Iptables not saving...

Devon Harding devonharding at gmail.com
Sat May 6 17:42:10 UTC 2006


Any other options on getting this to work?

On 4/24/06, Devon Harding <devonharding at gmail.com> wrote:
> On 4/24/06, Tim <ignored_mailbox at yahoo.com.au> wrote:
> > Be advised that top posting, and using HTML, is a sure-fire way to avoid
> > getting help on a mailing list.  There may well be someone out there who
> > might have the answer to all your woes, but dumps any messages posted
> > that way.
> >
> >
> >
> >
> > On Sun, 2006-04-23 at 09:34 -0400, Devon Harding wrote:
> > > The reason I want the chains saved, is because I'm using sshdblackd
> > > (http://www.sshblack.com) to block failed ssh attempts on my box
> >
> > Considering this snippet from the website (below), I'm not sure that
> > saving the tables is a necessary step, nor perhaps even a good one.
> >
> > "The blacklist is simply a list of source IP addresses that are
> > prohibited from making ssh connections to the protected host. Once a
> > predetermined amount of time has passed, the offending IP address is
> > removed from the blacklist."
> >
> > > Here is everything that I did manually...
> > >
> > > [root at mars ~]# iptables -L
> > > Chain INPUT (policy ACCEPT)
> > > target     prot opt source               destination
> > > ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> > > ACCEPT     all  --  anywhere             anywhere
> > > BLACKLIST  tcp  --  anywhere             anywhere            tcp dpt:ssh
> > >
> > > Chain FORWARD (policy ACCEPT)
> > > target     prot opt source               destination
> > >
> > > Chain OUTPUT (policy ACCEPT)
> > > target     prot opt source               destination
> > >
> > > Chain BLACKLIST (1 references)
> > > target     prot opt source               destination
> > > DROP       all  --  uo82.internetdsl.tpnet.pl  anywhere
> >
> > If you're trying to keep a tight rein on SSH, I'd expect you to only
> > allow it through a range of predetermined IPs, even if you are taking
> > this approach of automatically blackbanning some IPs.
> >
> >
> > > [root at mars ~]# cat /etc/cron.hourly/iptables.cron
> > > #!/bin/sh
> > > /sbin/iptables-save >/dev/null 2>&1
> >
> > As you should see from your next sample output, iptables-save dumps to
> > standard out.  You want to direct its output to where iptables normally
> > keeps its rules, otherwise you'll be "saving" nothing.
> >
> > If FC5 still uses the same place as FC4, I think you'll want to use the
> > iptables-save command more like how I mentioned it near the bottom of my
> > prior posting.
> >
> > e.g. #!/bin/sh
> >      /sbin/iptables-save > /etc/sysconfig/iptables
> >
> > Though, I think you could avoid having to do that just by having
> > iptables save its configuration at shutdown.  At next bootup, it'll pick
> > up from there, without needing a regular save.
> >
> > > [root at mars ~]# /sbin/iptables-save
> > > # Generated by iptables-save v1.3.5 on Sun Apr 23 09:24:51 2006
> > > *filter
> > > :INPUT ACCEPT [19025:2595521]
> > > :FORWARD ACCEPT [0:0]
> > > :OUTPUT ACCEPT [691823:184550717]
> > > :BLACKLIST - [0:0]
> > > -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > > -A INPUT -i lo -j ACCEPT
> > > -A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
> > > -A BLACKLIST -s 80.55.144.82 -j DROP
> > > COMMIT
> > > # Completed on Sun Apr 23 09:24:51 2006
> >
> > *Showing* you what it *would* save.  You have to direct its output to a
> > file to really save it.
> >
> > > [root at mars ~]# cat /etc/sysconfig/iptables
> > > # Generated by iptables-save v1.3.5 on Sun Apr 23 09:01:15 2006
> > > *filter
> > > :INPUT ACCEPT [18650:2543690]
> > > :FORWARD ACCEPT [0:0]
> > > :OUTPUT ACCEPT [690115:184341112]
> > > :BLACKLIST - [0:0]
> > > [664430:180357913] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > > [3365:200808] -A INPUT -i lo -j ACCEPT
> > > [6:360] -A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
> > > [3:180] -A BLACKLIST -s 80.55.144.82 -j DROP
> > > COMMIT
> > > # Completed on Sun Apr 23 09:01:15 2006
> >
> > At this point you should notice that the saved configuration is not the
> > same as your example above it.  The saved configuration is something
> > that was saved beforehand.
> >
> > But here (below) you're striking another problem:
> >
> > > [root at mars ~]# reboot
> > >
> > > Last login: Sun Apr 23 09:20:19 2006 from pluto.domain.com
> > > [root at mars ~]# iptables -L
> > > Chain INPUT (policy ACCEPT)
> > > target     prot opt source               destination
> > >
> > > Chain FORWARD (policy ACCEPT)
> > > target     prot opt source               destination
> > >
> > > Chain OUTPUT (policy ACCEPT)
> > > target     prot opt source               destination
> >
> > Are you running more than one firewall program?  Some can fight with
> > each other.
> >
> > It might be worth trying turning that IPTABLES_SAVE_ON_RESTART="yes"
> > back to "no", in case there's a fault where a "start" gets treated the
> > same as a "restart", and saves empty tables.
> >
> > --
> > (Currently running FC4, occasionally trying FC5.)
> >
> > Don't send private replies to my address, the mailbox is ignored.
> > I read messages from the public lists.
> >
> > --
> > fedora-list mailing list
> > fedora-list at redhat.com
> > To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
> >
>
> I tried setting the script as described above & changed the
> /etc/sysconfig/iptables-config, but still get the same results on
> reboot:
>
> [root at mars ~]# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
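The two problems Tim points out above, an hourly cron job that sends iptables-save to /dev/null and a reboot that comes up with empty tables, can both be handled by a save script that writes to the file the init script reads and refuses to overwrite a good saved file with a ruleset that contains no rules. The script below is an added example, not code from the thread, from Fedora or from sshblack; it assumes the FC4/FC5 path /etc/sysconfig/iptables mentioned in the thread, and the sample dump it checks itself against is constructed (same shape as the dump quoted above, with a documentation address in place of the real one).

```shell
#!/bin/sh
# Added example (not from the thread): a cron-safe replacement for the
# /etc/cron.hourly/iptables.cron script discussed above.
#
# Assumptions: the init script loads its rules from /etc/sysconfig/iptables
# (the FC4/FC5 path named in the thread), and an iptables-save run while the
# tables are empty must never replace a saved file that still has rules.

set -eu

SAVED_RULES="${SAVED_RULES:-/etc/sysconfig/iptables}"

# Number of -A lines in an iptables-save dump read from stdin.  A dump of an
# empty filter table still contains the :INPUT/:FORWARD/:OUTPUT policy lines
# and COMMIT, so only -A lines mean there is something worth keeping.
count_rules() {
    grep -c '^-A ' || true
}

# Copy the dump in $1 to $2 atomically, unless the dump carries no rules.
# Returns 1 (and leaves $2 untouched) for an empty dump, so a run that fires
# while the tables are flushed cannot wipe out the saved BLACKLIST chain.
save_rules() {
    dump="$1"
    dest="$2"
    rules=$(count_rules <"$dump")
    if [ "$rules" -eq 0 ]; then
        echo "save_rules: refusing to save an empty ruleset over $dest" >&2
        return 1
    fi
    tmp="$dest.tmp.$$"
    # The saved file lists the blacklisted and allowed hosts: root-only.
    umask 077
    cp "$dump" "$tmp"
    mv -f "$tmp" "$dest"
    return 0
}

# True when the saved file $1 declares chain $2 (e.g. BLACKLIST).
saved_has_chain() {
    grep -q "^:$2 " "$1"
}

# Constructed sample shaped like the dump quoted in the thread, with a
# documentation address (RFC 5737) instead of the real blacklisted host.
sample_dump() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:BLACKLIST - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
-A BLACKLIST -s 192.0.2.10 -j DROP
COMMIT
EOF
}

# Live use from cron (as root): ./save-iptables.sh --live
# Without --live the script only reports what it would count in the sample.
if [ "${1:-}" = "--live" ]; then
    live=$(mktemp)
    /sbin/iptables-save >"$live"
    save_rules "$live" "$SAVED_RULES"
    rm -f "$live"
else
    echo "sample dump carries $(sample_dump | count_rules) rules"
fi
```

Run it with --live from /etc/cron.hourly in place of the original one-liner; the empty-dump guard is also what protects the saved file if IPTABLES_SAVE_ON_RESTART fires during a "start" that Tim suspects is being treated as a "restart".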