This is a discussion on iptables default policy within the Linux Security forums, part of the System Security and Security Related category.
Hi all,

I have created a script with iptables commands and symlinked it to /etc/rc2.d/S22iptables. It comes up after reboot and works very well.

My question now: what happens if the script is NOT executed during the boot process? Maybe the hard disk is corrupt only at the point where the iptables script is located. All other things come up and the server works. Now the server is without protection, isn't it?

It seems that the default iptables policy is ACCEPT all. And if I do not execute a script with iptables commands, no firewall actually exists.

Second question: can I set up iptables so that by default all things are rejected or dropped? It would be very nice if I could do this without any script, for the reason mentioned above.

You are welcome to leave any comments/suggestions/...
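The thread's underlying point is that the built-in chains start at ACCEPT, so a host is only protected once something sets the policies. The following is an added example, not code posted in the thread, showing the ordering a practitioner uses to narrow that window: the ruleset is written in iptables-restore(8) format with the DROP policies on the first lines, and loaded atomically in one step rather than rule by rule. The management port (tcp/22) is an assumption; the ruleset text is generated by a function so it can be inspected without root.

```shell
#!/bin/sh
# Added example (not from the thread): build a fail-closed filter ruleset in
# iptables-restore(8) format. The ':CHAIN POLICY' lines come first, so the
# built-in chains are at DROP before any ACCEPT rule exists, and the whole
# table is swapped in at once by iptables-restore.

ADMIN_PORT="${ADMIN_PORT:-22}"   # assumption: remote administration via SSH on tcp/22

# Print the ruleset to stdout. ':INPUT DROP [0:0]' sets the INPUT chain's
# policy (the [pkts:bytes] counters are reset to zero).
fail_closed_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic is always needed locally.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Remote administration; anything not matched falls through to the DROP policy.
-A INPUT -p tcp --dport ${ADMIN_PORT} -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Load the ruleset. iptables-restore replaces the filter table in one step,
# so there is no moment with a half-built ruleset. Needs root; not run by
# the checks below.
apply_fail_closed() {
    fail_closed_ruleset | iptables-restore
}

# Print the policy that a ruleset (read from stdin) assigns to one built-in
# chain, e.g. 'fail_closed_ruleset | ruleset_policy INPUT' prints DROP.
ruleset_policy() {
    awk -v chain=":$1" '$1 == chain { print $2 }'
}

# Usage: ./fail-closed.sh apply   (anything else only defines the functions)
if [ "${1:-}" = "apply" ]; then
    apply_fail_closed
fi
```

Once the rules are loaded, `iptables-save` prints exactly this format, so the same text can be kept as a file and fed to `iptables-restore` at boot; the point of this example is only the order of the lines, which makes a partially applied ruleset fail closed instead of open.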
crowl wrote:
> Hi all,
>
> I have created a script with iptables commands and symlinked it to
> /etc/rc2.d/S22iptables. It comes up after reboot and works very well.
>
> My question now: what happens if the script is NOT executed during the
> boot process? Maybe the hard disk is corrupt only at the point where
> the iptables script is located. All other things come up and the
> server works. Now the server is without protection, isn't it?
>
> It seems that the default iptables policy is ACCEPT all. And if I do not
> execute a script with iptables commands, no firewall actually exists.
>
> Second question: can I set up iptables so that by default all things are
> rejected or dropped? It would be very nice if I could do this without any
> script, for the reason mentioned above.
>
> You are welcome to leave any comments/suggestions/...

You can put the settings in the "/etc/sysconfig/iptables-config" file.
Randy Ramsdell <me@somewhere.else> wrote in message news:<UvidnRQPhaXQ6U3dRVn-hA@comcast.com>...
> crowl wrote:
> > Hi all,
> >
> > I have created a script with iptables commands and symlinked it to
> > /etc/rc2.d/S22iptables. It comes up after reboot and works very well.
> >
> > My question now: what happens if the script is NOT executed during the
> > boot process? Maybe the hard disk is corrupt only at the point where
> > the iptables script is located. All other things come up and the
> > server works. Now the server is without protection, isn't it?
> >
> > It seems that the default iptables policy is ACCEPT all. And if I do not
> > execute a script with iptables commands, no firewall actually exists.
> >
> > Second question: can I set up iptables so that by default all things are
> > rejected or dropped? It would be very nice if I could do this without any
> > script, for the reason mentioned above.
> >
> > You are welcome to leave any comments/suggestions/...
>
> You can put the settings in the "/etc/sysconfig/iptables-config" file.

I have no file /etc/sysconfig/iptables-config. I'm running Debian. I assume that this is only a script file which has the same effect as my /etc/rc2.d/S22iptables file.

What I'm looking for is a config file, not a script!

find / -name iptable* -print shows the following:
/lib/modules/2.4.18-bf2.4/kernel/net/ipv4/netfilter/iptable_filter.o
/lib/modules/2.4.18-bf2.4/kernel/net/ipv4/netfilter/iptable_mangle.o
/lib/modules/2.4.18-bf2.4/kernel/net/ipv4/netfilter/iptable_nat.o
/lib/iptables
/usr/share/doc/iptables
/usr/share/man/man8/iptables-save.8.gz
/usr/share/man/man8/iptables-restore.8.gz
/usr/share/man/man8/iptables.8.gz
/usr/share/lintian/overrides/iptables
/usr/doc/iptables
/sbin/iptables-save
/sbin/iptables
/sbin/iptables-restore
/etc/init.d/iptables
/etc/default/iptables
/var/lib/dpkg/info/iptables.config
/var/lib/dpkg/info/iptables.list
/var/lib/dpkg/info/iptables.templates
/var/lib/dpkg/info/iptables.postinst
/var/lib/dpkg/info/iptables.prerm
/var/lib/dpkg/info/iptables.postrm
/var/lib/dpkg/info/iptables.conffiles
/var/lib/dpkg/info/iptables.md5sums
/var/lib/iptables
/var/cache/man/cat8/iptables.8.gz

iptables --list shows the following if no iptables script was run before:
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Where can I change these default chains? I assume this is only possible by compiling your own iptable_filter module, isn't it?

Thanks for help.
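The listing above is what an unprotected host shows, so the "script never ran" case crowl is worried about is easy to detect rather than only to prevent. The following is an added example, not code from the thread: it parses "iptables --list" output and fails when INPUT or FORWARD is still at its ACCEPT default, which is what a later init script, a cron job or a monitoring agent can run and alert on. The two samples are constructed; the first is modelled on the output quoted in the post, the second on a host whose rules did load.

```shell
#!/bin/sh
# Added example (not from the thread): detect built-in filter chains that are
# still at their ACCEPT default, i.e. the rules script did not run at boot.
# Works on 'iptables --list' text so it can be exercised without root.

# Constructed sample: an unconfigured host, as quoted in the thread.
SAMPLE_UNCONFIGURED='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample: a host whose fail-closed rules were loaded.
SAMPLE_CONFIGURED='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Read 'iptables --list' output on stdin and print the names of the
# inbound/transit chains (INPUT, FORWARD) whose policy is ACCEPT.
# OUTPUT is deliberately ignored: an ACCEPT egress policy is a common
# deliberate choice, not a sign that nothing was loaded.
open_chains() {
    awk '/^Chain (INPUT|FORWARD) \(policy ACCEPT\)/ { print $2 }'
}

# Exit 0 when INPUT and FORWARD both have a non-ACCEPT policy, 1 otherwise,
# with a one-line warning on stderr naming the open chains.
check_firewall_loaded() {
    open="$(open_chains)"
    if [ -n "$open" ]; then
        echo "WARNING: built-in chain(s) still at default ACCEPT: $(printf '%s' "$open" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Live usage (needs root): iptables --list -n | check_firewall_loaded
```

Run it after the rules script in the boot order, or periodically; a non-zero exit is the signal that the host came up with the kernel's ACCEPT defaults and the firewall rules were never applied.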
crowl wrote:
> Randy Ramsdell <me@somewhere.else> wrote in message news:<UvidnRQPhaXQ6U3dRVn-hA@comcast.com>...
>
>> crowl wrote:
>>
>>> Hi all,
>>>
>>> I have created a script with iptables commands and symlinked it to
>>> /etc/rc2.d/S22iptables. It comes up after reboot and works very well.
>>>
>>> My question now: what happens if the script is NOT executed during the
>>> boot process? Maybe the hard disk is corrupt only at the point where
>>> the iptables script is located. All other things come up and the
>>> server works. Now the server is without protection, isn't it?
>>>
>>> It seems that the default iptables policy is ACCEPT all. And if I do not
>>> execute a script with iptables commands, no firewall actually exists.
>>>
>>> Second question: can I set up iptables so that by default all things are
>>> rejected or dropped? It would be very nice if I could do this without any
>>> script, for the reason mentioned above.
>>>
>>> You are welcome to leave any comments/suggestions/...
>>
>> You can put the settings in the "/etc/sysconfig/iptables-config" file.
>
> I have no file /etc/sysconfig/iptables-config. I'm running Debian. I
> assume that this is only a script file which has the same effect as my
> /etc/rc2.d/S22iptables file.
>
> What I'm looking for is a config file, not a script!
>
> find / -name iptable* -print shows the following:
> /lib/modules/2.4.18-bf2.4/kernel/net/ipv4/netfilter/iptable_filter.o
> /lib/modules/2.4.18-bf2.4/kernel/net/ipv4/netfilter/iptable_mangle.o
> /lib/modules/2.4.18-bf2.4/kernel/net/ipv4/netfilter/iptable_nat.o
> /lib/iptables
> /usr/share/doc/iptables
> /usr/share/man/man8/iptables-save.8.gz
> /usr/share/man/man8/iptables-restore.8.gz
> /usr/share/man/man8/iptables.8.gz
> /usr/share/lintian/overrides/iptables
> /usr/doc/iptables
> /sbin/iptables-save
> /sbin/iptables
> /sbin/iptables-restore
> /etc/init.d/iptables
> /etc/default/iptables
> /var/lib/dpkg/info/iptables.config
> /var/lib/dpkg/info/iptables.list
> /var/lib/dpkg/info/iptables.templates
> /var/lib/dpkg/info/iptables.postinst
> /var/lib/dpkg/info/iptables.prerm
> /var/lib/dpkg/info/iptables.postrm
> /var/lib/dpkg/info/iptables.conffiles
> /var/lib/dpkg/info/iptables.md5sums
> /var/lib/iptables
> /var/cache/man/cat8/iptables.8.gz
>
> iptables --list shows the following if no iptables script was run before:
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Where can I change these default chains? I assume this is only possible
> by compiling your own iptable_filter module, isn't it?
>
> Thanks for help.

Ok, you want to change the fail-safe mode of iptables. I am not sure how to do that, but it is an interesting question. I think you are right, but isn't iptables part of the kernel? I think it would take finding the source and manually editing it, then recompiling the kernel.

BTW, the file I mentioned above is from RH and is an input file for an iptables script which is default on RH systems.