OReilly.Linux.Security.Cookbook.pdf

    # ipchains -R chain 2 ...specification...

2.18.3 Discussion

When you insert a rule at position N in a chain, the old rule N becomes rule N+1, rule N+1 becomes rule N+2, and so on. To see the rules in a chain in order, so you can determine the right numeric offset, list the chain with -L. [Recipe 2.16]

2.18.4 See Also

iptables(8), ipchains(8).
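The numeric offset the Discussion above tells you to read off "-L" can also be read off a saved dump of the kind Recipe 2.19 produces. The shell functions below are an added example, not code from the book: they number the rules of a chain in an iptables-save file exactly as -L would, and insert a rule at position N with the same renumbering, so an edited dump can be fed back to iptables-restore. The dump and the /tmp path are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the book): read rule offsets for "iptables -I CHAIN N" and
# "iptables -R CHAIN N" off an iptables-save dump, and insert a rule into the dump at
# position N with the renumbering the live command performs. All functions read stdin.

# Constructed sample dump (a real one comes from iptables-save, as in Recipe 2.19).
RULES_FILE="${TMPDIR:-/tmp}/iptables.sample"
cat > "$RULES_FILE" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 23 -j DROP
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF

# numbered_rules TABLE CHAIN: "N: rule" for each rule of CHAIN, numbered from 1 in the
# order iptables -L would list them.
numbered_rules() {
    awk -v table="$1" -v chain="$2" '
        /^\*/     { in_table = (substr($0, 2) == table); next }
        /^COMMIT/ { in_table = 0; next }
        in_table && $1 == "-A" && $2 == chain { printf "%d: %s\n", ++n, $0 }'
}

# rule_count TABLE CHAIN: number of rules, i.e. the largest N that -R may name.
rule_count() { numbered_rules "$1" "$2" | wc -l | tr -d ' '; }

# position_of TABLE CHAIN TEXT: position of the first rule containing TEXT (empty if
# none); pass it to -R to replace that rule, or to -I to insert in front of it.
position_of() { numbered_rules "$1" "$2" | grep -F -- "$3" | head -n 1 | cut -d: -f1; }

# insert_rule TABLE CHAIN N SPEC: emit the dump with "-A CHAIN SPEC" as rule N; the old
# rule N becomes N+1, N+1 becomes N+2, and so on. N = count+1 appends before COMMIT.
insert_rule() {
    awk -v table="$1" -v chain="$2" -v pos="$3" -v spec="$4" '
        function emit() { if (!done) { print "-A " chain " " spec; done = 1 } }
        /^\*/ { in_table = (substr($0, 2) == table) }
        in_table && $1 == "-A" && $2 == chain { if (++n == pos) emit() }
        in_table && /^COMMIT/ { if (pos == n + 1) emit(); in_table = 0 }
        { print }'
}
# Find the telnet DROP and put an HTTP ACCEPT in front of it; the DROP becomes rule 5.
telnet_pos=$(position_of filter INPUT '--dport 23' < "$RULES_FILE")   # 4
insert_rule filter INPUT "$telnet_pos" '-p tcp --dport 80 -j ACCEPT' < "$RULES_FILE"
```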
Recipe 2.19 Saving a Firewall Configuration

2.19.1 Problem

You want to save your firewall configuration.

2.19.2 Solution

Save your settings. For iptables:

    # iptables-save > /etc/sysconfig/iptables

For ipchains:

    # ipchains-save > /etc/sysconfig/ipchains

The destination filename is up to you, but some Linux distributions (notably Red Hat) refer to the files we used inside their associated /etc/init.d scripts.

2.19.3 Discussion

ipchains-save and iptables-save print your firewall rules in a text format readable by ipchains-restore and iptables-restore, respectively. [Recipe 2.20]

Our recipes using iptables-save, iptables-restore, ipchains-save, and ipchains-restore will work for both Red Hat and SuSE. However, SuSE by default takes a different approach: instead of saving and restoring rules, SuSE builds rules from variables set in /etc/sysconfig/SuSEfirewall2.

2.19.4 See Also

iptables-save(8), ipchains-save(8), iptables(8), ipchains(8).
Recipe 2.20 Loading a Firewall Configuration

2.20.1 Problem

You want to load your firewall rules, e.g., at boot time.

2.20.2 Solution

Use ipchains-restore or iptables-restore. Assuming you've saved your firewall configuration in /etc/sysconfig [Recipe 2.19], for iptables:

    #!/bin/sh
    echo 1 > /proc/sys/net/ipv4/ip_forward      # (optional)
    iptables-restore < /etc/sysconfig/iptables

For ipchains:

    #!/bin/sh
    echo 1 > /proc/sys/net/ipv4/ip_forward      # (optional)
    ipchains-restore < /etc/sysconfig/ipchains

To tell Red Hat Linux that firewall rules should be loaded at boot time:

    # chkconfig iptables on
    # chkconfig ipchains on

2.20.3 Discussion

Place the load commands in one of your system rc files. Red Hat Linux already has rc files "iptables" and "ipchains" in /etc/init.d that you can simply enable using chkconfig. SuSE Linux, in contrast, has a script /sbin/SuSEpersonal-firewall that invokes iptables or ipchains rules, and it's optionally started by /etc/init.d/personal-firewall.initial and /etc/init.d/personal-firewall.final at boot time.

To roll your own solution, you can write a script like the following and invoke it from an rc file of your choice:

    #!/bin/sh
    # Uncomment either iptables or ipchains
    PROGRAM=/usr/sbin/iptables
    #PROGRAM=/sbin/ipchains

    FIREWALL=`/bin/basename $PROGRAM`          # "iptables" or "ipchains"
    RULES_FILE=/etc/sysconfig/${FIREWALL}      # the file saved in Recipe 2.19
    LOADER=${PROGRAM}-restore                  # iptables-restore or ipchains-restore
    FORWARD_BIT=/proc/sys/net/ipv4/ip_forward

    if [ ! -f ${RULES_FILE} ]
    then
        echo "$0: Cannot find ${RULES_FILE}" 1>&2
        exit 1
    fi

    case "$1" in
    start)
        echo 1 > ${FORWARD_BIT}
        ${LOADER} < ${RULES_FILE} || exit 1
        ;;
    stop)
        ${PROGRAM} -F             # Flush all rules (built-in chain policies stay as they are)
        ${PROGRAM} -X             # Delete user-defined chains
        echo 0 > ${FORWARD_BIT}
        ;;
    *)
        echo "Usage: $0 start|stop" 1>&2
        exit 1
        ;;
    esac

Make sure you load your firewall rules for all appropriate runlevels where networking is enabled. On most systems this includes runlevels 2 (multiuser without NFS), 3 (full multiuser), and 5 (X11). Check /etc/inittab