#1 2015-01-20 21:33:51

MutantJohn
Member
Registered: 2012-12-17
Posts: 95

Ensure that the firewall rules are activated every time you restart

I'm trying to set up a server and the Getting Started guide recommends doing this but it doesn't have Arch-specific instructions. How do I go about doing this?

The Debian/Ubuntu way which seems simple to me is :

sudo nano /etc/network/if-pre-up.d/firewall

and then copy this into the file :

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules

And then making it executable for the current user/group.

Will this work on Arch? I'm just trying to be cautious.

What's the Arch way for re-instating rules upon a complete reboot of the system?

#2 2015-01-20 21:42:20

lucke
Member
From: Poland
Registered: 2004-11-30
Posts: 4,018

Re: Ensure that the firewall rules are activated every time you restart

Well, there's iptables-save and there's

$ cat /usr/lib/systemd/system/iptables.service
[Unit]
Description=Packet Filtering Framework

[Service]
Type=oneshot
ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rules
ExecReload=/usr/bin/iptables-restore /etc/iptables/iptables.rules
ExecStop=/usr/lib/systemd/scripts/iptables-flush
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Last edited by lucke (2015-01-20 21:42:59)

#3 2015-01-20 22:49:06

MutantJohn
Member
Registered: 2012-12-17
Posts: 95

Re: Ensure that the firewall rules are activated every time you restart

Hmm.. I think I'm too dumb/new at this to get what you mean. I've literally never done this stuff before.

#4 2015-01-20 22:55:30

lucke
Member
From: Poland
Registered: 2004-11-30
Posts: 4,018

Re: Ensure that the firewall rules are activated every time you restart

"iptables-save > /etc/iptables/iptables.rules" would save your current iptables rules to /etc/iptables/iptables.rules. Enabling iptables.service would load them on boot.

#5 2015-01-20 23:04:44

MutantJohn
Member
Registered: 2012-12-17
Posts: 95

Re: Ensure that the firewall rules are activated every time you restart

lucke wrote:

"iptables-save > /etc/iptables/iptables.rules" would save your current iptables rules to /etc/iptables/iptables.rules. Enabling iptables.service would load them on boot.

Thank you so much!

#6 2015-01-21 01:46:59

bleach
Member
Registered: 2013-07-26
Posts: 264

Re: Ensure that the firewall rules are activated every time you restart

Something I do is enable the iptables service (Arch uses systemd) and then, after I'm done creating my iptables rules, I also create an alias

# shell alias: dump the live ruleset to the file iptables.service loads, then restart the service
alias ipreup='iptables-save > /etc/iptables/iptables.rules && systemctl restart iptables'

and call it something like ipreup or whatever.

Last edited by bleach (2015-01-21 01:50:38)

#7 2015-05-11 09:26:09

jonm
Member
Registered: 2015-05-11
Posts: 1

Re: Ensure that the firewall rules are activated every time you restart

This is not working for me.  I have:

/usr/lib/systemd/system/iptables.service contents exactly as detailed above.
/etc/iptables/iptables.rules contains valid rules which are applied when I run systemctl start iptables.

I have run systemctl enable iptables, but after reboot I don't get any of the rules applied until I manually run systemctl start iptables.

As far as I can tell, everything's set up as it should be, but I'm new to both Arch and systemd.  Any pointers where to look next?

#8 2016-11-16 21:25:45

mullerivan
Member
Registered: 2016-11-16
Posts: 1

Re: Ensure that the firewall rules are activated every time you restart

I'm just setting my system up.
What I've done so far is:
Create a file at /etc/iptables/iptables.rules

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [251:34691]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT
COMMIT

then I did

systemctl enable iptables.service

and it works well for me :)

To check, you can do sudo iptables -nL

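A pre-flight check for the rules file this thread relies on, added here as an example (not from the thread or from Arch): it parses a constructed iptables-save style file like the one posted above and counts problems that would make iptables-restore fail or lock you out after `systemctl enable iptables.service`. The file path, the sample content and the `check_rules`/`chain_policy` helpers are all assumptions of this example.

```shell
#!/bin/sh
# Sanity-check an iptables-save style rules file before enabling iptables.service.
# Constructed sample (same shape as /etc/iptables/iptables.rules in the thread).
RULES_FILE="${TMPDIR:-/tmp}/iptables.rules.example"
cat > "$RULES_FILE" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT
COMMIT
EOF

# Print the default policy of chain $2 in file $1 (e.g. "DROP"); empty if absent.
chain_policy() {
    awk -v chain=":$2" '$1 == chain { print $2 }' "$1"
}

# Count structural problems in file $1 and print the count:
# missing *filter header, missing COMMIT, or an INPUT DROP policy without a
# loopback accept rule or without a RELATED,ESTABLISHED accept rule (both of
# which cut off local services or your own SSH session once the file loads).
check_rules() {
    f="$1"; problems=0
    grep -q '^\*filter$' "$f" || { echo "no *filter table header" >&2; problems=$((problems+1)); }
    grep -q '^COMMIT$' "$f"   || { echo "no COMMIT line" >&2; problems=$((problems+1)); }
    if [ "$(chain_policy "$f" INPUT)" = "DROP" ]; then
        grep -q -- '-A INPUT .*-i lo .*-j ACCEPT' "$f" \
            || { echo "INPUT DROP without loopback accept" >&2; problems=$((problems+1)); }
        grep -q -- '-A INPUT .*RELATED,ESTABLISHED.*-j ACCEPT' "$f" \
            || { echo "INPUT DROP without RELATED,ESTABLISHED accept" >&2; problems=$((problems+1)); }
    fi
    echo "$problems"
}

# On a real Arch box (not run here) follow this with the kernel-side syntax check
# and then enable the unit:  iptables-restore --test "$RULES_FILE" && systemctl enable --now iptables.service
```

This only catches layout and lockout mistakes; `iptables-restore --test` is still the authoritative syntax check.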