{"id":383,"date":"2010-09-21T19:28:43","date_gmt":"2010-09-21T23:28:43","guid":{"rendered":"http:\/\/www.xavignu.com\/?p=383"},"modified":"2010-09-25T05:58:50","modified_gmt":"2010-09-25T09:58:50","slug":"restoring-iptables-when-box-reboots","status":"publish","type":"post","link":"https:\/\/www.xavignu.com\/?p=383","title":{"rendered":"Restoring IPtables when box reboots"},"content":{"rendered":"

Todays post is also going to be short.
\nI have a VPS server running and the other day they had to reboot my host because of maintenance. Things is I lost my running iptables<\/a> when the box was rebooted. So how do we get this fixed? You can create a script and us update-rc.d<\/a> and make it run on the default runlevel. However, we are going to do it different. We will use \/etc\/network\/interfaces and iptables-restore.
\n
\nWe first make a backup of the running iptables setup.<\/p>\n

\r\nserver:~# iptables-save > \/etc\/iptables \r\n<\/pre>\n
We now check configuration was saved.<\/p>\n
\r\nserver:~# cat \/etc\/iptables \r\n# Generated by iptables-save v1.4.2 on Tue Sep 21 19:09:48 2010\r\n*security\r\n:INPUT ACCEPT [1296:124154]\r\n:FORWARD ACCEPT [0:0]\r\n:OUTPUT ACCEPT [1011:120172]\r\nCOMMIT\r\n# Completed on Tue Sep 21 19:09:48 2010\r\n# Generated by iptables-save v1.4.2 on Tue Sep 21 19:09:48 2010\r\n*raw\r\n:PREROUTING ACCEPT [1296:124154]\r\n:OUTPUT ACCEPT [1011:120172]\r\nCOMMIT\r\n# Completed on Tue Sep 21 19:09:48 2010\r\n# Generated by iptables-save v1.4.2 on Tue Sep 21 19:09:48 2010\r\n*nat\r\n:PREROUTING ACCEPT [29:2270]\r\n:POSTROUTING ACCEPT [131:9748]\r\n:OUTPUT ACCEPT [131:9748]\r\nCOMMIT\r\n# Completed on Tue Sep 21 19:09:48 2010\r\n# Generated by iptables-save v1.4.2 on Tue Sep 21 19:09:48 2010\r\n*mangle\r\n:PREROUTING ACCEPT [1296:124154]\r\n:INPUT ACCEPT [1296:124154]\r\n:FORWARD ACCEPT [0:0]\r\n:OUTPUT ACCEPT [1011:120172]\r\n:POSTROUTING ACCEPT [1011:120172]\r\nCOMMIT\r\n# Completed on Tue Sep 21 19:09:48 2010\r\n# Generated by iptables-save v1.4.2 on Tue Sep 21 19:09:48 2010\r\n*filter\r\n:INPUT ACCEPT [1296:124154]\r\n:FORWARD ACCEPT [0:0]\r\n:OUTPUT ACCEPT [1011:120172]\r\n-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource \r\n-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j DROP \r\nCOMMIT\r\n# Completed on Tue Sep 21 19:09:48 2010\r\nserver:~# \r\n<\/pre>\n
Previous configuration was very simple. It’s made to basically block brute ssh attacks.
\nNow we need to modify \/etc\/network\/interfaces to make is run after interface is configured. Add the following in \/etc\/network\/interfaces.<\/p>\n
\r\npost-up iptables-restore < \/etc\/iptables\r\n<\/pre>\n
This addition will make iptables configuration take effect when box reboots and networking is configured. Below is the proof.<\/p>\n
\r\nserver:~# iptables -F; iptables -L; date ; \/etc\/init.d\/networking restart; iptables -L; date\r\nChain INPUT (policy ACCEPT)\r\ntarget     prot opt source               destination         \r\n\r\nChain FORWARD (policy ACCEPT)\r\ntarget     prot opt source               destination         \r\n\r\nChain OUTPUT (policy ACCEPT)\r\ntarget     prot opt source               destination         \r\nmar sep 21 19:15:37 EDT 2010\r\nReconfiguring network interfaces...SIOCDELRT: No such process\r\nif-up.d\/mountnfs[eth0]: waiting for interface eth0:1 before doing NFS mounts (warning).\r\ndone.\r\nChain INPUT (policy ACCEPT)\r\ntarget     prot opt source               destination         \r\n           tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW recent: SET name: SSH side: source \r\nDROP       tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW recent: UPDATE seconds: 60 \r\n\hit_count: 4 TTL-Match name: SSH side: source \r\n\r\nChain FORWARD (policy ACCEPT)\r\ntarget     prot opt source               destination         \r\n\r\nChain OUTPUT (policy ACCEPT)\r\ntarget     prot opt source               destination         \r\nmar sep 21 19:15:37 EDT 2010\r\nserver:~# \r\n<\/pre>\n
We clean all iptables rules and restart networking. We see iptables rules take effect after restart. This is it, no more for today. Suggestions are always welcome. \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"
Todays post is also going to be short. I have a VPS server running and the other day they had to reboot my host because of maintenance. Things is I lost my running iptables when the box was rebooted. So how do we get this fixed? You can create a script and us update-rc.d and […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[3],"tags":[4,6,23,70],"jetpack_featured_media_url":"","jetpack_publicize_connections":[],"jetpack_shortlink":"https:\/\/wp.me\/pTQgt-6b","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/posts\/383"}],"collection":[{"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=383"}],"version-history":[{"count":0,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/posts\/383\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.xavignu.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=383"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=383"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=383"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}