
[ubuntu] Ubuntu v8.10 Auto Start IPTables



sweeny_here
March 4th, 2009, 01:43 PM
Ubuntu v8.10 Intrepid is the base system where I wish to execute IPTables when the NetworkManager Applet v0.7.0 is activated.

I have tried several different approaches with no joy. The principal tutorial considered was Ubuntu Community Iptables HowTo (https://help.ubuntu.com/community/IptablesHowTo)

The /etc/network/interfaces content is -


auto lo
iface lo inet loopback
    address 127.0.0.1
    netmask 255.0.0.0

auto eth1
iface eth1 inet dhcp
    pre-up iptables-restore < /etc/iptables.rules


I also attempted to configure the NetworkManager on startup as per the previous Ubuntu tutorial (https://help.ubuntu.com/community/IptablesHowTo) but was unsuccessful in implementing it.

Any tips or pointers would be most appreciated.

bodhi.zazen
March 4th, 2009, 05:11 PM
What is the problem exactly ?

What is the output of :


sudo iptables -L
sudo cat /etc/iptables.rules
sudo ifconfig

sweeny_here
March 14th, 2009, 08:42 PM
Thanks for your reply and apologies for the delay in getting back to you.

The problem is that IPTables doesn't automatically start when the system boots up, or alternatively when the system goes online!

Here is the info you were seeking -

> sudo iptables -L


Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
ACCEPT tcp -- anywhere anywhere multiport dports www,https
ACCEPT tcp -- anywhere anywhere tcp dpt:ssmtp
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination



> sudo cat /etc/iptables.rules

# Generated by iptables-save v1.4.0 on Tue Mar 3 20:16:56 2009
*filter
:INPUT ACCEPT [9489:8461922]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11058:1546316]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 5/sec -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT


> sudo ifconfig (the x's in the HWaddr and inet6 fields are used for privacy)

eth0 Link encap:Ethernet HWaddr 00:13:77:xx:xx:xx
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:22

eth1 Link encap:Ethernet HWaddr 00:12:f0:xx:xx:xx
inet addr:10.0.1.195 Bcast:10.0.1.255 Mask:255.255.255.0
inet6 addr: fe80::212:f0ff:xxxx:xxxx/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5839 errors:0 dropped:0 overruns:0 frame:0
TX packets:4768 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4726131 (4.7 MB) TX bytes:765259 (765.2 KB)
Interrupt:20 Base address:0xc000 Memory:b8002000-b8002fff

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:12 errors:0 dropped:0 overruns:0 frame:0
TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:676 (676.0 B) TX bytes:676 (676.0 B)

The Cog
March 14th, 2009, 11:06 PM
The output you posted shows that iptables has been configured.
What makes you think it is not being configured automatically?

sweeny_here
March 19th, 2009, 11:56 PM
When I run this command at system startup

sudo iptables -L


It outputs the following

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

And this suggests that IPTables is not automatically starting upon system startup.

Can you suggest how to automatically start IPTables?

bodhi.zazen
March 20th, 2009, 12:16 AM
well, it is a small matter of semantics.

Iptables is built into the kernel and is running.

You need to configure it.

You can use ufw


sudo ufw enable

Uncomplicated Firewall - UFW - Community Ubuntu Documentation (https://help.ubuntu.com/community/Uncomplicated_Firewall_ufw)

there is a gui front end to ufw, gufw. You will need to install it.


sudo apt-get install gufw

Or you can use any number of gui tools. Guarddog, firestarter, etc.

Or you can learn iptables directly.

http://bodhizazen.net/Tutorials/iptables/

If you use iptables directly, then save and restore with iptables-save and iptables-restore (see the link I gave you on iptables).

Xamiga
March 20th, 2009, 12:40 AM
Try using post-up instead of pre-up.
My guess is you have firestarter overwriting your iptables-restore after starting the interface.
If you are doing your own iptables manipulation, I think you need to uninstall firestarter/ufw.

sweeny_here
March 20th, 2009, 12:04 PM
Thanks for the replies guys as you have offered great advice. I seem to have misconveyed the topic as this help is not answering the actual question.

To clarify what it is that I am seeking help on. I would like to be able to start IPTables automatically upon system startup, without using a GUI to configure it. The preference is to use the command line and/or to use scripts to auto start IPTables.

If anyone can point towards this, then fantastic stuff!

bodhi.zazen
March 20th, 2009, 02:15 PM
To clarify what it is that I am seeking help on. I would like to be able to start IPTables automatically upon system startup, without using a GUI to configure it. The preference is to use the command line and/or to use scripts to auto start IPTables.

My last post directly answered this question. iptables is running. If you wish to use the command line use ufw.


sudo ufw enable

The links I gave you on ufw and iptables will give you additional details.

sweeny_here
March 20th, 2009, 07:44 PM
I took a closer look at the IPTables Guide (http://bodhizazen.net/Tutorials/iptables/) which seems very thorough and offers excellent advice.

Also it offers a pointer to where tips on using IPTable scripts can be found on the Ubuntu Forums (https://help.ubuntu.com/community/IptablesHowTo).

I have attempted the suggestions found on the Ubuntu Forums but to no success. There is one comment I would like to ask more detail on.


well, it is a small matter of semantics.

Iptables is built into the kernel and is running.

With IPTables running at system startup, how then can customised rules be loaded automatically?

bodhi.zazen
March 20th, 2009, 07:48 PM
Once I get iptables configured I use iptables-save and iptables-restore.

At the bottom of the guide (I know it is long, sorry)

http://bodhizazen.net/Tutorials/iptables/#Saving_your_configuration

sweeny_here
March 23rd, 2009, 10:26 AM
Thank you for the tip on the /etc/rc.local directory as I've not tried that yet, but will with Ubuntu 8.10.

On the Xubuntu 8.10 system I've found a method via its desktop, not sure how this technique has been activated as it does automatically start the IPTables firewall at system bootup.

Desktop > Applications > Settings > Settings Manager > Autostart Apps. Here I added a command to execute a script which runs the customised firewall rules. The command used is -


sudo /home/username/userscripts/iptables_rules.sh

And the script itself -


#!/bin/bash
# iptables_rules.sh - load the customised rule set
echo
echo "Starting IPTables now ..."
echo

# flush all chains in the filter table
iptables -F

# set the default policy for each of the pre-defined chains
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# accept anything on localhost
iptables -A INPUT -i lo -j ACCEPT

# accept recognised services (these INPUT rules admit inbound connections to the ports)
iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 67:68 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

# SMTP over SSL (465) - as an INPUT rule this admits inbound connections to 465
iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT

# mail submission over TLS (587) - likewise inbound to 587
iptables -A INPUT -p tcp -m tcp --dport 587 -j ACCEPT

# POP3 over SSL (995) inbound
iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT

# allow replies to connections initiated by my outgoing packets
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# drop everything else
iptables -A INPUT -j DROP

# output to screen
echo
echo "Outputting current IPTables settings"
echo
iptables -L -v
echo

bodhi.zazen
March 23rd, 2009, 04:27 PM
DNS uses udp, so you probably do not need the tcp rule for port 53.

Rather than setting the default policy for your INPUT chain to ACCEPT, then dropping everything at the end, just set the default policy to DROP.

I would also specify ports on this line :
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Or at least source ports for traffic you wish to allow.


Otherwise , looks fine.

That script should be owned by root and only root should be able to write to that script.

You can simplify your process by first running the script.

Then :

First become root :

sudo -i

Then :


iptables-save > /etc/iptables.rules

Then open an editor as root:


gksu gedit /etc/rc.local

And add this line (above exit 0 )


iptables-restore < /etc/iptables.rules

sweeny_here
April 1st, 2009, 01:40 AM
Thank you for the last recommendation as it has worked, the IPTable rules now load automatically. These are the steps which worked -

Unload any existing rules from IPTables. I saved this script in my user directory with a ".sh" extension. Here is the script to reset the rules to allow all -



#!/bin/bash
# reset_iptables.sh - remove every rule and user chain, then allow all traffic
echo
echo "Stopping firewall and allowing everyone..."
echo
# -F flushes the rules in each table, -X deletes the (now empty) user-defined chains
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# with the chains empty, the default policies decide everything: set them all to ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT


The above script could be executed by using -


> /home/mydirectory/my_script_name.sh

Next edit IPTable rules and load them into IPtables. I did this in a text editor or you can use the command line. And the script for the new rules -



#!/bin/bash
# iptables_rules.sh - load the customised rule set
echo
echo "Starting IPTables now ..."
echo

# flush all chains in the filter table
iptables -F

# set the default policy for each of the pre-defined chains
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# accept anything on localhost
iptables -A INPUT -i lo -j ACCEPT

# accept recognised services (these INPUT rules admit inbound connections to the ports)
iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 67:68 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

# SMTP over SSL (465) - as an INPUT rule this admits inbound connections to 465
iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT

# mail submission over TLS (587) - likewise inbound to 587
iptables -A INPUT -p tcp -m tcp --dport 587 -j ACCEPT

# POP3 over SSL (995) inbound
iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT

# allow replies to connections initiated by my outgoing packets
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# drop everything else
iptables -A INPUT -j DROP

# output to screen
echo
echo "Outputting current IPTables settings"
echo
iptables -L -v
echo


Set the execute privileges to all users, for these scripts, using -


> sudo chmod +x /home/mydirectory/iptables_rules.sh

Then call the new rules script using -


> /home/mydirectory/iptables_rules.sh


Next save the loaded rules to the IPTables default reference file and edit the auto start location using the following -



Become root:
>sudo -i

Then:
>iptables-save > /etc/iptables.rules

Then open an editor as root:
>gksu gedit /etc/rc.local

And add this line (above exit 0 ):
>iptables-restore < /etc/iptables.rules
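The procedure the thread settles on (build the rule set, iptables-save it to /etc/iptables.rules, iptables-restore it from /etc/rc.local) combined with bodhi.zazen's advice to make DROP the default INPUT policy instead of relying on a trailing catch-all rule, as an added example that is not code from the thread or from any Ubuntu documentation. It writes the rule set directly in iptables-save format (which iptables-restore loads atomically, so there is no window where the chains are flushed but not yet repopulated), lints the file without needing root, and adds the restore line to an rc.local-style file idempotently so re-running it never duplicates the hook. The interface name eth1, the path /etc/iptables.rules and the TCP_IN list of listening ports are assumptions; TCP_IN is empty by default because a client with nothing listening needs no inbound holes, and the same rules file can equally be referenced from the pre-up line in /etc/network/interfaces shown in the first post.

```shell
#!/bin/sh
# Added example, not from the thread. Generates an iptables-restore ruleset with
# a DROP default policy, checks it, and registers the restore hook in rc.local.
# Assumptions: interface eth1, rules path /etc/iptables.rules, TCP_IN lists
# the TCP ports that really have a listener (empty by default).

IFACE="${IFACE:-eth1}"
TCP_IN="${TCP_IN:-}"    # e.g. "22 443" if sshd and a web server are listening

# Emit the ruleset in iptables-save format. INPUT and FORWARD default to DROP,
# so nothing depends on a trailing "-j DROP" rule being present.
gen_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # replies to connections this host opened (covers outbound DNS, web, mail)
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    # DHCP replies on the interface that runs dhcp (server port 67 -> client port 68)
    printf '%s\n' "-A INPUT -i $IFACE -p udp -m udp --sport 67 --dport 68 -j ACCEPT"
    # rate-limited ping
    printf '%s\n' '-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT'
    # explicit inbound holes only for services that are actually listening
    for p in $TCP_IN; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # log (rate-limited) what the DROP policy is about to discard
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7'
    printf '%s\n' 'COMMIT'
}

# Structural check that needs no root: exactly one *filter header and one COMMIT,
# and every other line is a chain policy, an -A rule or a comment.
# Returns 0 if the file looks loadable, 1 otherwise.
lint_rules() {
    file="$1"
    grep -q '^\*filter$' "$file" || return 1
    [ "$(grep -c '^COMMIT$' "$file")" -eq 1 ] || return 1
    if grep -v -E '^(\*[a-z]+|:[A-Za-z0-9_-]+ (ACCEPT|DROP|-) \[[0-9]+:[0-9]+\]|-A [A-Za-z0-9_-]+ .*|COMMIT|#.*)$' "$file" | grep -q .; then
        return 1
    fi
    return 0
}

# Full parse by the real tool without applying anything (needs root and a
# version of iptables-restore that has --test).
dry_run_rules() {
    iptables-restore --test < "$1"
}

# Add "iptables-restore < RULES" to an rc.local-style file exactly once,
# before the first "exit 0" so it runs at boot. Safe to re-run.
install_rc_hook() {
    rc="$1"; rules="$2"
    line="iptables-restore < $rules"
    grep -qxF "$line" "$rc" && return 0          # already present
    if grep -q '^exit 0$' "$rc"; then
        tmp="$rc.tmp.$$"
        awk -v l="$line" '/^exit 0$/ && !done { print l; done=1 } { print }' "$rc" > "$tmp" && mv "$tmp" "$rc"
    else
        printf '%s\n' "$line" >> "$rc"
    fi
}

# Usage, as root:
#   gen_rules > /etc/iptables.rules && lint_rules /etc/iptables.rules \
#     && install_rc_hook /etc/rc.local /etc/iptables.rules \
#     && iptables-restore < /etc/iptables.rules
```

Because the file is in iptables-save format, a manual `iptables-restore < /etc/iptables.rules` after editing it is the same operation the boot-time hook performs, so what was tested by hand is exactly what loads at boot; the file should be owned by root and writable only by root, as should any script that feeds iptables.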