The reason I want the chains saved, is because I'm uning sshdblackd (<a href="http://www.sshblack.com/">http://www.sshblack.com)</a> to block failed ssh attempts on my box<br><br>Here is everything that I did manually...<br>
<br>[root@mars ~]# iptables -L<br>Chain INPUT (policy ACCEPT)<br>target prot opt source destination <br>ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED <br>
ACCEPT all -- anywhere anywhere <br>BLACKLIST tcp -- anywhere anywhere tcp dpt:ssh <br><br>Chain FORWARD (policy ACCEPT)<br>target prot opt source destination
<br><br>Chain OUTPUT (policy ACCEPT)<br>target prot opt source destination <br><br>Chain BLACKLIST (1 references)<br>target prot opt source destination <br>DROP all --
<a href="http://uo82.internetdsl.tpnet.pl">uo82.internetdsl.tpnet.pl</a> anywhere <br>[root@mars ~]# cat /etc/cron.hourly/iptables.cron <br>#!/bin/sh<br>/sbin/iptables-save >/dev/null 2>&1<br>[root@mars
~]# /sbin/iptables-save<br># Generated by iptables-save v1.3.5 on Sun Apr 23 09:24:51 2006<br>*filter<br>:INPUT ACCEPT [19025:2595521]<br>:FORWARD ACCEPT [0:0]<br>:OUTPUT ACCEPT [691823:184550717]<br>:BLACKLIST - [0:0]<br>
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT <br>-A INPUT -i lo -j ACCEPT <br>-A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST <br>-A BLACKLIST -s <a href="http://80.55.144.82">80.55.144.82</a> -j DROP <br>COMMIT
<br># Completed on Sun Apr 23 09:24:51 2006<br>[root@mars ~]# cat /etc/sysconfig/iptables<br># Generated by iptables-save v1.3.5 on Sun Apr 23 09:01:15 2006<br>*filter<br>:INPUT ACCEPT [18650:2543690]<br>:FORWARD ACCEPT [0:0]
<br>:OUTPUT ACCEPT [690115:184341112]<br>:BLACKLIST - [0:0]<br>[664430:180357913] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT <br>[3365:200808] -A INPUT -i lo -j ACCEPT <br>[6:360] -A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
<br>[3:180] -A BLACKLIST -s <a href="http://80.55.144.82">80.55.144.82</a> -j DROP <br>COMMIT<br># Completed on Sun Apr 23 09:01:15 2006<br>[root@mars ~]# reboot <br><br>Broadcast message from root (pts/0) (Sun Apr 23 09:25:40 2006):
<br><br>The system is going down for reboot NOW!<br>[root@mars ~]# <br><br>Last login: Sun Apr 23 09:20:19 2006 from <a href="http://pluto.domain.com">pluto.domain.com</a><br>[root@mars ~]# iptables -L<br>Chain INPUT (policy ACCEPT)
<br>target prot opt source destination <br><br>Chain FORWARD (policy ACCEPT)<br>target prot opt source destination <br><br>Chain OUTPUT (policy ACCEPT)<br>target prot opt source destination
<br>[root@mars ~]# <br><br><br><div><span class="gmail_quote">On 4/23/06, <b class="gmail_sendername">Tim</b> <<a href="mailto:ignored_mailbox@yahoo.com.au">ignored_mailbox@yahoo.com.au</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On Sat, 2006-04-22 at 13:41 -0400, Devon Harding wrote:<br>> I have a cron.hourly script set up to save my iptables chains. When I<br>> reboot, the chain is empty & /etc/sysconfig/iptables contains the<br>> default settings.
<br>><br>> Here is /etc/cron.hourly/iptables.cron:<br>><br>> #!/bin/sh<br>> /etc/init.d/iptables save >/dev/null 2>&1<br><br>What about doing an "iptables-save" command, instead? (See near end of
<br>message.)<br><br>I would have thought that what you're doing saves them to the same place<br>that iptables loads its tables at boot time, but maybe you're getting<br>some strange race condition. And related to that, and in regards to
<br>another posting about "/etc/sysconfig/iptables-config", you might want<br>to look at the same parameters that are inside the<br>"/etc/sysconfig/iptables-config" file.<br><br>My /etc/sysconfig/iptables-config file is the default:
<br><br>IPTABLES_MODULES=""<br>IPTABLES_MODULES_UNLOAD="yes"<br>IPTABLES_SAVE_ON_STOP="no"<br>IPTABLES_SAVE_ON_RESTART="no"<br>IPTABLES_SAVE_COUNTER="no"<br>IPTABLES_STATUS_NUMERIC="yes"
<br><br>I have custom rules stored (once) in the default place iptables reads<br>from at boot time (*), they seem to get read fine.<br><br>* Stored by using: iptables-save > /etc/sysconfig/iptables<br><br>Something else that springs to mind: If you've got SELinux enabled,
<br>perhaps your CRON script needs appropriate SELinux contexts.<br><br>I am curious about why you need to keep saving the tables.<br><br>--<br>(Currently running FC4, occasionally trying FC5.)<br><br>Don't send private replies to my address, the mailbox is ignored.
<br>I read messages from the public lists.<br><br>--<br>fedora-list mailing list<br><a href="mailto:fedora-list@redhat.com">fedora-list@redhat.com</a><br>To unsubscribe: <a href="https://www.redhat.com/mailman/listinfo/fedora-list">
https://www.redhat.com/mailman/listinfo/fedora-list</a><br></blockquote></div><br>