Using /etc/init.d/iptables in Debian and Ubuntu… again
For those of you out there who are both a bit lazy when it comes to scripting (like me) and remember when Debian releases included an init script for iptables (also like me) … well, this post is for you.
There are many, many, many ways to implement boot-time iptables rules on your own Linux box, but the one I like using is the /etc/init.d/iptables script.
This method was available by default in the woody release of Debian but was deprecated in the sarge release a few years later, to be replaced by… well, what, exactly?
Debian’s woody /etc/default/iptables file (sort of) predicted that this change was coming:
Q: You concocted this init.d setup, but you do not like it?
A: I was pretty much hounded into providing it. I do not like it.
Don’t use it. Use /etc/network/interfaces, use /etc/network/*.d/
scripts use /etc/ppp/ip-*.d/ script. Create your own custom
init.d script — no need to even name it iptables. Use ferm,
ipmasq, ipmenu, guarddog, firestarter, or one of the many other
firewall configuration tools available. Do not use the init.d
script.
(Wait a second… was woody really released in 2002? Man, I’m getting old.)
As you can probably tell, I completely ignored this notice/advice/warning, continuing to use the init script to kick off my rules at boot.
Once sarge came out, everything changed.
Amusingly enough, even the sarge iptables release notes knew what confusion might occur once these scripts disappeared:
[ 1. upgrade notes ]
init scripts
If you have upgraded from an earlier version of the iptables
package, you may still have the deprecated init.d scripts and
state information installed, but orphaned from the package.
This was necessary to preserve existing configurations. Run
“update-rc.d -f iptables remove” and delete this list of files
and directories to get rid of it all:
/etc/default/iptables
/etc/init.d/iptables
/var/lib/iptables/
/var/lib/ip6tables/
I’m certain someone will file a bug report about the orphaned
files, but it was done intentionally. Suggestions for a better
approach are welcomed.
That hoped-for “better approach” was not fast in coming for some people, as witnessed on a few Debian mailing lists at the time.
I ended up just saving the init script from an old Debian box, and have had it in some shape or form ever since. I’m not even sure if it’s the same as the original woody release, but I thought I’d put it up here for reference. If anyone wants to use it, feel free!
Here is the /etc/init.d/iptables file I’m using as of October 2009 on all my Debian- and Ubuntu-based machines: iptables init file
To get this working on your machine, you should probably be logged into the console as root. I’ve locked myself out of boxes remotely when messing up iptables, so don’t be “that guy”.
1. Make two directories – one for storing iptables rulesets and one for storing the configurations that the init file uses.
mkdir /etc/iptables
mkdir /var/lib/iptables
2. Create the iptables init script in /etc/init.d/ by pasting the contents of the file into it, using the most awesome text editor in the universe – joe!
joe /etc/init.d/iptables
3. Make the init script executable, and add it to the /etc/rc*.d directories using the update-rc.d command.
chmod 755 /etc/init.d/iptables
update-rc.d iptables defaults
4. Create the iptables ruleset in a file, which you can also run by hand from the CLI.
If I’m in a hurry, I go to Easy Firewall Generator for IPTables, fill out what I need, and copy/paste the results into this file. However, it’s got a LOT of extra, unneeded stuff in there. YMMV.
joe /etc/iptables/boot.rules
5. Run the init script to get two sets of iptables rules: one active set which will run when the system is booted, and an inactive set which can be started if there’s a problem and the firewall needs to be disabled.
Please note that these commands will clear all iptables rules – leaving you with no firewall – and will then save the “inactive” configuration in /var/lib/iptables .
/etc/init.d/iptables clear
/etc/init.d/iptables save inactive
These commands will set the iptables ruleset you’ve defined in /etc/iptables/boot.rules, and then save this configuration so that it runs when the machine boots up. These rules will be active once the command is run, so please be careful. The “active” configuration will also be stored in /var/lib/iptables .
. /etc/iptables/boot.rules
/etc/init.d/iptables save active
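As an added example (not the init script from the post), here is the same save / load / clear cycle written as small POSIX sh functions around iptables-save and iptables-restore. STATE_DIR, IPTABLES_SAVE and IPTABLES_RESTORE are assumed knobs so the logic can be exercised without touching a live firewall, and load_ruleset refuses a truncated dump instead of restoring half a ruleset.

```shell
#!/bin/sh
# Minimal re-creation of the "save active / save inactive / load" logic,
# built on iptables-save / iptables-restore. Added example, not the script
# from the post. Assumed knobs: STATE_DIR (where rulesets live) and
# IPTABLES_SAVE / IPTABLES_RESTORE (overridable for dry runs).
: "${STATE_DIR:=/var/lib/iptables}"
: "${IPTABLES_SAVE:=iptables-save}"
: "${IPTABLES_RESTORE:=iptables-restore}"

# Dump the current ruleset (all tables) to STATE_DIR/<name>, e.g. "active".
save_ruleset() {
    name=$1
    mkdir -p "$STATE_DIR" || return 1
    "$IPTABLES_SAVE" > "$STATE_DIR/$name.tmp" || return 1
    mv "$STATE_DIR/$name.tmp" "$STATE_DIR/$name"   # replace in one step
}

# Sanity-check an iptables-save dump before handing it to iptables-restore:
# every "*table" header must be closed by a COMMIT line; otherwise the file
# was truncated (a half-written save) and restoring it would load an
# incomplete ruleset.
ruleset_is_complete() {
    file=$1
    [ -s "$file" ] || return 1
    tables=$(grep -c '^\*' "$file" || true)
    commits=$(grep -c '^COMMIT' "$file" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# Load STATE_DIR/<name> into the kernel, refusing incomplete files.
load_ruleset() {
    file="$STATE_DIR/$1"
    ruleset_is_complete "$file" || { echo "refusing to load $file" >&2; return 1; }
    "$IPTABLES_RESTORE" < "$file"
}

# Equivalent of the init script's "clear": flush everything and fall back
# to ACCEPT policies, i.e. no firewall at all (what the post warns about).
clear_rules() {
    "$IPTABLES_RESTORE" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}
```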
A final caveat: this method is really, really old; probably bad practice; and possibly discouraged by the Linux gods. However, it works for me.
If you want to learn about a more “normal” method of implementing boot-time iptables rulesets, you can do so by starting at these links and branching out from there:
Getting iptables to survive a reboot