When to start IPTables in RH9 (Linux Security forums, System Security and Security Related category)
I have an RH9 Linux system running as Router/FW.
IPTables 1.2.9 on it and running happily.

Would the following be a sound idea, as to maintainability of the IPTables rules and the effectiveness and security of the FW: immediately after the running of a script in /etc/rc3.d, a partial IPTables script must run, to open up the FW for any necessary ports/protocols/etc. related to that /etc/rc3.d script.

Example and problem: just after running the /etc/rc.d/init.d/named script, the FW must be opened for protocol UDP/port 53. If it is not opened, the subsequent ntpd script would not work, for it opens the FW for a few timeservers, not given by IP number, but by FQN. And it would log a few packet refusals, if not opened immediately.

Same goes for other servers that need specific ports open (or, more generally, need specific IPTables rules effective): samba, apache, sendmail...

For this, I would make a parallel directory for the partial IPTables scripts (eg. /etc/rc.d/iptables/S08named), which would be controlled by a mechanism incorporated in the /etc/rc.d mechanism (S08named things).

Question is, how would I incorporate this parallel mechanism in the startup scripts and where?

fr gr
Erik
Erik wrote:
> I have an RH9 Linux system running as Router/FW.
> IPTables 1.2.9 on it and running happily.
>
> [snip]
>
> For this, I would make a parallel directory for the partial IPTables
> scripts (eg. /etc/rc.d/iptables/S08named), which would be controlled
> by a mechanism incorporated in the /etc/rc.d mechanism (S08named
> things)
>
> Question is, how would I incorporate this parallel mechanism in the
> startup scripts and where ?

RH and Fedora already have an init script for iptables which loads rules from /etc/sysconfig/iptables. You don't have to change it or create another one. Just edit /etc/sysconfig/iptables.
On Sun, 25 Jul 2004 14:22:40 GMT, the right honourable Allen Kistler <ackistler@oohay.moc> wrote:
>Erik wrote:
>> I have an RH9 Linux system running as Router/FW.
>> IPTables 1.2.9 on it and running happily.
>>
>> [snip]
>>
>> For this, I would make a parallel directory for the partial IPTables
>> scripts (eg. /etc/rc.d/iptables/S08named), which would be controlled
>> by a mechanism incorporated in the /etc/rc.d mechanism (S08named
>> things)
>>
>> Question is, how would I incorporate this parallel mechanism in the
>> startup scripts and where ?
>
>RH and Fedora already have an init script for iptables which loads rules
>from /etc/sysconfig/iptables. You don't have to change it or create
>another one. Just edit /etc/sysconfig/iptables.

Yes I know that one. It's just a basic script, that loads at ONE specific moment during startup. So, my problem as described above, remains: how to implement a scheme that opens the FW for certain ports at specific moments:

open the DNS ports right after starting named
open the SAMBA ports just after starting SAMBA
open the NTP ports right after starting the time server
etc.

The problem lies mainly in the use of FQDN in IPTables and ntpd...

frgr
Erik
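One way to build the per-service loader Erik describes, added here as an example and not code from the thread or from Red Hat: each service gets a rule file in a parallel directory (the path /etc/rc.d/iptables/SERVICE.rules and the file format are assumptions), and the loader is called from the end of that service's init script. Because Erik's difficulty is FQDNs in rules, the loader resolves every `-s`/`-d` host at load time and skips (and logs) a rule whose name does not resolve yet, instead of letting one bad name abort the whole file.

```sh
#!/bin/sh
# Added example: load firewall rules for one service right after it starts.
# Assumed layout: $RULEDIR/<service>.rules, one iptables rule per line,
# e.g.  -A OUTPUT -p udp -d ntp.example.org --dport 123 -j ACCEPT
# Call from the end of the service's init script:  load_rules named
IPTABLES=${IPTABLES:-/sbin/iptables}
RULEDIR=${RULEDIR:-/etc/rc.d/iptables}

# resolve_host NAME: print the first IPv4 address for NAME, or fail.
# Dotted-quad literals pass through untouched.
resolve_host() {
    case "$1" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) printf '%s\n' "$1"; return 0 ;;
    esac
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1; exit}' | grep .
}

# load_rules SERVICE: apply every rule in $RULEDIR/SERVICE.rules.
# Prints a one-line summary; per-rule problems go to stderr.
load_rules() {
    svc=$1; file="$RULEDIR/$svc.rules"; applied=0; skipped=0
    [ -r "$file" ] || { echo "$svc: no rule file $file" >&2; return 1; }
    while read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # blank or comment
        set -- $line
        args=''; prev=''; ok=1
        for tok in "$@"; do
            # the token after -s or -d is a host: replace FQDN by its address
            if [ "$prev" = -s ] || [ "$prev" = -d ]; then
                ip=$(resolve_host "$tok") || {
                    echo "$svc: cannot resolve $tok, skipping: $line" >&2
                    ok=0; break
                }
                tok=$ip
            fi
            args="$args $tok"; prev=$tok
        done
        if [ "$ok" -eq 1 ]; then
            $IPTABLES $args && applied=$((applied + 1))
        else
            skipped=$((skipped + 1))
        fi
    done < "$file"
    echo "$svc: $applied rule(s) applied, $skipped skipped"
}
```

A rule skipped at boot because its name could not be resolved still has to be loaded later (for instance by re-running `load_rules` from the service's cron or restart path), so the summary line is worth logging.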