1

    # Check if firewall is configured (has tables)
    tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
    [ -z "$tables" ] && return 1

    echo -n $"Flushing firewall rules: "
    ret=0
    # For all tables
    for i in $tables; do
        # Flush firewall rules.
        $IPTABLES -t $i -F; let ret+=$?;

        # Delete firewall chains.
        $IPTABLES -t $i -X; let ret+=$?;

        # Set counter to zero.
        $IPTABLES -t $i -Z; let ret+=$?;
    done

    [ $ret -eq 0 ] && success || failure
    echo
    return $ret
}

set_policy() {
    # Set policy for configured tables.
    policy=$1

    # Check if iptable module is loaded
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1

    # Check if firewall is configured (has tables)
    tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
    [ -z "$tables" ] && return 1

    echo -n $"Setting chains to policy $policy: "
    ret=0
    for i in $tables; do
        echo -n "$i "
        case "$i" in
            filter)
                $IPTABLES -t filter -P INPUT $policy \
                    && $IPTABLES -t filter -P OUTPUT $policy \
                    && $IPTABLES -t filter -P FORWARD $policy \
                    || let ret+=1
                ;;
            nat)
                $IPTABLES -t nat -P PREROUTING $policy \
                    && $IPTABLES -t nat -P POSTROUTING $policy \
                    && $IPTABLES -t nat -P OUTPUT $policy \
                    || let ret+=1
                ;;
            mangle)
                $IPTABLES -t mangle -P PREROUTING $policy \
                    && $IPTABLES -t mangle -P POSTROUTING $policy \
                    && $IPTABLES -t mangle -P INPUT $policy \
                    && $IPTABLES -t mangle -P OUTPUT $policy \
                    && $IPTABLES -t mangle -P FORWARD $policy \
                    || let ret+=1
                ;;
            *)
                let ret+=1
                ;;
        esac
    done

    [ $ret -eq 0 ] && success || failure
    echo
    return $ret
}

start() {
    # Do not start if there is no config file.
    [ -f "$IPTABLES_DATA" ] || return 1

    echo -n $"Applying $IPTABLES firewall rules: "

    OPT=
    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"

    $IPTABLES-restore $OPT $IPTABLES_DATA
    if [ $? -eq 0 ]; then
        success; echo
    else
        failure; echo; return 1
    fi

    # Load additional modules (helpers)
    if [ -n "$IPTABLES_MODULES" ]; then
        echo -n $"Loading additional $IPTABLES modules: "
        ret=0
        for mod in $IPTABLES_MODULES; do
            echo -n "$mod "
            modprobe $mod > /dev/null 2>&1
            let ret+=$?;
        done
        [ $ret -eq 0 ] && success || failure
        echo
    fi

    touch $VAR_SUBSYS_IPTABLES
    return $ret
}

stop() {
    # Do not stop if iptables module is not loaded.
    [ -e "$PROC_IPTABLES_NAMES" ] || return 1

    flush_n_delete
    set_policy ACCEPT

    if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
        echo -n $"Unloading $IPTABLES modules: "
        ret=0
        rmmod_r ${IPV}_tables
        let ret+=$?;
        rmmod_r ${IPV}_conntrack
        let ret+=$?;
        [ $ret -eq 0 ] && success || failure
        echo
    fi

    rm -f $VAR_SUBSYS_IPTABLES
    return $ret
}

save() {
    # Check if iptable module is loaded
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1

    # Check if firewall is configured (has tables)
    tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
    [ -z "$tables" ] && return 1

    echo -n $"Saving firewall rules to $IPTABLES_DATA: "

    OPT=
    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"

    ret=0
    TMP_FILE=`/bin/mktemp -q /tmp/$IPTABLES.XXXXXX` \
        && chmod 600 "$TMP_FILE" \
        && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
        && size=`stat -c '%s' $TMP_FILE` && [ $size -gt 0 ] \
        || ret=1
    if [ $ret -eq 0 ]; then
        if [ -e $IPTABLES_DATA ]; then
            cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
                && chmod 600 $IPTABLES_DATA.save \
                || ret=1
        fi
        if [ $ret -eq 0 ]; then
            cp -f $TMP_FILE $IPTABLES_DATA \
                && chmod 600 $IPTABLES_DATA \
                || ret=1
        fi
    fi
    [ $ret -eq 0 ] && success || failure
    echo
    rm -f $TMP_FILE
    return $ret
}

status() {
    # Do not print status if lockfile is missing and iptables modules are not
    # loaded.
    # Check if iptable module is loaded
    if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then
        echo $"Firewall is stopped."
        return 1
    fi

    # Check if firewall is configured (has tables)
    if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
        echo $"Firewall is not configured. "
        return 1
    fi
    tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
    if [ -z "$tables" ]; then
        echo $"Firewall is not configured. "
        return 1
    fi

    NUM=
    [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"

    for table in $tables; do
        echo $"Table: $table"
        $IPTABLES -t $table --list $NUM && echo
    done

    return 0
}

restart() {
    [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
    stop
    start
}

case "$1" in
    start)
        stop
        start
        RETVAL=$?
        ;;
    stop)
        [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
        stop
        RETVAL=$?
        ;;
    restart)
        restart
        RETVAL=$?
        ;;
    condrestart)
        [ -e "$VAR_SUBSYS_IPTABLES" ] && restart
        ;;
    status)
        status
        RETVAL=$?
        ;;
    panic)
        flush_n_delete
        set_policy DROP
        RETVAL=$?
        ;;
    save)
        save
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
        exit 1
        ;;
esac

exit $RETVAL
-
12-28-2005, 02:50 PM #7 Engineer (Join Date: Jan 2005, Location: Scotland, UK, Posts: 2,681)
Your init.d script is fine,
service iptables start
will have iptables running; however, if it's running and returning stopped all the time then the lock file is invalid.
Which in this case is
VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
does /var/lock/subsys/iptables exist? Have you tried reinstalling iptables?
Just remove the rpm and install the rpm again.
-
12-28-2005, 02:53 PM #8 Web Hosting Evangelist (Join Date: Dec 2001, Posts: 518)
Iptables works great, so I'm hesitant to reinstall. It seems to be a custom version (I add rules to separate xxx.sh files). I'm the new guy here, so I don't want to break something that to all users appears to be working fine.
/var/lock/subsys/$IPTABLES does not exist. Would a simple "touch $IPTABLES" correct this?
-
12-28-2005, 03:02 PM #9 Engineer (Join Date: Jan 2005, Location: Scotland, UK, Posts: 2,681)
No no,
/var/lock/subsys/iptables
However, the iptables init.d script is not needed by the looks of it; I have never really looked into it.
I get "firewall is stopped" on RHEL4 when it is in fact running; it just looks like a problem with the init.d script, which is the original.
Not really sure what to say since I have never even bothered to look at this before, seems interesting though.
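The two questions this thread keeps circling (post #1: where are the running rules actually loaded from? posts #7 to #9: why does status say stopped while traffic is clearly being filtered?) can both be answered from the host itself. The audit script below is an added example, not something any poster in this thread wrote. It reads the kernel-side view from /proc/net/ip_tables_names, compares it with the /var/lock/subsys/iptables lock file that the quoted init script's status() trusts, and greps the boot-time script locations for any non-comment line that invokes iptables (which also catches a script that sources /etc/iptables/filter.sh). Paths follow the Fedora Core 3 / RHEL 4 layout discussed above; ROOT, PROC_TABLES, LOCK_FILE, the function names and the file name fw-audit.sh are assumptions made so the same functions can be pointed at a copied filesystem tree.

```shell
#!/bin/sh
# Audit an inherited iptables host: what the kernel has loaded, whether the
# SysV lock file agrees, and which boot-time scripts invoke iptables.
# Added example for this thread, not code from any poster. Paths follow
# the Fedora Core 3 / RHEL 4 layout quoted above; ROOT, PROC_TABLES and
# LOCK_FILE are assumed override points so the functions can also be run
# against a copied filesystem tree.

ROOT="${ROOT:-}"
PROC_TABLES="${PROC_TABLES:-$ROOT/proc/net/ip_tables_names}"
LOCK_FILE="${LOCK_FILE:-$ROOT/var/lock/subsys/iptables}"

# fw_state: compare the kernel's view (a non-empty ip_tables_names means
# the ip_tables module is loaded with tables registered) against the lock
# file that the init script's status() checks first. Prints one of:
#   active-locked       tables loaded, lock present (the init script did it)
#   active-nolock       tables loaded, no lock: something else loaded them,
#                       and "service iptables status" will say stopped
#   inactive-stalelock  no tables, lock file left behind
#   inactive            nothing loaded
fw_state() {
    tables=""
    [ -r "$PROC_TABLES" ] && tables=$(cat "$PROC_TABLES" 2>/dev/null)
    if [ -n "$tables" ]; then
        if [ -f "$LOCK_FILE" ]; then echo active-locked; else echo active-nolock; fi
    else
        if [ -f "$LOCK_FILE" ]; then echo inactive-stalelock; else echo inactive; fi
    fi
}

# find_rule_loaders DIR...: print file:line:text for every non-comment line
# under the given directories that names iptables or ip6tables as a word.
# A path such as /etc/iptables/filter.sh matches too, so scripts that
# merely source the rule files are listed as well.
find_rule_loaders() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        grep -rnw -e iptables -e ip6tables "$d" 2>/dev/null \
            | grep -vE '^[^:]*:[0-9]+:[[:space:]]*#'
    done
    return 0
}

audit() {
    echo "kernel tables : $(cat "$PROC_TABLES" 2>/dev/null | tr '\n' ' ')"
    echo "state         : $(fw_state)   (lock file: $LOCK_FILE)"
    echo "--- boot-time scripts that invoke iptables ---"
    # On this layout /etc/init.d and /etc/rc.local are symlinks into
    # /etc/rc.d, so searching /etc/rc.d covers the init scripts and rc.local.
    find_rule_loaders "$ROOT/etc/rc.d" "$ROOT/etc/sysconfig" \
                      "$ROOT/etc/iptables" "$ROOT/etc/cron.d"
}

case "${1:-}" in
    audit) audit ;;
esac
```

Run it as sh fw-audit.sh audit. A result of active-nolock is exactly the situation in this thread: tables are registered in the kernel, but nothing ever touched the lock file, so the init script's status() answers "Firewall is stopped." before it even looks at the rules. The loader list then shows which script fed the rules in, which is the thing to edit or re-run instead of service iptables restart.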
-
12-28-2005, 03:15 PM #10 Web Hosting Evangelist (Join Date: Dec 2001, Posts: 518)
on your RHEL 4, how do you restart IPtables? I assume you type
service iptables restart
When I do that, iptables just kind of dies, and stops routing, and from then on it says that IPtables would not start. I'm forced to reboot to get iptables up again.
-
12-28-2005, 03:20 PM #11 Engineer (Join Date: Jan 2005, Location: Scotland, UK, Posts: 2,681)
What happens when you do
service iptables restart
then
iptables -L
Does it have your rules? Do you have any rules set up to load on boot?
What does /etc/rc.local contain?
-
12-28-2005, 03:39 PM #12 Web Hosting Evangelist (Join Date: Dec 2001, Posts: 518)
We have a ton of rules, set up in filter.sh / nat.sh / arp.sh / routes.sh. These are automatically loaded into iptables.
I'll have to wait until tonight to do the service iptables restart, because it will force me to reboot the server in order to get the office online again.
cd /etc/rc.local
-bash: cd: /etc/rc.local: Not a directory
Finally, since iptables is running, shouldn't I be able to see it by typing "ps -aux"? I currently can't.
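Posts #10 and #12 describe the real operational risk in this setup: a restart that leaves the box with no usable rules and the admin cut off until someone reboots it. The script below is an added example, not code from anyone in this thread. It snapshots the live rules with iptables-save, runs the rule script, refuses to keep a result that has no management allow on INPUT, and arms a watchdog that restores the snapshot unless the change is confirmed from a working session. It assumes iptables-save and iptables-restore exist (the quoted init script already uses them) and that rules are loaded by a shell script such as /etc/iptables/filter.sh; SAVE_CMD, RESTORE_CMD, WORKDIR, the function names and the file name fw-reload.sh are assumptions made so the flow can be exercised with stand-in commands.

```shell
#!/bin/sh
# Reload iptables rules without locking yourself out of the firewall.
# Added example for this thread, not code from any poster.
# Assumptions: iptables-save/iptables-restore are on PATH (the Fedora init
# script quoted above uses them); rules are loaded by a shell script such
# as /etc/iptables/filter.sh. SAVE_CMD, RESTORE_CMD and WORKDIR are
# override points so the flow can be exercised with stand-in commands.

SAVE_CMD="${SAVE_CMD:-iptables-save}"
RESTORE_CMD="${RESTORE_CMD:-iptables-restore}"
WORKDIR="${WORKDIR:-/var/run/fw-reload}"

# has_mgmt_allow: read an iptables-save dump on stdin and return 0 if the
# filter table's INPUT chain still accepts tcp/22 or ESTABLISHED/RELATED
# traffic, i.e. an admin session can survive the change. Rules in other
# tables (nat, mangle) are ignored.
has_mgmt_allow() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^-A INPUT / && / -j ACCEPT/ {
            if ($0 ~ /--dport 22( |$)/)       ok = 1
            if ($0 ~ /(ESTABLISHED|RELATED)/) ok = 1
        }
        END { exit ok ? 0 : 1 }
    '
}

# safe_reload RULE_SCRIPT [SECONDS]: snapshot the live rules, run the rule
# script, verify the result, then arm a watchdog that restores the
# snapshot after SECONDS (default 60) unless confirm_reload ran in time.
safe_reload() {
    script="$1"
    secs="${2:-60}"
    mkdir -p "$WORKDIR"
    snap="$WORKDIR/snapshot.rules"
    rm -f "$WORKDIR/confirmed"

    if ! "$SAVE_CMD" > "$snap"; then
        echo "snapshot failed; leaving rules untouched" >&2
        return 1
    fi

    if ! sh "$script"; then
        echo "rule script failed; restoring snapshot" >&2
        "$RESTORE_CMD" < "$snap"
        return 1
    fi

    # Never leave a rule set in place that cannot admit the administrator.
    if ! "$SAVE_CMD" | has_mgmt_allow; then
        echo "new rules have no ssh/ESTABLISHED allow on INPUT; restoring" >&2
        "$RESTORE_CMD" < "$snap"
        return 2
    fi

    # Watchdog: if the session that ran this is now cut off, nobody will
    # confirm, and the previous rules come back on their own.
    (
        sleep "$secs"
        [ -f "$WORKDIR/confirmed" ] || "$RESTORE_CMD" < "$snap"
    ) &
    echo "rules applied; run confirm_reload within ${secs}s or the snapshot is restored"
    return 0
}

# confirm_reload: run from a fresh session once the new rules are known good.
confirm_reload() {
    touch "$WORKDIR/confirmed"
}

case "${1:-}" in
    reload)  safe_reload "$2" "${3:-60}" ;;
    confirm) confirm_reload ;;
esac
```

Usage: sh fw-reload.sh reload /etc/iptables/filter.sh 90, then open a new SSH session and run sh fw-reload.sh confirm before the 90 seconds are up. The check in has_mgmt_allow is deliberately narrow (tcp/22 or an ESTABLISHED/RELATED accept on INPUT); widen it to whatever the management path on a given box really is. The restore path relies on iptables-restore replacing every table present in the snapshot, so it does not need to flush first; the rule script itself, if it only appends, will double up rules when run repeatedly, which is a separate problem to fix in that script.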
-
12-28-2005, 03:40 PM #13 Engineer (Join Date: Jan 2005, Location: Scotland, UK, Posts: 2,681)
rc.local is a file.
cat /etc/rc.local
-
12-28-2005, 03:51 PM #14 Web Hosting Evangelist (Join Date: Dec 2001, Posts: 518)
cat /etc/rc.local
Code:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
/usr/local/samba/sbin/smbd