Hi All,

Was wondering if you could help me out. At work we are running CentOS 4.2 as our mailserver/firewall. The script in question is /etc/rc3.d/S08iptables. As this starts before the network adapters are set up, it hoses our iptables script, resulting in denying our internal hosts internet access.

What I would like to do is mv the script to /etc/rc3.d/S11iptables so that the interfaces are up and then the iptables script kicks in. It is in this way that we find it works best for us.

However, on a reboot we found that the "system" moved the script back to its original name of /etc/rc3.d/S08iptables.

How would I "tell the system" to keep the script named as /etc/rc3.d/S11iptables so that it does not automatically rename it back to /etc/rc3.d/S08iptables?

Thank you in advance,

Phil
On Sat, 2005-11-26 at 10:25 -0500, Phil Savoie wrote:
> Hi All,
>
> Was wondering if you could help me out. At work we are running CentOS 4.2 as
> our mailserver/firewall. The script in question is /etc/rc3.d/S08iptables.
> As this starts before the network adapters are set up, it hoses our iptables
> script, resulting in denying our internal hosts internet access.
>
> What I would like to do is mv the script to /etc/rc3.d/S11iptables so that the
> interfaces are up and then the iptables script kicks in. It is in this way
> that we find it works best for us.
>
> However, on a reboot we found that the "system" moved the script back to its
> original name of /etc/rc3.d/S08iptables.
>
> How would I "tell the system" to keep the script named
> as /etc/rc3.d/S11iptables so that it does not automatically rename it back
> to /etc/rc3.d/S08iptables?

Edit the chkconfig line in /etc/init.d/iptables to read 11 instead of 08, then run:

chkconfig iptables reset

--
Ignacio Vazquez-Abrams <ivazquez at ivazquez.net>
http://centos.ivazquez.net/
gpg --keyserver hkp://subkeys.pgp.net --recv-key 38028b72
On Saturday 26 November 2005 10:34, Ignacio Vazquez-Abrams wrote:
> On Sat, 2005-11-26 at 10:25 -0500, Phil Savoie wrote:
> > Hi All,
> >
> > Was wondering if you could help me out. At work we are running CentOS
> > 4.2 as our mailserver/firewall. The script in question is
> > /etc/rc3.d/S08iptables. As this starts before the network adapters are
> > set up, it hoses our iptables script, resulting in denying our internal
> > hosts internet access.
> >
> > What I would like to do is mv the script to /etc/rc3.d/S11iptables so that
> > the interfaces are up and then the iptables script kicks in. It is in
> > this way that we find it works best for us.
> >
> > However, on a reboot we found that the "system" moved the script back to
> > its original name of /etc/rc3.d/S08iptables.
> >
> > How would I "tell the system" to keep the script named
> > as /etc/rc3.d/S11iptables so that it does not automatically rename it
> > back to /etc/rc3.d/S08iptables?
>
> Edit the chkconfig line in /etc/init.d/iptables to read 11 instead of
> 08, then run:
>
> chkconfig iptables reset

Roger that! Thank you.

Phil
Phil Savoie wrote:
> Hi All,
>
> Was wondering if you could help me out. At work we are running CentOS 4.2 as
> our mailserver/firewall. The script in question is /etc/rc3.d/S08iptables.
> As this starts before the network adapters are set up, it hoses our iptables
> script, resulting in denying our internal hosts internet access.

There shouldn't be a problem with that ordering (first iptables, then network). What exactly happens? What is in your network configuration that depends on firewall rules not being loaded?

> What I would like to do is mv the script to /etc/rc3.d/S11iptables so that the
> interfaces are up and then the iptables script kicks in. It is in this way
> that we find it works best for us.

*Very* bad idea. It is possible, but do not do it.

You *really* want to first start iptables, and network only after firewall rules are loaded. Otherwise you would have a race condition when your network interfaces are completely set up (accepting network traffic), but you don't have any firewall rules to protect the host (and/or the network behind it, if the host acts as a firewall).

This window when the race condition would exist (if you swap the order of iptables and network) could be as short as a second or two (on a very fast system with only one statically configured interface), or as long as 10 seconds (or even longer) if you have many interfaces and at least some of them are DHCP configured. Even in the former case, it can be more than long enough for your system to get broken into (by some automated tool that scouts the Internet address space).

Anyhow, if you have problems, it is not the order of the iptables and network startup scripts. Something else is broken in your config. Fix the real underlying problem, don't create new problems by fixing the symptoms only.
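The two replies above hinge on one mechanism: chkconfig builds the /etc/rcN.d/S<prio><name> link from the "# chkconfig: <levels> <start> <stop>" header in the init script, which is why a hand-renamed link is recreated with the old name, and why the start priorities decide whether firewall rules are loaded before interfaces come up. The following is an added example, not code from the thread or from CentOS: it parses such a header, shows the link name chkconfig would create, and checks that the firewall link sorts before the network link. The header text is constructed; 08 is the iptables value the thread mentions, and 10 for network is an assumption for CentOS 4 (the real lines are in /etc/init.d/iptables and /etc/init.d/network on the box).

```shell
#!/bin/sh
# Added example, not from the thread. Parses the "# chkconfig:" header that
# chkconfig reads from an init script, derives the rcN.d link name it creates,
# and checks that iptables starts before network (the ordering the thread
# recommends keeping). Header text below is constructed for the example.

# Print the start priority (leading zeros stripped, "0" if none) from an init
# script's text passed as a string.
chkconfig_start_prio() {
    prio=$(printf '%s\n' "$1" \
        | sed -n 's/^# chkconfig: *[0-9-]* *\([0-9][0-9]*\) *[0-9][0-9]*.*/\1/p' \
        | head -n 1 | sed 's/^0*//')
    printf '%s' "${prio:-0}"
}

# Print the rcN.d link name chkconfig creates for a start priority and service.
rc_link_name() {
    printf 'S%02d%s' "$1" "$2"
}

# Succeed only if the first start priority is strictly lower, i.e. that
# service's link sorts earlier and it is started first.
starts_before() {
    [ "$1" -lt "$2" ]
}

# Constructed header fragments. 08 is the iptables value from the thread;
# 10 for network is an assumption for CentOS 4.
IPTABLES_HDR='#!/bin/bash
#
# iptables  Start iptables firewall
#
# chkconfig: 2345 08 92
# description: Starts, stops and saves iptables firewall'
NETWORK_HDR='#!/bin/bash
#
# network  Bring up/down networking
#
# chkconfig: 2345 10 90
# description: Activates/Deactivates all network interfaces'

# Report the links chkconfig would create and whether the firewall comes up
# before the interfaces do. Returns 1 when interfaces would be unprotected.
check_firewall_before_network() {
    fw=$(chkconfig_start_prio "$1")
    net=$(chkconfig_start_prio "$2")
    printf 'iptables -> /etc/rc3.d/%s\n' "$(rc_link_name "$fw" iptables)"
    printf 'network  -> /etc/rc3.d/%s\n' "$(rc_link_name "$net" network)"
    if starts_before "$fw" "$net"; then
        echo "OK: firewall rules are loaded before interfaces come up"
        return 0
    fi
    echo "WARNING: network starts before iptables; hosts are unprotected during boot"
    return 1
}

check_firewall_before_network "$IPTABLES_HDR" "$NETWORK_HDR"
```

Changing the 08 in the header to 11 (as Ignacio suggests) and re-running the check is exactly the case the second reply warns about: the link becomes S11iptables, sorts after S10network, and the function reports the unprotected window.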