
Running/starting an iptables script at boot

Hi!

I just wanted to ask briefly how I can have my iptables script run directly at startup... or, more generally, how do I have scripts I have written run during the boot process, or right after it?
I have already put it in /etc/init.d and given the script the permissions 755...
What do I have to do next?
Do I still have to register somewhere which runlevel the script should be started in?

I'd be glad if you could help me out with this...

Regards, Mark
Anonymous (Guest)

I once set up the following script (quick and dirty)
and put in a few iptables rules according to my needs.
Roughly the following steps are necessary:
- save the script in /etc/init.d
- adapt the iptables rules to your own needs
- make the script executable, e.g. with chmod 710 <filename>
- create symbolic links in rc3.d and rc5.d (the appropriate runlevels)
- activate the script in the boot process with chkconfig -a <filename>

Kind regards,
Alto Merkt
Now the script:

#! /bin/sh
# start service masquerading
### BEGIN INIT INFO
# Provides: FOO
# Required-Start: $syslog $remote_fs
# X-UnitedLinux-Should-Start: $time ypbind sendmail
# Required-Stop: $syslog $remote_fs
# X-UnitedLinux-Should-Stop: $time ypbind sendmail
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Short-Description: set iptables to restrictions
# Description:
# enable, disable routing via masquerading for local network with
# private ip-addresses
### END INIT INFO
#
#
# * When specifying hard dependencies or ordering requirements, you can
#   use names of services (contents of their Provides: section)
#   or pseudo names starting with a $. The following ones are available
#   according to LSB (1.1):
#       $local_fs       all local file systems are mounted
#                       (most services should need this!)
#       $remote_fs      all remote file systems are mounted
#                       (note that /usr may be remote, so
#                       many services should Require this!)
#       $syslog         system logging facility up
#       $network        low level networking (eth card, ...)
#       $named          hostname resolution available
#       $netdaemons     all network daemons are running
#   The $netdaemons pseudo service has been removed in LSB 1.2.
#   For now, we still offer it for backward compatibility.
#   These are new (LSB 1.2):
#       $time           the system time has been set correctly
#       $portmap        SunRPC portmapping service available
#   UnitedLinux extensions:
#       $ALL            indicates that a script should be inserted
#                       at the end
FOO_BIN=/usr/sbin/iptables
test -x $FOO_BIN || { echo "$FOO_BIN not installed"; exit 5; }
#
# Shell functions sourced from /etc/rc.status:
#      rc_check         check and set local and overall rc status
#      rc_status        check and set local and overall rc status
#      rc_status -v     be verbose in local rc status and clear it afterwards
#      rc_status -v -r  ditto and clear both the local and overall rc status
#      rc_status -s     display "skipped" and exit with status 3
#      rc_status -u     display "unused" and exit with status 3
#      rc_failed        set local and overall rc status to failed
#      rc_failed <num>  set local and overall rc status to <num>
#      rc_reset         clear both the local and overall rc status
#      rc_exit          exit appropriate to overall rc status
#      rc_active        checks whether a service is activated by symlinks
#      rc_splash arg    sets the boot splash screen to arg (if active)
. /etc/rc.status
#
# Reset status of this service
rc_reset
#
# Return values acc. to LSB for all commands but status:
# 0       - success
# 1       - generic or unspecified error
# 2       - invalid or excess argument(s)
# 3       - unimplemented feature (e.g. "reload")
# 4       - user had insufficient privileges
# 5       - program is not installed
# 6       - program is not configured
# 7       - program is not running
# 8--199  - reserved (8--99 LSB, 100--149 distrib, 150--199 appl)
#
case "$1" in
    start)
        echo -n "Starting ip masquerading "
        ## Start daemon with startproc(8). If this fails
        ## the return value is set appropriately by startproc.
        # startproc $FOO_BIN
        # masquerade only ICMP (ping, traceroute) from 192.168.69.0/24
        #iptables -t nat -A POSTROUTING -p icmp -s 192.168.69.0/24 -j MASQUERADE
        # only allow outgoing ping (echo)
        #iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
        #iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
        # but then let error messages through
        #iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
        #iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
        #iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
        #iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
        #iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
        iptables -t nat -A POSTROUTING -p icmp -j MASQUERADE
        # web traffic
        # iptables -A OUTPUT -p tcp --sport 1024: --dport 80 -j ACCEPT
        # iptables -A INPUT -p tcp --sport 80 --dport 1024: ! --syn -j ACCEPT # reverse direction
        # multiport masquerading, at most 15 ports may be given
        iptables -t nat -A POSTROUTING -p tcp -m multiport --destination-port 21,22,23,25,53,80,110 -s 192.168.69.0/24 -j MASQUERADE
        # iptables -t nat -L
        rc_status -v
        ;;
    stop)
        echo -n "Stopping ip masquerading "
        iptables -t nat -F
        rc_status -v
        ;;
    restart)
        ## Stop the service and regardless of whether it was
        ## running or not, start it again.
        $0 stop
        $0 start
        # Remember status and be quiet
        rc_status
        ;;
    status)
        echo "checking ip filter status "
        iptables -t nat -L
        ## iptables is not a daemon, so checkproc(8) on $FOO_BIN would
        ## always report "not running". Treat the service as up when
        ## our MASQUERADE rules are present in the nat POSTROUTING chain.

        # Return value is slightly different for the status command:
        # 0 - service up and running
        # 1 - service dead, but /var/run/  pid file exists
        # 2 - service dead, but /var/lock/ lock file exists
        # 3 - service not running (unused)
        # 4 - service status unknown :-(
        # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)

        iptables -t nat -L POSTROUTING -n | grep -q MASQUERADE || rc_failed 3
        # NOTE: rc_status knows that we called this init script with
        # "status" option and adapts its messages accordingly.
        rc_status -v
        ;;
    *)
        echo "Usage: $0 { start|stop|status|restart }"
        exit 1
        ;;
esac
rc_exit
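As an added example (not code from the post above, and not SUSE's own chkconfig/insserv), the following shell script shows in miniature what the last two steps of the reply do: it reads the "### BEGIN INIT INFO" header of an init script, copies the script into init.d, and creates the S<nn>/K<nn> symlinks in the rc<N>.d directories listed under Default-Start and Default-Stop. Everything in it is an assumption of the example: ROOT is a scratch directory that stands in for "/" so nothing under the real /etc is touched, PRIO is a fixed priority of 50 (the real insserv derives the order from Required-Start), and the function names lsb_field, install_initscript and enabled_runlevels are the example's own.

```sh
#!/bin/sh
# Added example, not from the forum post: a dependency-free sketch of what
# "chkconfig -a <filename>" does on SUSE, so the effect on rc<N>.d can be
# inspected before touching a real system.
# Assumptions: ROOT stands in for "/" (defaults to a scratch directory) and
# PRIO is a fixed start priority; insserv would order by Required-Start.

ROOT="${ROOT:-$(mktemp -d)}"
PRIO="${PRIO:-50}"

# lsb_field <script> <field>: print the value of "# <field>:" inside the
# LSB header block; prints nothing when the header or the field is absent.
lsb_field() {
    sed -n -e '/^### BEGIN INIT INFO/,/^### END INIT INFO/{' \
           -e "s/^# $2:[[:space:]]*//p" -e '}' "$1"
}

# install_initscript <script>: copy the script into $ROOT/etc/init.d, make
# it executable and link it into the runlevel directories from its header.
install_initscript() {
    script="$1"
    name=$(basename "$script")
    initd="$ROOT/etc/init.d"
    start=$(lsb_field "$script" Default-Start)
    stop=$(lsb_field "$script" Default-Stop)
    # a script without a usable LSB header cannot be placed in the boot order
    [ -n "$start" ] || { echo "$script: no Default-Start in LSB header" >&2; return 1; }
    mkdir -p "$initd"
    cp "$script" "$initd/$name" && chmod 755 "$initd/$name"
    # S links: the script is started when entering these runlevels
    for lvl in $start; do
        mkdir -p "$initd/rc$lvl.d"
        ln -sf "../$name" "$initd/rc$lvl.d/S$PRIO$name"
    done
    # K links: stopped when entering these runlevels; the complementary
    # priority makes the stop order the mirror image of the start order
    kprio=$((100 - PRIO))
    for lvl in $stop; do
        mkdir -p "$initd/rc$lvl.d"
        ln -sf "../$name" "$initd/rc$lvl.d/K$kprio$name"
    done
}

# enabled_runlevels <name>: print one line per runlevel that has an S link
# for <name>, i.e. the runlevels in which the script is started at boot.
enabled_runlevels() {
    for link in "$ROOT"/etc/init.d/rc?.d/S[0-9][0-9]"$1"; do
        [ -L "$link" ] || continue
        echo "$link" | sed 's|.*/rc\(.\)\.d/.*|\1|'
    done
}

# Usage: install_initscript /path/to/script; enabled_runlevels script
```

Running enabled_runlevels afterwards is the quick check for the question asked in the opening post: if a runlevel is missing from its output, no S link exists there and the script will not run when the system boots into that runlevel.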