I'd like to submit this rc script for the iptables package. It loads rules from /etc/iptables.conf using iptables-restore on start, clears the rules on stop. In addition to this it has a 'save', which uses iptables-save to create /etc/iptables.conf. [see attached]
Created attachment 784: /etc/init.d/iptables
Ah, great. If this gets accepted, I guess it would (at last) resolve bug #46 :)
Thanks for working on this long standing issue :) The script looks fine itself except for setting everything as ACCEPT on stop, which, in my opinion, leaves your system wide open and isn't acceptable. It's too dangerous to be used in its current form as forwarding and NAT should not be enabled by default if the firewall ruleset is flushed. Ideally the script should also support both an iptables save format and a custom firewall script stored in another file (like /etc/firewall.conf) or whatever to make it more generic and useful. Also an ipchains version would come in handy too... :) Anyone interested? :)
*** Bug 46 has been marked as a duplicate of this bug. ***
Added an initscript, conf.d file, and state directory (/var/lib/iptables/). Install iptables-1.2.6a-r1 or higher to get the fix.
You flush the tables without making sure a conservative default policy is set... isn't that a security issue?
Not really, since you shouldn't "stop" without a good reason. Generally I only use "stop" when testing stuff, so there's no point in worrying about the rules. Just flush them and then restart. And if you're shutting down, what's the difference ;-) If you'd like to change it to be on the safe side, by all means.
added this to the tree many moons ago...
*** Bug 7463 has been marked as a duplicate of this bug. ***
I'll fix it in a day or two unless someone else wants to do it tonight.
*** Bug 7404 has been marked as a duplicate of this bug. ***
Ok... I've made some improvements to the iptables initscript. Forwarding is only enabled if certain options are set in /etc/conf.d/iptables and _after_ the previously saved iptables ruleset is reloaded. On service shutdown, INPUT and OUTPUT are set to ACCEPT and FORWARD is set to DROP. Forwarding is disabled via the proc interface. The sysctl entry for forwarding should not be touched as it's there to provide a secure default for people not using the iptables script. The ability to enable forwarding is done as a config option for the iptables script. Of course you're free not to use it (it doesn't add itself to your runlevel profiles), but then of course worrying about such settings is your problem ;) Checked in as 1.2.6a-r3 and 1.2.7a-r2.
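The ordering that the last comment describes (restrictive policy and forwarding off before the flush on stop, ruleset restored before forwarding is enabled on start), written out as an added example; this is not the Gentoo initscript from the attachment. The binary names, the conf.d-style ENABLE_FORWARDING option and the rules file name under /var/lib/iptables/ are assumptions, overridable through environment variables.

```shell
#!/bin/sh
# Added example of a safe stop/start ordering for an iptables initscript.
# Variable defaults are assumptions; set IPTABLES=echo for a dry run.
IPTABLES="${IPTABLES:-iptables}"
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"
IP_FORWARD="${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"
# State directory is from the thread; the file name is a placeholder.
RULES_FILE="${RULES_FILE:-/var/lib/iptables/rules-save}"
ENABLE_FORWARDING="${ENABLE_FORWARDING:-no}"     # conf.d-style option

set_forwarding() {                               # 0 or 1 via the proc interface
    echo "$1" > "$IP_FORWARD"
}

iptables_stop() {
    # 1. Forwarding off first: a flushed FORWARD chain must never pass traffic.
    set_forwarding 0
    # 2. Conservative policies BEFORE the flush; FORWARD stays DROP.
    "$IPTABLES" -P INPUT ACCEPT
    "$IPTABLES" -P OUTPUT ACCEPT
    "$IPTABLES" -P FORWARD DROP
    # 3. Only now flush rules, delete user chains and zero counters per table.
    for table in filter nat mangle; do
        "$IPTABLES" -t "$table" -F
        "$IPTABLES" -t "$table" -X
        "$IPTABLES" -t "$table" -Z
    done
}

iptables_start() {
    # Rules are reloaded before forwarding is (optionally) enabled, so the
    # host never forwards with an unknown ruleset.
    [ -f "$RULES_FILE" ] || { echo "no saved rules at $RULES_FILE" >&2; return 1; }
    "$IPTABLES_RESTORE" < "$RULES_FILE" || return 1
    if [ "$ENABLE_FORWARDING" = "yes" ]; then
        set_forwarding 1
    else
        set_forwarding 0
    fi
}

iptables_save() {
    "$IPTABLES_SAVE" > "$RULES_FILE"
}
```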