
I'm initializing my iptables rules via /etc/network/if-pre-up.d/iptables, using iptables-restore. This works fine, but I'm a bit worried about what would happen if that script failed for some reason (maybe the saved iptables file is corrupt or whatever).

In case the script failed, I'd like to:

  • Start up my network interfaces without any iptables rules
  • Start up OpenSSH server
  • But not any other services like web server, ... (and maybe stop running instances)

Is there a good canonical way to do that? Going into a lower init stage? - I haven't done that in a long time, and I think that a lot about init has changed in recent years (?) - which stage should I drop to, and would the OpenSSH server and my network interfaces still run?

Thanks

Chris

(On Debian Lenny)

Chris Lercher

2 Answers


Maybe you could do this by looking at the iptables-restore return code, something like this:

INTERFACE="${IFACE:-eth0}"   # ifupdown exports IFACE to if-pre-up.d hooks; eth0 assumed otherwise
if ! iptables-restore < /path/to/iptables.rules; then
    # restore failed: fail closed first, then allow only SSH on the external interface
    iptables -P INPUT DROP
    iptables -A INPUT -p tcp -i "$INTERFACE" --dport 22 -j ACCEPT
fi

this way, if your rules fail to load, iptables would drop all incoming connections except for ssh.

mdeous
  • Yeah, now that I see your script, I like it :-) Especially because you write the DROP policy first - just in case. There's just that small fear inside somewhere of me, that iptables itself might fail, but when I think about it, that's very very unlikely, isn't it? – Chris Lercher Mar 18 '10 at 01:47
  • Yes, I don't see any reason for iptables to fail – mdeous Mar 18 '10 at 12:33
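A fuller version of the fail-safe idea in this answer, as an added example (not the answerer's script): it tries the saved rules, falls back to DROP policies with loopback, established-connection and SSH exceptions, and leaves a marker file so a later boot script can decide not to start the web server and friends. Assumed: the rule file and marker paths, that ifupdown exports IFACE to the hook, and a DRY_RUN switch that prints commands instead of running them.

```sh
#!/bin/sh
# Fail-safe firewall loader for /etc/network/if-pre-up.d/ (added example).
# Assumed: RULES and FLAG paths, that ifupdown exports IFACE to hooks,
# and a DRY_RUN switch that prints commands instead of running them.
RULES="${RULES:-/etc/iptables.rules}"
FLAG="${FLAG:-/var/run/iptables-fallback}"   # marker for later boot scripts

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Minimal ruleset used only when the saved rules cannot be loaded.
# DROP policies go in first so the box fails closed, then the exceptions.
fallback_rules() {
    iface="$1"
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -F
    run iptables -X
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$iface" -p tcp --dport 22 -j ACCEPT
}

# Returns 0 if the saved rules loaded, 1 if the SSH-only fallback is active.
load_firewall() {
    iface="$1"
    if [ -r "$RULES" ] && run iptables-restore < "$RULES"; then
        run rm -f "$FLAG"
        return 0
    fi
    fallback_rules "$iface"
    run touch "$FLAG"     # a later rc script can test -e "$FLAG" and skip apache2 etc.
    run logger -t iptables-fallback "could not load $RULES; SSH-only rules on $iface"
    return 1
}

# ifupdown sets IFACE when it runs the hook; when sourced by hand nothing runs.
if [ -n "${IFACE:-}" ]; then
    load_firewall "$IFACE"
fi
```

Because iptables-restore is atomic, a failed restore leaves the previous table untouched, which is why the fallback flushes explicitly after setting the DROP policies.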

I've never tried this, but another solution that comes to mind is to bind your external services to an internal IP that's not routable at all; even the loopback would probably work. Then, as the last rules in your saved iptables configuration, set up a transparent proxy to the local service.

If iptables fails to come up, you just don't wire up your services. If it does come up, your services just become available.

The only system you leave out of this configuration is SSH, that way you have that out-of-band management.

Of course, your service logs would all have the wrong source IP. I guess this would cover that corner case, though.

McJeff
  • Thanks. Actually, I think iptables-restore is atomic, so it doesn't matter where the rules are placed. Double check that, though. – McJeff Mar 18 '10 at 04:17