All network services (ftp, apache, samba, ....) should have "use iptables" in their depend() section. Security should be tightened before starting the service. Actually a better solution would be to add the "use iptables" to the "net" service so that when the machine goes online, the firewall is already correctly set up. This would have the added advantage of not having to add the "use iptables" to each and every network service, but only to one.
you can't add 'use iptables' to net because what if your rules involve hostnames? or interfaces? they would all fail... not to mention iptables 'needs net' :) az: any thoughts? or should we just change all the init.d scripts?
> not to mention iptables 'needs net' :)

Well yah! But I guess this line could be deleted, couldn't it? ;)

> should we just change all the init.d scripts ?

I personally don't like this solution, but "iptables" could be renamed to "00iptables" or something like that to ensure that it's loaded before the other services.

> you cant add 'use iptables' to net because what if your rules involve
> hostnames ? or interfaces ? they would all fail ...

Is it good for a firewall to use hostnames instead of IPs anyway? As for interfaces, yes. But right now the iptables script doesn't :D. And if people do need this feature (DHCP clients I guess), they could modify their own config to load net before iptables. It could be documented in the install guide to make it clear (as well as suggesting that they rename the script to ensure proper loading order), and that would help make them think about the implications :).
Daniel, if you don't maintain the script, please reassign to whoever does. SpanKY, this is exactly why I did not want to add an iptables rc-script in the first place :P My take on it is that it's very setup specific. It should work fine for most, but maybe add a comment that states you should modify the deps accordingly to have it start before/after net.eth0, or maybe have an if in its depend()?
Created attachment 7871
Simple script for initialising iptables the first time.

Originally, when there wasn't an /etc/init.d/iptables script, I had created my own very simple init.d/iptables script. At the time, it made sense to me for Gentoo not to have such a script at all, as each user has their own unique situation. During this period, the general installation process I followed was to:

1) Create a one-time iptables initialization script.
2) Add a simple-minded /etc/init.d/iptables script.
3) Modify other init.d scripts to depend on my /etc/init.d/iptables script as needed.

When you guys added your much more professional /etc/init.d/iptables and matching /etc/conf.d/iptables scripts, this had no negative impact on me because my iptables settings were already initialized and your scripts simply preserved my existing settings. On my systems, iptables is always loaded after net and before everything else.

I'd suggest that perhaps this should be treated more as a documentation issue than anything else. Specifically, there should be a section in the Installation Guide referring to iptables. Further, a reference to an iptables document could be made in the same way that the Desktop Installation Guide refers to the installation of alsa. The secondary iptables document could include an iptables initialization script similar to the one I've provided here, with a discussion of what other init.d scripts to possibly modify depending on when the user wants iptables to start. The included script has many comments specifically geared to n00bs. Perhaps some references to both Daniel's iptables articles as well as other HOW-TO documents could also be included. Anyway, I hope this helps. If you want, I could probably take a first cut at providing a secondary iptables document.
how about before * ?
This bug is very similar to #27087, which I opened a while ago not knowing that the same issue was basically being fought out here. Since there seems to be a lot of confusion on what iptables is, what it does, and where it belongs in the initialization order, I will post some clarification below.

No network service should rely on iptables; instead, they should depend on networking (if they need it), which gets initialized after iptables iff iptables is being used. iptables initialization belongs before net and should probably use logger (instead of need logger). Hopefully I can help to clarify why that is.

First of all, iptables does not and has never used hostname resolution as part of its primary functionality. In fact, iptables does not really use hostname resolution at all, except in some very specific cases:

1) During '#iptables -L', it will do reverse-lookup for IPs unless you specify -n.
2) iptables will forward-lookup hostnames and convert them to IP addresses for you when you add a rule. This is a convenience/laziness feature for users. The input is NOT stored as hostnames at kernel level, for reasons that should be obvious to everyone. You cannot do things like '#iptables -A INPUT -s *.foobar.com -j DROP'. iptables requires IP addresses.

iptables in the kernel never uses DNS (nothing in the kernel uses hostname resolution, afaik), and the iptables userland tools only use it as a convenience feature for better user input/output. This should be a non-issue.

Another common misconception: can you write a rule for an interface before the interface exists? The answer is yes, and you should. iptables does not care whether an interface exists or not. If interface eth16 does not exist, it will simply not match anything with '-i eth16' in the rule. It is perfectly normal (and expected) for iptables to be initialized *before* the network services are available, so that there will never be a time that the interface is not firewalled/filtered. This prevents attacks that may compromise a server between network initialization and iptables initialization; I know this is probably not more than a few seconds, but if a service fails to load it may also delay iptables. I'm sure nobody wants to have their server sitting vulnerable with portmap unfiltered while sendmail chokes because it can't resolve a hostname (this is just an example, please don't respond with something about /etc/hosts.*, you're missing the point).

It is also perfectly normal for iptables to have an rc/init.d script. This is what the authors intended when they wrote the programs 'iptables-save' and 'iptables-restore'. Those programs are meant to help distribution maintainers with initializing and saving (at shutdown or whenever) the iptables firewall setup. It is irrational to expect users to write their own iptables initscript when this work has already been done. There are also performance reasons to use iptables-save, since (from my understanding) iptables will prioritize the tables based on the usage statistics it saves (number of packets/bytes matched).

The only current issue is that the iptables initscript may also try to start forwarding if ENABLE_FORWARDING_IPv4 is 1 in conf.d/iptables. What is the solution? We should remove this option from the iptables initscript and put it somewhere else, probably in init.d/net*. Forwarding/routing and firewalling are two very distinct things. iptables is not about forwarding/routing, it is about firewalling and packet mangling. Here is a free clue for the newbies: NAT is NOT ROUTING. NAT is a specialized form of stateful packet mangling. NATing a packet does *not* determine (unless you make specific routes using ip2tc for your host's address) what a packet's next-hop will be. iptables is not explicitly involved in routing decisions. iptables can determine what does and does not get routed (filtering, using the FORWARD chain), but it is not involved in the actual routing itself; this is done by separate mechanisms within the kernel.

The ENABLE_FORWARDING_IPv4 option really belongs in the conf.d/net script (or conf.d/net.* or wherever). This is also a good place to put things like rp_filter and other options that depend on the interface existing before they can be initialized. I will post a modified iptables initscript in bug #27087 and probably start another bug to set forwarding in init.d/net, where it belongs, instead of in init.d/iptables. Please follow-up in those bugs.

Best regards,
-- mcf
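The ordering argument in the post above (iptables declares "before net", network services depend on net, and a "use iptables" in net would collide with iptables needing net) can be checked with a toy dependency resolver. This is an added example, not code from the bug or from Gentoo's rc system; the need/use/before semantics and the runlevel contents are simplified assumptions.

```python
from collections import defaultdict

# Constructed runlevel: each init script's depend() directives, modelled with
# simplified OpenRC-style semantics (an assumption of this example):
#   need X - hard dep, X must be in the runlevel and start first
#   use X  - soft dep, X starts first only if it is in the runlevel
#   before X - the reverse of X using this script
SCRIPTS = {
    "logger":   {},
    "iptables": {"before": ["net"], "use": ["logger"]},
    "net":      {"need": ["logger"]},
    "sshd":     {"need": ["net"]},
    "apache":   {"need": ["net"], "use": ["logger"]},
}

def start_order(scripts, runlevel):
    """Topologically sort `runlevel`; ValueError on a missing hard
    dependency or a cycle (e.g. net using iptables while iptables needs net)."""
    after = defaultdict(set)  # after[a] = scripts that must start after a
    for name in runlevel:
        deps = scripts[name]
        for dep in deps.get("need", []):
            if dep not in runlevel:
                raise ValueError(f"{name} needs {dep}, not in runlevel")
            after[dep].add(name)
        for dep in deps.get("use", []):
            if dep in runlevel:
                after[dep].add(name)
        for later in deps.get("before", []):
            if later in runlevel:
                after[name].add(later)
    indeg = {n: sum(n in after[a] for a in runlevel) for n in runlevel}
    ready = sorted(n for n in runlevel if indeg[n] == 0)
    order = []
    while ready:                      # Kahn's algorithm, name-sorted ties
        current = ready.pop(0)
        order.append(current)
        for nxt in sorted(after[current]):
            indeg[nxt] -= 1
            if indeg[nxt] == 0:
                ready.append(nxt)
        ready.sort()
    if len(order) != len(runlevel):
        raise ValueError("dependency cycle in runlevel")
    return order

def firewall_precedes_net(scripts, runlevel):
    # True when iptables starts before net, i.e. there is no unfiltered window.
    order = start_order(scripts, runlevel)
    return "iptables" in order and order.index("iptables") < order.index("net")
```

With iptables in the runlevel it lands before net and every service that needs net; leave it out and net still starts, which is the "iff iptables is being used" property the post describes.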
Az: This can be closed now, as iptables now has 'before net' in its initscript.
old bug... open new ones for specific packages if need be