Posts Tagged ‘firewall’

Saving Changes for iptables

May 26, 2009 4 comments

iptables rules live only in the running kernel. On a Fedora/CentOS type system you therefore need to save them after every change to your firewall, or they are gone at the next reboot.

iptables-save writes the currently loaded rules to standard output, in a form that iptables-restore can read back, so the output can be redirected to a file.

# iptables-save > /root/firewall-rules
The following command restores all rules from /root/firewall-rules (the file must already exist).

# iptables-restore < /root/firewall-rules

By default, iptables-restore flushes the existing contents of each table named in the file before loading the saved rules. If the saved rules are to be appended to the existing rules instead, use the -n or --noflush option. Either way, read the file before restoring it on a remote machine: if it no longer contains a rule accepting the port you administer the box over, restoring it will lock you out.

Save Your Firewall and Load on Restart

You will need to edit /etc/sysconfig/iptables-config as root so that the iptables service saves and reloads your firewall correctly. Make sure the settings described by the following comments are set to "yes" (module unloading already defaults to "yes"; the two save options default to "no"):

# Unload modules on restart and stop
# Value: yes|no, default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.

# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).

# Save current firewall rules on restart.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
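As an added example (not a fragment of the original post), here are the three settings those comments describe, with the variable names as they appear in the stock /etc/sysconfig/iptables-config shipped with RHEL/CentOS 5 and 6; confirm them against your own copy of the file. The values in the comments are the shipped defaults, the uncommented values are what the post asks for.

```shell
# Added example, not from the original post. Variable names are those of the
# stock RHEL/CentOS iptables-config file; check them against your own copy.

# Unload modules on restart and stop (shipped default: "yes", leave it)
IPTABLES_MODULES_UNLOAD="yes"

# Save current firewall rules on stop (shipped default: "no")
IPTABLES_SAVE_ON_STOP="yes"

# Save current firewall rules on restart (shipped default: "no")
IPTABLES_SAVE_ON_RESTART="yes"
```

One caveat with the two save options: the service saves whatever is loaded at the moment it stops or restarts. If you have flushed the rules by hand while experimenting and then run `service iptables stop`, the empty ruleset is what gets written to /etc/sysconfig/iptables, so keep a copy made with iptables-save before you start experimenting.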

iptables Configuration Files

CentOS and other Red Hat based distributions set iptables rules in /etc/sysconfig/iptables, which may be generated by redirecting the output of iptables-save as follows.

# iptables-save > /etc/sysconfig/iptables
The rules are automatically restored by the script /etc/init.d/iptables at startup. No modification to /etc/init.d/iptables is required. Keep the file owned by root and readable only by root (mode 0600, which is what the service's own save action produces), since it exposes the complete firewall policy to anyone who can read it.

Note that Red Hat based distributions place iptables and related executables in /sbin, not in /usr/sbin.

iptables is not a daemon; it loads rules into the kernel's netfilter tables, and nothing else keeps them, so they do not survive a reboot. The service script's save action writes the currently loaded rules to /etc/sysconfig/iptables, from where the script reloads them at startup:

service iptables save
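As an added example (not code from the original post), the two checks a practitioner would want to run on a saved rules file before handing it to iptables-restore: that the file still contains a deny, so it is not a flushed ruleset that got saved by accident, and that it still accepts the port the box is administered over, so restoring it does not lock you out. It then loads the file with a timed rollback. The script assumes a POSIX shell, SSH on tcp/22, rules in the filter table's INPUT chain, and a backup path of /root/firewall-rules.bak; adjust MGMT_PORT and CHAIN for your setup. The two rule sets at the bottom are constructed samples in iptables-save format, and only the file checks are exercised here, since iptables-save and iptables-restore need root.

```shell
#!/bin/sh
# Added example, not from the original post. Checks a rules file in
# iptables-save format before it is restored, then restores it with a rollback.
# Assumptions: administration over SSH on tcp/22, rules in the INPUT chain,
# backup written to /root/firewall-rules.bak.

MGMT_PORT=${MGMT_PORT:-22}
CHAIN=${CHAIN:-INPUT}

# has_deny FILE: 0 if FILE sets a DROP policy on INPUT or contains at least one
# DROP/REJECT rule. A file failing this is almost certainly a flushed ruleset
# saved by mistake (e.g. IPTABLES_SAVE_ON_STOP=yes after a manual 'iptables -F').
has_deny() {
    grep -Eq '^:INPUT DROP|-j (DROP|REJECT)( |$)' "$1"
}

# allows_mgmt FILE PORT CHAIN: 0 if CHAIN has an ACCEPT rule for tcp/PORT.
# Matches the option order iptables-save emits ("-p tcp -m tcp --dport N").
allows_mgmt() {
    grep -Eq -- "^-A $3 .*-p tcp .*--dport $2( |$).*-j ACCEPT" "$1"
}

# check_rules FILE: run both checks, explaining any failure on stderr.
check_rules() {
    f=$1
    if ! has_deny "$f"; then
        echo "refusing $f: no DROP policy and no DROP/REJECT rule (flushed ruleset?)" >&2
        return 1
    fi
    if ! allows_mgmt "$f" "$MGMT_PORT" "$CHAIN"; then
        echo "refusing $f: $CHAIN does not accept tcp/$MGMT_PORT, you would be locked out" >&2
        return 1
    fi
    return 0
}

# safe_restore FILE: back up the live rules, load FILE, and schedule an
# automatic rollback in 60 s. If the new rules cut your session, the old ones
# come back on their own; if they work, kill the background job to keep them.
safe_restore() {
    check_rules "$1" || return 1
    iptables-save > /root/firewall-rules.bak || return 1
    iptables-restore < "$1" || return 1
    ( sleep 60 && iptables-restore < /root/firewall-rules.bak ) &
    echo "loaded $1; run 'kill $!' within 60 s to keep it"
}

# Constructed sample of a sane ruleset in iptables-save format (demo only).
sample_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Constructed sample of what a flushed firewall saves: policies only, no rules.
flushed_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}
```

Usage on a real box would be `safe_restore /root/firewall-rules` from a root shell: the checks refuse a flushed file or one without your management port, and the background rollback undoes a mistake that kills your SSH session before you can fix it.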


Firewall on Debian Lenny

May 4, 2009 3 comments

A default Linux install is generally harder to compromise than a default Windows one. That isn't an excuse to ignore risk, however, as there are still plenty of ways to compromise a system. The internet is still the modern equivalent of the Wild West and you need to protect yourself whatever you do.
Installing a firewall should be job number one for any machine of any kind that is going to be connected to a network. Even geeks like me who have a hardware firewall on their router still have a firewall on the local machines as a second line of defense against the naughty people.


This is where Debian falls down in my opinion. iptables is built in, but no rules are loaded out of the box, so you have to write a ruleset and arrange for it to be loaded at boot yourself. I got round this by using Firestarter, which is a front end that generates and manages the iptables rules for you behind a nice friendly GUI.
Firestarter is available through Synaptic Package Manager or apt-get, and installs quite quickly. There are a couple of configuration screens but the defaults are pretty much all you need unless you still use dialup or want to share your connection with other machines.

apt-get install firestarter
If installed through apt-get or Synaptic, the package also installs an init script, so the saved rules are loaded at boot and the firewall is active whether or not the GUI is running. This is a good thing as you are automatically protected. I'm not sure I'm quite up to configuring a firewall every time I use the machine!
I love wizards; I think they are great. Tall pointy hats and big sleeves. No!
Firestarter has a configuration wizard which takes all the grunt work out of setting things up for you. The program automatically detects your network hardware and asks you to choose your Internet facing device. If you are on broadband or have a switch or router then this will probably be eth0.
Unless you have a static IP address, leave the 'IP address is assigned via DHCP' box ticked. This option will be suitable for most users, as the majority of ISPs use dynamic IP addressing.

Your next choice will be whether to allow internet connection sharing, that is, whether you want other machines to connect to the internet through your Debian box. Leave it off unless you actually need it, since it turns the machine into a router for everything behind it.
The next page is the last one. See, I told you it was easy.
Here you get to save your options and start the program. If you save here and change your mind later, you can always reconfigure it; nothing is written in stone.

When you first start Firestarter you will see the status page. It shows you pretty much what's going on with it. The main thing you want to check is the Status on the left. There should be a blue circle with the word 'Active' underneath. If you have that, the rules are loaded and the firewall is running.


When the firewall is active it records the connection attempts it blocks. You can check these on the Events page. It is wise to check this page periodically once first configured, to make sure it isn't blocking something you want to let through and to notice anything probing the machine. Other than that you can just leave it alone to do its thing!
Firewalls are another massive subject that go way beyond the scope of this post, but you should at least have a basic understanding of one of many firewall options open to you and have one running while you explore the subject further.