A persistent iptables startup script for Debian based systems
From Ubuntucy Wiki
Persistent iptables rules on Debian-based systems.
One feature I always liked on RedHat-based systems is the iptables startup script that you can invoke to start or stop the firewall rules. On Debian there are many CLI and GUI front-ends to iptables, but most of them involve learning new syntax and configuration options. On RedHat all rules are kept in a single file in iptables-save format and loaded at boot with iptables-restore. Since squeeze (currently Debian testing) a package with similar functionality has appeared. Its name is iptables-persistent, and its init script simply loads the rules from /etc/iptables/rules with iptables-restore. Since I wanted more customization, I tweaked the script to match my needs.
To install iptables-persistent:
aptitude install iptables-persistent
The original version (the init script shipped by the package):
#!/bin/sh
### BEGIN INIT INFO
# Provides:          iptables
# Required-Start:    mountkernfs $local_fs
# Required-Stop:     $local_fs
# Default-Start:     S
# Default-Stop:
# Short-Description: Set up iptables rules
### END INIT INFO

case "$1" in
  start)
    # Load the saved rules, if any; iptables-restore replaces each table atomically
    if [ -f /etc/iptables/rules ]; then
        iptables-restore </etc/iptables/rules
    fi
    ;;
  stop|force-stop|restart|force-reload|status)
    # Nothing to do: the package only loads rules at boot
    ;;
  *)
    echo "Usage: $0 {start|stop|force-stop|restart|force-reload|status}" >&2
    exit 1
    ;;
esac

exit 0
The modified version:
#!/bin/sh
### BEGIN INIT INFO
# Provides:          iptables
# Required-Start:    mountkernfs $local_fs
# Required-Stop:     $local_fs
# Default-Start:     S
# Default-Stop:
# Short-Description: Set up iptables rules
### END INIT INFO

PATH="/sbin:/bin:/usr/sbin:/usr/bin"
CONF=/etc/iptables/iptables.conf
RULES=/etc/iptables/rules
LOCK=/var/run/iptables

# Defaults; the config file overrides them when present
SAVE_NEW_RULES=0
MODULES=""
ENABLE_ROUTING=0

# Include the config file for iptables-persistent (sourcing a missing file
# would abort the script under sh, so check first)
[ -r "$CONF" ] && . "$CONF"

case "$1" in
  start)
    if [ -e "$LOCK" ]; then
        echo "iptables is already started!" >&2
        exit 1
    fi
    touch "$LOCK"
    if [ "$ENABLE_ROUTING" -ne 0 ]; then
        # Enable routing (IP forwarding between interfaces)
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
    # Load modules (connection-tracking / NAT helpers)
    [ -n "$MODULES" ] && modprobe -a $MODULES
    # Load saved rules; iptables-restore replaces each table atomically, so a
    # failed restore leaves the previous rule set in place
    if [ -f "$RULES" ]; then
        if ! iptables-restore <"$RULES"; then
            echo "iptables-restore failed, rules not loaded!" >&2
            rm -f "$LOCK"
            exit 1
        fi
    fi
    ;;
  stop|force-stop)
    if [ ! -e "$LOCK" ]; then
        echo "iptables is already stopped!" >&2
        exit 1
    fi
    if [ "$SAVE_NEW_RULES" -ne 0 ]; then
        # Back up the old rules file (if any), then save the running rule set
        [ -f "$RULES" ] && cp "$RULES" "$RULES.bak"
        iptables-save >"$RULES"
    fi
    # Restore default policies: from here on the host accepts everything
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    # Flush rules and delete user-defined chains on the default tables
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    # Unload previously loaded modules (fails harmlessly if still in use)
    [ -n "$MODULES" ] && modprobe -r $MODULES
    # Disable routing if it was enabled
    if [ "$ENABLE_ROUTING" -ne 0 ]; then
        echo 0 > /proc/sys/net/ipv4/ip_forward
    fi
    rm -f "$LOCK"
    ;;
  restart|force-reload)
    $0 stop
    $0 start
    ;;
  status)
    # -n: print numeric addresses and ports; name lookups can hang when the
    # rules themselves block DNS replies
    echo "Filter Rules:"
    echo "--------------"
    iptables -L -v -n
    echo ""
    echo "NAT Rules:"
    echo "-------------"
    iptables -t nat -L -v -n
    echo ""
    echo "Mangle Rules:"
    echo "----------------"
    iptables -t mangle -L -v -n
    ;;
  *)
    echo "Usage: $0 {start|stop|force-stop|restart|force-reload|status}" >&2
    exit 1
    ;;
esac

exit 0
And the config file:
# A basic config file for the /etc/init.d/iptables-persistent script
#
# Should rules added manually from the command line be saved to
# /etc/iptables/rules when the script is stopped? Assign a value
# different from 0 if you want this enabled.
SAVE_NEW_RULES=0

# Modules to load:
MODULES="nf_nat_ftp nf_conntrack_ftp nf_nat_irc nf_conntrack_irc"

# Enable routing?
ENABLE_ROUTING=1
The "SAVE_NEW_RULES" option controls whether the running rule set is written back to /etc/iptables/rules (the previous file is kept as rules.bak) when you run /etc/init.d/iptables-persistent stop. In my scenario I don't need this, but it could be a useful option in some cases. Note that the LSB header has an empty Default-Stop, so the stop action is never run automatically at shutdown; rules added on the command line are only saved when you invoke stop or restart yourself. The "MODULES" option lists the kernel modules (here the FTP and IRC connection-tracking and NAT helpers) that are loaded when you run /etc/init.d/iptables-persistent start and unloaded on stop. The "ENABLE_ROUTING" option defines whether routing (IP forwarding) between the interfaces of the system is switched on at start and off at stop. One caveat: stop sets all default policies to ACCEPT and flushes the tables, so restart leaves the host unfiltered for the moment between stop and start. To reload a changed rules file without that window, run iptables-restore </etc/iptables/rules directly, which replaces each table atomically.
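Because the start action hands /etc/iptables/rules to iptables-restore blindly, a truncated file (disk full during iptables-save) or one saved after stop had reset the policies to ACCEPT is loaded without complaint. Below is an added example of a pre-flight check for such a file, written here for this page; it is not part of iptables-persistent or of the script above. It assumes the file is in iptables-save format and that a DROP policy on INPUT and FORWARD is the local standard; the function names and the sample rule files are this example's own, and the sample files are constructed inline rather than captured from a real host. The optional dry-run step assumes the installed iptables-restore accepts --test (check the man page on the target).

```shell
#!/bin/sh
# Pre-flight checks for a rules file in iptables-save format, to run before an
# init script passes the file to iptables-restore. Added example; not part of
# iptables-persistent. The DROP-policy requirement is this example's own choice.

# rules_well_formed FILE
# Structural check: every "*table" header must be closed by a COMMIT line,
# COMMIT must not appear outside a table, and every chain or rule line must
# sit inside a table block. Returns 0 when the file is well-formed.
rules_well_formed() {
    [ -f "$1" ] || { echo "$1: no such file" >&2; return 2; }
    awk '
        BEGIN { bad = 0; in_table = 0 }
        /^#/ || /^[ \t]*$/ { next }
        /^\*/ {
            if (in_table) { printf("table %s not closed by COMMIT\n", table); bad = 1 }
            table = substr($0, 2); in_table = 1; next
        }
        /^COMMIT$/ {
            if (!in_table) { print "COMMIT outside a table block"; bad = 1 }
            in_table = 0; next
        }
        !in_table { printf("line outside a table block: %s\n", $0); bad = 1 }
        END {
            if (in_table) { printf("table %s not closed by COMMIT\n", table); bad = 1 }
            exit bad
        }' "$1" >&2
}

# rules_fail_closed FILE
# Policy check: the filter table must exist and its INPUT and FORWARD built-in
# chains must carry a DROP policy (":INPUT DROP [0:0]"), so that a restore
# leaves nothing open if a rule is missing. A file saved right after the stop
# action had reset the policies to ACCEPT fails this check on purpose.
rules_fail_closed() {
    awk '
        BEGIN { bad = 0; seen_filter = 0 }
        /^\*/ { table = substr($0, 2); if (table == "filter") seen_filter = 1; next }
        table == "filter" && /^:(INPUT|FORWARD) / && $2 != "DROP" {
            printf("%s policy is %s, not DROP\n", substr($1, 2), $2); bad = 1
        }
        END {
            if (!seen_filter) { print "no filter table in rules file"; bad = 1 }
            exit bad
        }' "$1" >&2
}

# check_rules_file FILE
# Runs both checks and, when root and iptables-restore is installed, lets the
# real parser dry-run the file with --test (assumed to be supported) without
# touching the live tables. Returns 0 only if everything passes.
check_rules_file() {
    rules_well_formed "$1" || return 1
    rules_fail_closed "$1" || return 1
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test <"$1" || return 1
    fi
    return 0
}

# Constructed sample files (not captured from a real host).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

GOOD_RULES="$TMP/rules.good"
cat >"$GOOD_RULES" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF

# The same rule set as iptables-save would write it after the stop action had
# reset the policies to ACCEPT: well-formed, but fail-open.
OPEN_RULES="$TMP/rules.open"
sed -e 's/^:INPUT DROP/:INPUT ACCEPT/' -e 's/^:FORWARD DROP/:FORWARD ACCEPT/' \
    "$GOOD_RULES" >"$OPEN_RULES"

# A file truncated mid-write: the nat table is never closed by COMMIT.
BROKEN_RULES="$TMP/rules.broken"
sed '$d' "$GOOD_RULES" >"$BROKEN_RULES"

for f in "$GOOD_RULES" "$OPEN_RULES" "$BROKEN_RULES"; do
    if check_rules_file "$f"; then echo "$f: OK"; else echo "$f: REJECTED"; fi
done
```

Dropping `check_rules_file /etc/iptables/rules || exit 1` in front of the iptables-restore call in the start action makes the boot-time load refuse a corrupt or fail-open file instead of silently running with it; the messages go to stderr so they end up in the boot log.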