Relationship of Firestarter to iptables

[jsmaye]

I'm using the Firestarter GUI app, which I thought to be merely a frontend for iptables. Except for the fact the Firestarter doesn't seem to accurately reflect the status of iptables. Using Firestarter to start the firewall creates a a different set of rules than if I use the 'service iptables start' or the 'Service Configuration' GUI. Also, stopping and starting iptables from the command line or service configuration causes errors

iptables failed. The error was: Flushing firewall rules: [ OK ] Setting chains to policy ACCEPT: nat mangle filter [ OK ] Unloading iptables modules: [FAILED]

but the firewall stops and clears the rule set anyway per iptables -L .

What am i misunderstanding?

[AndyGreen]

"service iptables" has its own private stash of firewall rules that it keeps stored away somewhere. It does not know about Firestarter and therefore they totally conflict.

The key to understanding this is to know that netfilter/iptables is in the kernel, it is not actually a service that starts and stops, it's always up. The init.d/ script that allows "service iptables" is in fact a simple script that removes all your rules from iptables on "stop", and nukes any rules and reloads them from its secret stash on "start". service iptables save updates the secret stash with the current ruleset.

So if you use Firestarter, I guess you want to turn off the "iptables service" stuff

chkconfig iptables off

[Tashiro]

Firestarter controls the iptables. If you change, remove or add a rule with firestarter the iptables rules change directly. Firestarter is a GUI for the iptables with some nice features.

If I am wrong please correct me.

Tashiro

Edit: mmm on second thought I think I am wrong...

[Tashiro]

But I still don't fully understand why...

Tashiro

[AndyGreen]

There's two kinds of thing called "iptables" around.

The first is the netfilter code in the kernel itself which does the filtering and routing of packets. That is always up, and you can set the rules for it using the /sbin/iptables program.

The second, confusing "iptables" is a script in /etc/rc.d/init.d/iptables. If you look in the script, you'll see that it is a "service" type interface that uses /sbin/iptables to set and delete rules in a wholesale manner. If you do service iptables start, it nukes all the existing netfilter rules and copies the ones from /etc/sysconfig/iptables in, using the /sbin/iptables program. When you do service iptables stop, it nukes all the rules, again using the /sbin/iptables program. service iptables save dumps the current ruleset for netfilter into /etc/sysconfig/iptables so on the next start you'll have the current rules set.

[Dr_Strangelove]

Correct me if I'm wrong here...

Firestarter just bypasses the /etc/rc.d/init.d/iptables script by using its own configuration tools/script to control the /sbin/iptables program when making a set of rules. However it still uses the kernels netfilter code.. Right?

[w5set]

/sbin/iptables to me looks like a service/daemon (it's an executable file) that parses the network packets according to the "table" setup.
I do know that firestarter shuts down the FC "iptables service" when it runs and has it's own process to do the same thing--except that firestarter tables are reconfigurable on the fly with the GUI.

[Jman]

Yes firestarter is a replacement of the iptables service.

[AndyGreen]

Yep Strangelove that matches my understanding.