[SOLVED] Cant modify iptables

[JakeR]

Hi

I have created a rpm file that modifies the /etc/sysconfig/iptables when installed (add rules to block internet for all users except one.). It works well.

I include this rpm-file in my kickstart file, but no changes in /etc/sysconfig/iptables are made. When I boot up on the live iso I find my modified iptables-file in /etc/sysconfig/iptables.old.

How do I make changes in /etc/sysconfig/iptables from a kickstart file (livecd-creator)?

[AndrewSerk]

Hello,
The approach you used is probably a better choice than what I have posted below. I suspect the issue you are seeing is a result of you rpm installing before iptables installs. You could add iptables as a dependency for your rpm in your spec file so that iptables must be installed first

Code:

%post
cat >> /etc/rc.d/init.d/livesys << EOF_livesys

# setup firewall
rm /etc/sysconfig/iptables
touch /etc/sysconfig/iptables

cat >> /etc/sysconfig/iptables << EOF_iptables
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth+ -j MASQUERADE
-A POSTROUTING -o ippp+ -j MASQUERADE
-A POSTROUTING -o isdn+ -j MASQUERADE
-A POSTROUTING -o ppp+ -j MASQUERADE
-A POSTROUTING -o tun+ -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j DROP
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j DROP
-A INPUT -p icmp -m icmp --icmp-type echo-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j DROP
-A INPUT -p icmp -m icmp --icmp-type redirect -j DROP
-A INPUT -p icmp -m icmp --icmp-type router-advertisement -j DROP
-A INPUT -p icmp -m icmp --icmp-type router-solicitation -j DROP
-A INPUT -p icmp -m icmp --icmp-type source-quench -j DROP
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j DROP
-A INPUT -p icmp -j DROP
-A INPUT -i lo -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type destination-unreachable -j DROP
-A FORWARD -p icmp -m icmp --icmp-type echo-reply -j DROP
-A FORWARD -p icmp -m icmp --icmp-type echo-request -j DROP
-A FORWARD -p icmp -m icmp --icmp-type parameter-problem -j DROP
-A FORWARD -p icmp -m icmp --icmp-type redirect -j DROP
-A FORWARD -p icmp -m icmp --icmp-type router-advertisement -j DROP
-A FORWARD -p icmp -m icmp --icmp-type router-solicitation -j DROP
-A FORWARD -p icmp -m icmp --icmp-type source-quench -j DROP
-A FORWARD -p icmp -m icmp --icmp-type time-exceeded -j DROP
-A FORWARD -p icmp -j DROP
-A FORWARD -i lo -j DROP
-A FORWARD -o eth+ -j DROP
-A FORWARD -o ippp+ -j DROP
-A FORWARD -o isdn+ -j DROP
-A FORWARD -o ppp+ -j DROP
-A FORWARD -o tun+ -j DROP
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
EOF_iptables
 EOF_livesys

EDIT:
You should add a chmod for iptables above EOF_livesys

[JakeR]

Quote:

Originally Posted by AndrewSerk

Hello,
The approach you used is probably a better choice than what I have posted below. I suspect the issue you are seeing is a result of you rpm installing before iptables installs. You could add iptables as a dependency for your rpm in your spec file so that iptables must be installed first

Thanks!

I have created a fork of the system-config-firewall package and changed the default rules in src/fw_iptables.py.

[AndrewSerk]

Very nice! I like your approach.