service iptables save, systemctl, and unhelpful error messages

Reindl Harald h.reindl at thelounge.net
Wed Feb 15 14:53:34 UTC 2012



Am 15.02.2012 15:45, schrieb "Jóhann B. Guðmundsson":
> Experienced admins don't use `service iptables ...` anyway (they use the iptables commands directly), so it hardly
> matters to them. The documentation should, however, be updated for those who actually use `service iptables ...`,
> to point this out — so you should file a DOC bug for it.

they do, because years ago they found out how to build their complete
ruleset with a script and how to save the rules so they are applied
again at the next reboot, by

[root at testserver:~]$ service iptables help
Verwendung: iptables {start|stop|restart|condrestart|status|panic|save}
______________________

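#!/bin/bash
#
# Build this host's complete IPv4 firewall ruleset from scratch and persist
# it with "service iptables save" so it is loaded again at boot.
#
# Fail-closed: the INPUT/FORWARD policies are set to DROP *before* the old
# rules are flushed, so the host is never open while the new rules are
# installed. With "set -e" any failing iptables call aborts the script
# BEFORE the save step, so a partial ruleset is never persisted (the
# previously saved rules are what the next boot loads in that case).
#
# NOTE(review): only /sbin/iptables is used, i.e. only the IPv4 tables are
# programmed. If this host has reachable IPv6 addresses, ip6tables is left
# untouched and none of these rules apply to IPv6 traffic.
set -eu

# Script configuration
export IPTABLES="/sbin/iptables"
# Command that persists the ruleset; kept as an array so it is not
# word-split or glob-expanded when executed.
IPTABLES_SAVE=(/sbin/service iptables save)
LOUNGE_WAN="91.118.73.0/24"
RHSOFT_LOCAL="84.113.45.179"
RHSOFT_ARRAKIS="84.113.45.132"
RHSOFT_TESTSERVER="84.113.45.81"
HOST="192.168.196.1"   # currently unused by the rules below
# Source networks that get service access (HTTP, mail, AFP, ping). The order
# is the order in which the rules are appended.
TRUSTED_SOURCES=("$LOUNGE_WAN" "$RHSOFT_LOCAL" "$RHSOFT_ARRAKIS" "$RHSOFT_TESTSERVER")

echo "Setze Regeln zurueck"
# Close INPUT/FORWARD first so nothing is exposed while flushing.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -F
"$IPTABLES" -X
# Every currently loaded table (filter, nat, mangle, raw, ...). The list is
# empty when no ip_tables module is loaded yet, which is not an error.
TABLES=()
if [[ -r /proc/net/ip_tables_names ]]; then
  mapfile -t TABLES < /proc/net/ip_tables_names
fi
# Flush, delete user chains, then zero counters in every table. The status
# of every table is checked, not only the last one.
flush_ok=1
for tbl in "${TABLES[@]}"; do
  "$IPTABLES" -t "$tbl" -F || flush_ok=0
done
if (( flush_ok )); then echo "Flush OK"; else echo "Flush FAILED"; fi
clear_ok=1
for tbl in "${TABLES[@]}"; do
  "$IPTABLES" -t "$tbl" -X || clear_ok=0
done
if (( clear_ok )); then echo "Clear OK"; else echo "Clear FAILED"; fi
for tbl in "${TABLES[@]}"; do
  "$IPTABLES" -t "$tbl" -Z
done
echo ""

echo "Blockiere Traffic zu Beginn"
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD DROP
echo ""

echo "OS-Fingerprinting/Invalide Pakete blockieren"
# Drop conntrack-INVALID packets and the classic malformed TCP flag
# combinations (XMAS, NULL, SYN+FIN, ...) on every interface except lo.
"$IPTABLES" -A INPUT ! -i lo -m state --state INVALID -j DROP
"$IPTABLES" -A INPUT ! -i lo -p tcp -m state --state NEW --dport 0 -j DROP
"$IPTABLES" -A INPUT ! -i lo -p udp -m state --state NEW --dport 0 -j DROP
"$IPTABLES" -A INPUT ! -i lo -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
"$IPTABLES" -A INPUT ! -i lo -p tcp --tcp-flags ALL FIN -j DROP
"$IPTABLES" -A INPUT ! -i lo -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
"$IPTABLES" -A INPUT ! -i lo -p tcp --tcp-flags ALL ALL -j DROP
"$IPTABLES" -A INPUT ! -i lo -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
"$IPTABLES" -A INPUT ! -i lo -p tcp --tcp-flags ALL NONE -j DROP
"$IPTABLES" -A INPUT ! -i lo -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
"$IPTABLES" -A INPUT ! -i lo -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
"$IPTABLES" -A INPUT ! -i lo -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
"$IPTABLES" -A INPUT ! -i lo -p tcp --tcp-flags ACK,FIN FIN -j DROP
"$IPTABLES" -A INPUT ! -i lo -p tcp --tcp-flags ACK,PSH PSH -j DROP
"$IPTABLES" -A INPUT ! -i lo -p tcp --tcp-flags ACK,URG URG -j DROP
echo "Neue Verbindungen ohne SYN-Flag verwefen"
"$IPTABLES" -A INPUT ! -i lo -p tcp ! --syn -m state --state NEW -j DROP
echo "Eingehende Fragmente verwerfen"
# NOTE(review): with connection tracking loaded (the state match above) the
# kernel reassembles fragments before the filter table, so this rule is
# expected to match rarely — confirm it is still wanted.
"$IPTABLES" -A INPUT ! -i lo -f -j DROP
echo "IP-Spoofing des Loopback-Device verhindern"
"$IPTABLES" -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
echo ""

echo "Loopback erlauben"
"$IPTABLES" -A INPUT -i lo -j ACCEPT
echo ""

echo "Ausgehende Pakete erlauben"
"$IPTABLES" -P OUTPUT ACCEPT
echo ""

echo "Antwortpakete erlauben"
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "SSH aus allen Netzen erlauben, Rate-Control"
echo "10022"
# NOTE(review): "-m limit" is one global token bucket for this rule, not a
# per-source limit: a single remote host opening more than 15 connections a
# minute exhausts the budget for every other client as well.
# "-m hashlimit --hashlimit-mode srcip" would limit per client instead.
# The --sport restriction is not a security control (the client chooses its
# source port); it only rejects clients that use a privileged source port.
"$IPTABLES" -A INPUT -p tcp --sport 1024:65535 -m state --syn --state NEW --dport 10022 \
  -m limit --limit 15/minute --limit-burst 15 -j ACCEPT
"$IPTABLES" -A INPUT -p tcp -m state --syn --state NEW --dport 10022 \
  -j REJECT --reject-with icmp-host-unreachable
echo ""

echo "HTTP-Ports aus rhsoft/thelounge-Netzwerken erlauben"
echo "TCP 80,443"
for src in "${TRUSTED_SOURCES[@]}"; do
  "$IPTABLES" -A INPUT -p tcp -s "$src" -m multiport --destination-port 80,443 \
    -m state --state NEW --syn -j ACCEPT
done
echo ""

echo "Mail-Ports aus rhsoft/thelounge-Netzwerken erlauben"
echo "TCP 25,587,465,143,993,2000"
for src in "${TRUSTED_SOURCES[@]}"; do
  "$IPTABLES" -A INPUT -p tcp -s "$src" -m multiport --destination-port 25,587,465,143,993,2000 \
    -m state --state NEW --syn -j ACCEPT
done
echo ""

echo "AFP aus rhsoft/thelounge-Netzwerken erlauben"
echo "TCP 548"
for src in "${TRUSTED_SOURCES[@]}"; do
  "$IPTABLES" -A INPUT -p tcp --sport 1024:65535 -s "$src" --dport 548 \
    -m state --state NEW --syn -j ACCEPT
done
echo ""

echo "Ping aus bekannten Netzwerken erlauben"
for src in "${TRUSTED_SOURCES[@]}"; do
  "$IPTABLES" -A INPUT -p icmp -s "$src" --icmp-type 8 -j ACCEPT
done

echo "Ping aus fremden Netzwerken unterdruecken"
"$IPTABLES" -A INPUT -p icmp --icmp-type 8 -j REJECT --reject-with icmp-host-unreachable

echo "Alle anderen Ports abweisen"
"$IPTABLES" -A INPUT -j REJECT --reject-with icmp-host-unreachable
echo ""

# Persist the ruleset so it is restored at the next boot (on Fedora/RHEL
# "service iptables save" typically writes /etc/sysconfig/iptables). Only
# reached when every rule above was installed successfully.
"${IPTABLES_SAVE[@]}"

echo ""
MY_TIME=$(date "+%d-%m-%Y %H:%M:%S")
echo "$MY_TIME  Firewall-Konfiguration wurde aktualisiert" >> /var/log/scriptlog
echo ""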
