
Re: Iptables at boot

On 1/31/18 12:28 PM, Jacques Rodary wrote:


Many things happened since my first message: I first had to get rid of connman (connection manager), which insisted on presetting iptables rules without any notice. My Debian box is used as a DNS chrooted server (also I had to modify bind9.service behaviour), and I use iptables to do NAT, since I have one routable address for several clients. With Jessie I managed to have all this working. When upgrading to stretch, because of a stupid error with grub on my RAID system, and of an insufficient backup, I lost most of my config. Thanks for your help. When everything is OK, I surely will have a use for your answers.


Have you looked at shorewall? I use it on all my Debian Linux installs. Basically it's a front end to the kernel iptables network filters. It sets up the iptables entries and then goes away, so there is no additional program running after it does its job. It starts up on boot after you have set up the rules the way you want. You have to set a parameter in the /etc/default/shorewall file to have it start, since you don't want to lose the connection to your machine if you are logging in through a network port. That way you can test it before you actually use it. It is driven by several text config files in /etc/shorewall. For instance, NAT is set up easily by this command in the snat file (my internet connection is on eth1 and the local 172 net is on eth0):


I redirect all the DNS and time requests to my router machine even if the client has requested these services from an outside address. I use OpenDNS for its malware filters, so bind is set to forward all non-local DNS queries to the OpenDNS servers. I also use dnscrypt-proxy to get a secure connection to OpenDNS so that I can be assured that the data coming back from OpenDNS hasn't been tampered with. These 2 lines in the rules file accomplish the redirection:

REDIRECT        Loc                     53       tcp,udp   53     -
REDIRECT        Loc                     123     tcp,udp  123    -

There is plenty of documentation and examples for simple setups available on the shorewall web site.
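As an added illustration (not part of the mail above or of the shorewall project), the script below translates the two REDIRECT lines from the rules file into the iptables nat-table commands they roughly correspond to, so the effect on the box can be reviewed before shorewall is started. It assumes the loc zone sits on eth0 as the mail says; the chains shorewall actually generates are structured differently.

```shell
#!/bin/sh
# Added example: translate shorewall 'rules'-file REDIRECT lines into the
# iptables nat-table commands they roughly correspond to. Assumes the 'loc'
# zone interface is eth0 (as in the mail); shorewall's real generated
# chains (e.g. per-zone dnat chains) differ, this shows the net effect only.

# Constructed input: the two REDIRECT lines quoted in the mail.
RULES='REDIRECT        Loc                     53       tcp,udp   53     -
REDIRECT        Loc                     123     tcp,udp  123    -'

# Usage: shorewall_redirect_to_iptables <loc-interface>   (rules on stdin)
# Columns: ACTION SOURCE DEST PROTO DPORT SPORT. For REDIRECT, DEST is the
# firewall port to redirect to and DPORT the port the client asked for.
# Prints one iptables command per protocol; other actions are echoed as SKIP.
shorewall_redirect_to_iptables() {
    iface="$1"
    while read -r action source dest proto dport sport _; do
        [ -z "$action" ] && continue             # blank line
        case "$action" in \#*) continue ;; esac  # comment line
        if [ "$action" != "REDIRECT" ]; then
            echo "SKIP: $action $source $dest $proto $dport $sport"
            continue
        fi
        # "tcp,udp" in the PROTO column expands to one rule per protocol.
        for p in $(echo "$proto" | tr ',' ' '); do
            cmd="iptables -t nat -A PREROUTING -i $iface -p $p --dport $dport"
            [ "$sport" != "-" ] && cmd="$cmd --sport $sport"
            echo "$cmd -j REDIRECT --to-ports $dest"
        done
    done
}

# Run on the constructed rules: yields 4 commands (tcp+udp for 53 and 123).
generated() { printf '%s\n' "$RULES" | shorewall_redirect_to_iptables eth0; }
generated
```

Any client in the loc zone asking an outside address for DNS or NTP is answered by the router itself, which is what makes the OpenDNS/dnscrypt-proxy path mandatory rather than optional for those clients.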