04-26-2012, 09:13 AM
Muhammad Yousuf Khan

iptables service with debian

I ran this command:

iptables -t nat -A POSTROUTING -o eth1 -d 8.8.4.4 -j MASQUERADE

My client computers are able to ping 8.8.4.4.

But when I run "iptables --flush -t nat" it clears the table, but my
client can still ping the destination.
I checked "iptables-save"; it shows that the tables are empty.
I thought that there could be some kind of service related to iptables
in the /etc/init.d folder so that I could restart it, but there is none.
And I noticed that after 5 minutes or so my client computers were not able
to ping, which means my commands take effect after 5 minutes.

But I want every iptables command to take effect promptly. Is there anything
that can be done in this regard? Please help.

One more thing: what could be done to retain all the iptables statements
even after a reboot? I think writing all the iptables commands in
rc.local is not a good idea; it is a workaround.

Can anyone please help in this regard also?

Thanks


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CAGWVfMmQK0uvzaF1jBGbG12Rzeq_O8Fszf=E-StvH8wgPLT-Cg@mail.gmail.com
 
04-26-2012, 09:38 PM
Joe

iptables service with debian

On Thu, 26 Apr 2012 14:13:28 +0500
Muhammad Yousuf Khan <sirtcp@gmail.com> wrote:

> I ran this command:
>
> iptables -t nat -A POSTROUTING -o eth1 -d 8.8.4.4 -j MASQUERADE
>
> My client computers are able to ping 8.8.4.4.
>
> But when I run "iptables --flush -t nat" it clears the table, but my
> client can still ping the destination.
> I checked "iptables-save"; it shows that the tables are empty.
> I thought that there could be some kind of service related to iptables
> in the /etc/init.d folder so that I could restart it, but there is none.
> And I noticed that after 5 minutes or so my client computers were not able
> to ping, which means my commands take effect after 5 minutes.
>
> But I want every iptables command to take effect promptly. Is there anything
> that can be done in this regard? Please help.
>
> One more thing: what could be done to retain all the iptables statements
> even after a reboot? I think writing all the iptables commands in
> rc.local is not a good idea; it is a workaround.
>
> Can anyone please help in this regard also?
>

Iptables commands do work instantly, but state table entries may not
disappear until after their timeout. It has already been pointed out
that the MASQUERADE target is not appropriate for access control, so
you should not be too concerned if it does not work as you expect. If
you were to delete a real iptables access rule, there would be no delay.

I use iptables and its logging fairly regularly for troubleshooting,
which involves altering and repositioning rules to see what's going on,
and I know there is no delay after reloading the rules tables. If you
type an extra rule at a command prompt, it will work the instant you hit
return, assuming you have it right and it doesn't conflict with what
is already there. It's easier to add it to the script in the right
place, and reload the rules tables.

The usual way to organise iptables rules is to have a script that runs
as part of the boot sequence, usually also checking for the correct
modules, starting IP forwarding, etc. It isn't a workaround to run it
from an rc, how else do you think things are started on boot? If you
want something that looks like a daemon, it's not too hard to make a
start-stop script that will load and flush the iptables rules, check
which ruleset if any is currently running and generally work as a
pseudo-service. It's not something that Debian supplies, as a lot of
people prefer to use firewall applications rather than deal with raw
iptables rules.

--
Joe


Archive: http://lists.debian.org/20120426223825.498d08ea@jretrading.com
 
04-27-2012, 07:06 AM
Muhammad Yousuf Khan

iptables service with debian

On Fri, Apr 27, 2012 at 2:38 AM, Joe <joe@jretrading.com> wrote:
> On Thu, 26 Apr 2012 14:13:28 +0500
> Muhammad Yousuf Khan <sirtcp@gmail.com> wrote:
>
>> I ran this command:
>>
>> iptables -t nat -A POSTROUTING -o eth1 -d 8.8.4.4 -j MASQUERADE
>>
>> My client computers are able to ping 8.8.4.4.
>>
>> But when I run "iptables --flush -t nat" it clears the table, but my
>> client can still ping the destination.
>> I checked "iptables-save"; it shows that the tables are empty.
>> I thought that there could be some kind of service related to iptables
>> in the /etc/init.d folder so that I could restart it, but there is none.
>> And I noticed that after 5 minutes or so my client computers were not able
>> to ping, which means my commands take effect after 5 minutes.
>>
>> But I want every iptables command to take effect promptly. Is there anything
>> that can be done in this regard? Please help.
>>
>> One more thing: what could be done to retain all the iptables statements
>> even after a reboot? I think writing all the iptables commands in
>> rc.local is not a good idea; it is a workaround.
>>
>> Can anyone please help in this regard also?
>>
>
> Iptables commands do work instantly, but state table entries may not
> disappear until after their timeout. It has already been pointed out
> that the MASQUERADE target is not appropriate for access control, so
> you should not be too concerned if it does not work as you expect. If
> you were to delete a real iptables access rule, there would be no delay.

Thanks for clearing my concept.
However, I read somewhere via Google that there is a file,
/etc/network/iptables, in Debian from where all the startup scripts run
for the FW. Maybe I didn't get the correct idea out of it, as I am new
and still learning.
So I thought that rc.local is not an appropriate route to choose.

>
> I use iptables and its logging fairly regularly for troubleshooting,
> which involves altering and repositioning rules to see what's going on,
> and I know there is no delay after reloading the rules tables. If you
> type an extra rule at a command prompt, it will work the instant you hit
> return, assuming you have it right and it doesn't conflict with what
> is already there. It's easier to add it to the script in the right
> place, and reload the rules tables.
>
> The usual way to organise iptables rules is to have a script that runs
> as part of the boot sequence, usually also checking for the correct
> modules, starting IP forwarding, etc. It isn't a workaround to run it
> from an rc, how else do you think things are started on boot? If you
> want something that looks like a daemon, it's not too hard to make a
> start-stop script that will load and flush the iptables rules, check
> which ruleset if any is currently running and generally work as a
> pseudo-service. It's not something that Debian supplies, as a lot of
> people prefer to use firewall applications rather than deal with raw
> iptables rules.
>

Since the inception of my career I have been using Microsoft at the server end, but
since I started learning Linux, I don't know what the attraction in it is;
I started liking the command line rather than the GUI. So I am not interested in
applications.






Archive: http://lists.debian.org/CAGWVfMnvnS-nJWeJah1rLJqnARHszsvjz0KVrUy0K9eU_hrf-A@mail.gmail.com
 
04-27-2012, 08:05 AM
Joe

iptables service with debian

On Fri, 27 Apr 2012 12:06:37 +0500
Muhammad Yousuf Khan <sirtcp@gmail.com> wrote:

> Thanks for clearing my concept.
> However, I read somewhere via Google that there is a file,
> /etc/network/iptables, in Debian from where all the startup scripts run
> for the FW. Maybe I didn't get the correct idea out of it, as I am new
> and still learning.
> So I thought that rc.local is not an appropriate route to choose.
>

That's a recommended default location if you use just the iptables-save
and -restore commands, but it isn't created on installation. A
newly-installed Debian system has no iptables infrastructure.

But the save and restore commands only give you the iptables rules, and
you may want to do other network-related things when the 'service' is
started, such as loading conntrack modules for unusual protocols.

--
Joe


Archive: http://lists.debian.org/20120427090537.0dad5679@jretrading.com
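The start-stop pseudo-service Joe describes in his first reply (load the rules, flush them, report which ruleset is running), together with his note above about doing extra work such as loading conntrack modules when the "service" starts, as an added example that is not from the thread and not a script Debian supplies. It assumes the ruleset is kept as an iptables-save dump in /etc/network/iptables (the location the thread mentions), that nf_conntrack_ftp is the only helper module wanted, and that each external command is taken from an environment variable so the status logic can be run without root; the LSB header is written so insserv orders it before networking.

```shell
#!/bin/sh
# Added example, not part of the thread and not a Debian-supplied script: a minimal
# "firewall" pseudo-service. Assumptions: the ruleset is an iptables-save dump in
# /etc/network/iptables, the only conntrack helper wanted is nf_conntrack_ftp, and every
# external command comes from a variable so the status logic can be exercised without root.
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $local_fs
# Required-Stop:     $local_fs
# X-Start-Before:    networking
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: Load the iptables ruleset before networking starts
### END INIT INFO

RULES_FILE="${RULES_FILE:-/etc/network/iptables}"
IPTABLES="${IPTABLES:-iptables}"
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"
MODPROBE="${MODPROBE:-modprobe}"
CONNTRACK_MODULES="${CONNTRACK_MODULES:-nf_conntrack_ftp}"   # assumed helper list

# Fingerprint a ruleset read from stdin. iptables-save output carries a timestamped
# "# Generated by" comment and per-chain [packets:bytes] counters, so a plain diff of
# live against saved rules would never match; strip both before checksumming.
ruleset_fingerprint() {
    sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*\]$//' | cksum | cut -d' ' -f1
}

fw_start() {
    if [ ! -r "$RULES_FILE" ]; then
        echo "firewall: $RULES_FILE is missing, leaving the ruleset untouched" >&2
        return 1
    fi
    for m in $CONNTRACK_MODULES; do $MODPROBE "$m"; done
    # iptables-restore commits each table in one step, so there is no window in which
    # a half-built ruleset is active, unlike a script of one iptables call per rule.
    $IPTABLES_RESTORE < "$RULES_FILE"
    echo 1 > /proc/sys/net/ipv4/ip_forward   # this box routes for the LAN clients
}

# Open the firewall: flush and delete every chain, then reset policies to ACCEPT.
# Connection-tracking entries are not touched; they expire on their own timeouts.
fw_stop() {
    for t in filter nat mangle; do
        $IPTABLES -t "$t" -F
        $IPTABLES -t "$t" -X
    done
    for c in INPUT FORWARD OUTPUT; do $IPTABLES -P "$c" ACCEPT; done
}

fw_save() {
    $IPTABLES_SAVE > "$RULES_FILE"
}

# Report whether the live ruleset matches the saved one; exit status 1 if not.
fw_status() {
    live=$($IPTABLES_SAVE | ruleset_fingerprint)
    saved=$(ruleset_fingerprint < "$RULES_FILE")
    if [ "$live" = "$saved" ]; then
        echo "firewall: ruleset from $RULES_FILE is loaded"
    else
        echo "firewall: live ruleset differs from $RULES_FILE (run 'save' or 'restart')"
        return 1
    fi
}

# With no argument the file only defines the functions, so it can be sourced.
if [ $# -gt 0 ]; then
    case "$1" in
        start)   fw_start ;;
        stop)    fw_stop ;;
        restart) fw_stop; fw_start ;;
        save)    fw_save ;;
        status)  fw_status ;;
        *) echo "Usage: $0 {start|stop|restart|save|status}" >&2; exit 2 ;;
    esac
fi
```

Installed as /etc/init.d/firewall and registered with insserv, `firewall status` answers the "which ruleset, if any, is currently running" question by comparing fingerprints rather than raw text, and `firewall stop` makes the point of the thread visible: rules disappear instantly, while any connection-tracking state they created lives on until its timeout.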
 
04-27-2012, 12:30 PM
Tom H

iptables service with debian

On Fri, Apr 27, 2012 at 4:05 AM, Joe <joe@jretrading.com> wrote:
> On Fri, 27 Apr 2012 12:06:37 +0500
> Muhammad Yousuf Khan <sirtcp@gmail.com> wrote:
>>
>> Thanks for clearing my concept.
>> However, I read somewhere via Google that there is a file,
>> /etc/network/iptables, in Debian from where all the startup scripts run
>> for the FW. Maybe I didn't get the correct idea out of it, as I am new
>> and still learning.
>> So I thought that rc.local is not an appropriate route to choose.
>
> That's a recommended default location if you use just the iptables-save
> and -restore commands, but it isn't created on installation. A
> newly-installed Debian system has no iptables infrastructure.
>
> But the save and restore commands only give you the iptables rules, and
> you may want to do other network-related things when the 'service' is
> started, such as loading conntrack modules for unusual protocols.

It's best to run an iptables script from "/etc/network/if-pre-up.d/".


Archive: http://lists.debian.org/CAOdo=SxRmY_5YbB7AprM-mn+1Ho4+1iYdMXJHXg90AxHeF5oCg@mail.gmail.com
 
04-27-2012, 10:56 PM
Pascal Hambourg

iptables service with debian

Hello,

Muhammad Yousuf Khan wrote:
> I ran this command:
>
> iptables -t nat -A POSTROUTING -o eth1 -d 8.8.4.4 -j MASQUERADE
>
> My client computers are able to ping 8.8.4.4.
>
> But when I run "iptables --flush -t nat" it clears the table, but my
> client can still ping the destination.

Do you mean that the client gets a reply? Surprising.
As Joe wrote, the nat table uses connection tracking state that can be
viewed in /proc/net/nf_conntrack. But AFAIK and IME, a conntrack entry
created by an echo request is deleted after a corresponding echo reply is
received.


Archive: http://lists.debian.org/4F9B242F.70101@plouf.fr.eu.org
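As an added example, not from the thread or from Pascal, here is a small sh/awk helper that lists the /proc/net/nf_conntrack entries whose original destination is a given address, with their remaining timeout, so a connection-tracking entry that outlives a flushed NAT rule can be seen directly instead of inferred from a ping. The sample entries are constructed: 192.168.1.10 is a LAN client, 203.0.113.5 the router's masqueraded address, and the timeouts are illustrative; the column layout is the nf_conntrack one (l3proto, l3num, l4proto, l4num, timeout, optional TCP state, then the original and reply tuples).

```shell
#!/bin/sh
# Added example, not from the thread: show the conntrack entries that keep a flow
# alive after its NAT rule has been flushed. Usage: conntrack_for_dst DST [FILE],
# where FILE defaults to /proc/net/nf_conntrack (readable by root) and "-" reads stdin.
conntrack_for_dst() {
    awk -v want="$1" '
    {
        # Fields: l3proto l3num l4proto l4num timeout [tcp_state] src= dst= ...
        # The first dst= is the original direction; the second is the reply tuple,
        # which MASQUERADE has rewritten to point at the router, not the client.
        state = (index($6, "=") ? "-" : $6)
        for (i = 1; i <= NF; i++) {
            if (substr($i, 1, 4) == "dst=") {
                if ($i == "dst=" want) print $3, $5 "s", state, $(i - 1)
                break
            }
        }
    }' "${2:-/proc/net/nf_conntrack}"
}

# Longest remaining timeout among those entries: an upper bound on how long the
# flow can outlive the rule that created it (0 when there are none).
conntrack_max_timeout() {
    conntrack_for_dst "$@" | awk '{ t = $2 + 0; if (t > max) max = t } END { print max + 0 }'
}

# Constructed sample in nf_conntrack layout: LAN client 192.168.1.10 behind a router
# whose masqueraded address is 203.0.113.5; timeouts are illustrative values.
SAMPLE_CONNTRACK='ipv4     2 icmp     1 29 src=192.168.1.10 dst=8.8.4.4 type=8 code=0 id=1234 src=8.8.4.4 dst=203.0.113.5 type=0 code=0 id=1234 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=8.8.4.4 sport=51234 dport=443 src=8.8.4.4 dst=203.0.113.5 sport=443 dport=51234 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=192.168.1.10 dst=8.8.8.8 sport=40000 dport=53 src=8.8.8.8 dst=203.0.113.5 sport=53 dport=40000 mark=0 use=1'

if [ $# -gt 0 ]; then
    conntrack_for_dst "$@"          # e.g. ./conntrack-check.sh 8.8.4.4
else
    # No arguments: run over the constructed sample instead of the live table.
    printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_for_dst 8.8.4.4 -
fi
```

Run as root right after `iptables -t nat -F`: an empty listing for the address means the ping result is not explained by tracked state, which is Pascal's point about echo request entries being removed once the reply arrives; a listing with a large remaining timeout (the established TCP entry above) is the delayed effect Joe describes.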
 
04-27-2012, 10:59 PM
Pascal Hambourg

iptables service with debian

Tom H wrote:
> On Fri, Apr 27, 2012 at 4:05 AM, Joe <joe@jretrading.com> wrote:
>>
>> But the save and restore commands only give you the iptables rules, and
>> you may want to do other network-related things when the 'service' is
>> started, such as loading conntrack modules for unusual protocols.
>
> It's best to run an iptables script from "/etc/network/if-pre-up.d/".

Only for the rules which are related to a specific interface. Ruleset
initialization should not be done from there.


Archive: http://lists.debian.org/4F9B24D9.80100@plouf.fr.eu.org
 
04-28-2012, 06:41 AM
Tom H

iptables service with debian

On Fri, Apr 27, 2012 at 6:59 PM, Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
> Tom H wrote:
>> On Fri, Apr 27, 2012 at 4:05 AM, Joe <joe@jretrading.com> wrote:
>>>
>>> But the save and restore commands only give you the iptables rules, and
>>> you may want to do other network-related things when the 'service' is
>>> started, such as loading conntrack modules for unusual protocols.
>>
>> It's best to run an iptables script from "/etc/network/if-pre-up.d/".
>
> Only for the rules which are related to a specific interface. Ruleset
> initialization should not be done from there.

Why not? Is this documented somewhere? If not, from where should
iptables rules be launched?

"if-pre-up.d" is the only logical location (and it isn't tied to any
particular NIC) for launching an iptables script since Debian ripped
out "/etc/init.d/iptables".

It's also the recommended location on the Debian wiki:

http://wiki.debian.org/iptables


Archive: http://lists.debian.org/CAOdo=SyopPimh8_yh5cPS-buNqqCVLn9AaEvnWwmq5MhzAgjsQ@mail.gmail.com
 
04-28-2012, 07:40 AM
Joe

iptables service with debian

On Sat, 28 Apr 2012 02:41:29 -0400
Tom H <tomh0665@gmail.com> wrote:

> On Fri, Apr 27, 2012 at 6:59 PM, Pascal Hambourg
> <pascal@plouf.fr.eu.org> wrote:
> > Tom H wrote:
> >> On Fri, Apr 27, 2012 at 4:05 AM, Joe <joe@jretrading.com> wrote:
> >>>
> >>> But the save and restore commands only give you the iptables
> >>> rules, and you may want to do other network-related things when
> >>> the 'service' is started, such as loading conntrack modules for
> >>> unusual protocols.
> >>
> >> It's best to run an iptables script from
> >> "/etc/network/if-pre-up.d/".
> >
> > Only for the rules which are related to a specific interface.
> > Ruleset initialization should not be done from there.
>
> Why not? Is this documented somewhere? If not, from where should
> iptables rules be launched?
>
> "if-pre-up.d" is the only logical location (and it isn't tied to any
> particular NIC) for launching an iptables script since Debian ripped
> out "/etc/init.d/iptables".
>
> It's also the recommended location on the Debian wiki:
>
> http://wiki.debian.org/iptables
>
>

Which also mentions iptables-persistent.

--
Joe


Archive: http://lists.debian.org/20120428084005.0726a93a@jretrading.com
 
04-28-2012, 08:30 AM
Pascal Hambourg

iptables service with debian

Hello,

Tom H wrote:
> On Fri, Apr 27, 2012 at 6:59 PM, Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
>> Tom H wrote:
>>> It's best to run an iptables script from "/etc/network/if-pre-up.d/".
>> Only for the rules which are related to a specific interface. Ruleset
>> initialization should not be done from there.
>
> Why not?

Because it makes no sense to re-initialize the ruleset every time an
interface is activated.

> Is this documented somewhere? If not, from where should
> iptables rules be launched?

Iptables should be initialized from an initscript run before networking.


Archive: http://lists.debian.org/4F9BAA98.70209@plouf.fr.eu.org
 
