Bug 2355 - [enhancement]: iptables rc script
Summary: [enhancement]: iptables rc script
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: x86 Linux
Importance: Lowest enhancement
Assignee: Bruce A. Locke (RETIRED)
Duplicates: 46 7404 7463
Reported: 2002-05-02 15:00 UTC by Chris PeBenito (RETIRED)
Modified: 2003-02-04 19:42 UTC

Attachments
/etc/init.d/iptables (iptables, 1.46 KB, text/plain), 2002-05-02 15:02 UTC, Chris PeBenito (RETIRED)

Description Chris PeBenito (RETIRED) gentoo-dev 2002-05-02 15:00:52 UTC
I'd like to submit this rc script for the iptables package.  It loads rules from
/etc/iptables.conf using iptables-restore on start and clears the rules on stop.
In addition to this it has a 'save', which uses iptables-save to create
/etc/iptables.conf.

[see attached]
Comment 1 Chris PeBenito (RETIRED) gentoo-dev 2002-05-02 15:02:00 UTC
Created attachment 784 [details]
/etc/init.d/iptables
Comment 2 Joachim Blaabjerg (RETIRED) gentoo-dev 2002-05-03 10:58:37 UTC
Ah, great. If this gets accepted, I guess it would (at last) resolve bug #46 :)
Comment 3 Bruce A. Locke (RETIRED) gentoo-dev 2002-05-16 23:57:58 UTC
Thanks for working on this long standing issue :)

The script looks fine itself except for setting everything as
ACCEPT on stop, which, in my opinion, leaves your system wide open and isn't
acceptable.  It's too dangerous to be used in its current form, as forwarding and
NAT should not be enabled by default if the firewall ruleset is flushed.

Ideally the script should also support both an iptables save format and a custom
firewall script stored in another file (like /etc/firewall.conf) or whatever to
make it more generic and useful.

Also an ipchains version would come in handy too... :)

Anyone interested? :)
Comment 4 Bruce A. Locke (RETIRED) gentoo-dev 2002-05-16 23:58:44 UTC
*** Bug 46 has been marked as a duplicate of this bug. ***
Comment 5 Ben Lutgens (RETIRED) gentoo-dev 2002-05-26 12:07:26 UTC
Added an initscript, conf.d file, and state directory (/var/lib/iptables/)
Install iptables-1.2.6a-r1 or higher to get the fix.
Comment 6 Bruce A. Locke (RETIRED) gentoo-dev 2002-05-27 18:16:41 UTC
You flush the tables without making sure a conservative default policy is set...
isn't that a security issue?
Comment 7 Ben Lutgens (RETIRED) gentoo-dev 2002-06-23 10:12:21 UTC
Not really, since you shouldn't "stop" without a good reason. Generally I only
use "stop" when testing stuff, so there's no point in worrying about the rules.
Just flush them and then restart. And if you're shutting down, what's the
difference ;-) If you'd like to change it to be on the safe side, by all means.
Comment 8 Ben Lutgens (RETIRED) gentoo-dev 2002-07-21 13:18:02 UTC
Added this to the tree many moons ago...
Comment 9 Bruce A. Locke (RETIRED) gentoo-dev 2002-09-04 17:00:36 UTC
*** Bug 7463 has been marked as a duplicate of this bug. ***
Comment 10 Bruce A. Locke (RETIRED) gentoo-dev 2002-09-04 17:01:42 UTC
I'll fix it in a day or two unless someone else wants to do it tonight.

Comment 11 Daniel Ahlberg (RETIRED) gentoo-dev 2002-09-05 02:44:05 UTC
*** Bug 7404 has been marked as a duplicate of this bug. ***
Comment 12 Bruce A. Locke (RETIRED) gentoo-dev 2002-09-08 16:00:44 UTC
Ok... I've made some improvements to the iptables initscript.  Forwarding is
only enabled if certain options are set in /etc/conf.d/iptables and _after_ the
previously saved iptables ruleset is reloaded.  On service shutdown, INPUT and
OUTPUT are set to ACCEPT and FORWARD is set to DROP.  Forwarding is disabled via
the proc interface.

The sysctl entry for forwarding should not be touched, as it's there to provide a
secure default for people not using the iptables script.  The ability to enable
forwarding is done as a config option for the iptables script.  Of course you're
free not to use it (it doesn't add itself to your runlevel profiles), but then of
course worrying about such settings is your problem ;)

Checked in as 1.2.6a-r3 and 1.2.7a-r2.
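The stop-sequence difference argued over in comments 3, 6 and 12, as an added POSIX sh example that is not the initscript attached to this bug: the iptables binary and proc paths are assumed defaults, and in the default dry-run mode the commands are only printed, so it can be inspected without root.

```shell
#!/bin/sh
# Added example, not the Gentoo initscript. Contrasts the stop sequence
# objected to in comment 3 (every chain ACCEPT) with the conservative one
# from comment 12 (FORWARD DROP, forwarding disabled). Commands are printed
# unless IPTABLES_DRY_RUN=0; binary and proc paths below are assumed.
: "${IPTABLES_DRY_RUN:=1}"
IPTABLES=${IPTABLES:-/sbin/iptables}
IP_FORWARD=${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}

run() {
    if [ "$IPTABLES_DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Disable forwarding via the proc interface (needs root when not dry-run).
disable_forwarding() {
    if [ "$IPTABLES_DRY_RUN" = 1 ]; then
        printf 'echo 0 > %s\n' "$IP_FORWARD"
    else
        echo 0 > "$IP_FORWARD"
    fi
}

# Original proposal: every chain left at ACCEPT after the flush. On a host
# with ip_forward=1 this leaves the box forwarding with no filtering at all.
stop_wide_open() {
    for chain in INPUT OUTPUT FORWARD; do
        run "$IPTABLES" -P "$chain" ACCEPT
    done
    run "$IPTABLES" -F
}

# Conservative variant: FORWARD goes to DROP before the flush so no forwarded
# packet is passed unfiltered, NAT rules are flushed too, and forwarding is
# switched off in the kernel last (the order comment 12 describes).
stop_conservative() {
    run "$IPTABLES" -P INPUT ACCEPT
    run "$IPTABLES" -P OUTPUT ACCEPT
    run "$IPTABLES" -P FORWARD DROP
    run "$IPTABLES" -F
    run "$IPTABLES" -t nat -F
    disable_forwarding
}

# Check on a dry-run listing: is FORWARD set to DROP before any flush (-F)?
forward_dropped_before_flush() {
    "$1" | awk '/-P FORWARD DROP/ { seen = 1 }
                /-F$/ && !seen   { bad = 1 }
                END { exit bad ? 1 : 0 }'
}
```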