I'm trying to set up a server and the Getting Started guide recommends doing this but it doesn't have Arch-specific instructions. How do I go about doing this?
The Debian/Ubuntu way, which seems simple to me, is:
sudo nano /etc/network/if-pre-up.d/firewall
and then copy this into the file:
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules
And then making it executable for the current user/group.
Will this work on Arch? I'm just trying to be cautious.
What's the Arch way for re-instating rules upon a complete reboot of the system?
Well, there's iptables-save and there's
$ cat /usr/lib/systemd/system/iptables.service
[Unit]
Description=Packet Filtering Framework
[Service]
Type=oneshot
ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rules
ExecReload=/usr/bin/iptables-restore /etc/iptables/iptables.rules
ExecStop=/usr/lib/systemd/scripts/iptables-flush
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
Last edited by lucke (2015-01-20 21:42:59)
Hmm.. I think I'm too dumb/new at this to get what you mean. I've literally never done this stuff before.
"iptables-save > /etc/iptables/iptables.rules" would save your current iptables rules to /etc/iptables/iptables.rules. Enabling iptables.service would load them on boot.
> "iptables-save > /etc/iptables/iptables.rules" would save your current iptables rules to /etc/iptables/iptables.rules. Enabling iptables.service would load them on boot.
Thank you so much!
Something I do is, once I've enabled the iptables service (Arch uses systemd) and finished creating my rules, to also create an alias for
iptables-save > /etc/iptables/iptables.rules && systemctl restart iptables
and call it something like ipreup or whatever.
Last edited by bleach (2015-01-21 01:50:38)
This is not working for me. I have:
/usr/lib/systemd/system/iptables.service contents exactly as detailed above.
/etc/iptables/iptables.rules contains valid rules which are applied when I run systemctl start iptables.
I have run systemctl enable iptables, but after reboot I don't get any of the rules applied until I manually run systemctl start iptables.
As far as I can tell, everything's set up as it should be, but I'm new to both Arch and systemd. Any pointers where to look next?
I'm just setting my system up.
What I've done so far is:
Create a file on /etc/iptables/iptables.rules
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [251:34691]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT
COMMIT
then I ran
systemctl enable iptables.service
and it works well for me.
To check, you can run sudo iptables -nL
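The procedure the thread converges on is: write /etc/iptables/iptables.rules in iptables-save format, then enable iptables.service so iptables-restore loads it at boot. The expensive mistake with a ruleset like the one just above (INPUT policy DROP) is enabling a file that is syntactically broken or that drops the loopback, established-connection or SSH traffic you depend on, and finding out after the reboot. The script below is an added example written for this page, not code from any of the posts: it reads a rules file and reports those problems without touching the kernel. The expected rules (loopback ACCEPT, RELATED,ESTABLISHED ACCEPT, 22/tcp ACCEPT when INPUT is DROP) and the sample files it writes are this example's own assumptions, not a real host's configuration.

```shell
#!/bin/sh
# Added example for this thread, not code from the forum posts: a read-only
# sanity check for an iptables-save format file before "systemctl enable
# iptables". It never touches the kernel. The rule expectations (loopback,
# RELATED,ESTABLISHED and SSH accepted when INPUT policy is DROP) are this
# example's assumptions; adjust them to what the host actually needs.

# check_rules FILE: return 0 if FILE looks complete and lockout-safe,
# 1 otherwise, printing each problem found to stderr.
check_rules() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    status=0

    # Every "*table" header needs a matching COMMIT or iptables-restore
    # rejects the whole file. ("|| true": grep -c exits 1 on a zero count.)
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT$' "$f" || true)
    if [ "$tables" -eq 0 ] || [ "$tables" -ne "$commits" ]; then
        echo "$f: $tables table header(s) but $commits COMMIT line(s)" >&2
        status=1
    fi

    # With a DROP policy on INPUT, missing any of these rules breaks local
    # services, replies to outbound connections, or the remote SSH session.
    if grep -q '^:INPUT DROP' "$f"; then
        grep -q -- '-A INPUT .*-i lo .*-j ACCEPT' "$f" ||
            { echo "$f: INPUT DROP without a loopback ACCEPT" >&2; status=1; }
        grep -Eq -- '-A INPUT .*--(state|ctstate) .*ESTABLISHED.*-j ACCEPT' "$f" ||
            { echo "$f: INPUT DROP without RELATED,ESTABLISHED ACCEPT" >&2; status=1; }
        grep -q -- '-A INPUT .*--dport 22 .*-j ACCEPT' "$f" ||
            { echo "$f: INPUT DROP without SSH (22/tcp) ACCEPT, remote lockout" >&2; status=1; }
    fi
    return "$status"
}

# Constructed sample mirroring the ruleset posted above (not a real host's
# file); check_rules should accept it.
write_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT
COMMIT
EOF
}

# Constructed broken sample: DROP policy, SSH rule deleted, COMMIT missing,
# which is what a half-edited file tends to look like; check_rules rejects it.
write_broken() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT
EOF
}

# Usage on a real host (as root), after sourcing this file:
#   check_rules /etc/iptables/iptables.rules && systemctl enable --now iptables
```

Where iptables is installed, `iptables-restore --test /etc/iptables/iptables.rules` is the authoritative syntax check; this script only catches the policy mistakes that a syntactically valid file can still contain. For the "enabled but nothing applied after reboot" symptom reported earlier in the thread, `systemctl status iptables` and `journalctl -b -u iptables` show whether the unit ran at boot and what iptables-restore printed.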