
Author Topic: Applying iptables rule at startup  (Read 4896 times)

Offline Ellus

  • Newbie
  • *
  • Posts: 11
Applying iptables rule at startup
« on: January 21, 2012, 01:34:11 PM »
Hello there,

I installed iptables and made it "on boot"; now I need to apply a rule and make it persistent.
For example: sudo iptables -P INPUT DROP.

I tried to add "/usr/bin/sudo /usr/local/sbin/iptables - P INPUT DROP" to bootlocal.sh but it hangs every time before the desktop appears.
Where is the mistake here?

Thanks in advance for your help.
« Last Edit: January 21, 2012, 01:36:36 PM by bassam »

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11213
Re: Applying iptables rule at startup
« Reply #1 on: January 21, 2012, 01:46:27 PM »
Hi bassam
You don't need to use  sudo  in bootlocal.sh, and you should not need to specify the path to run
iptables. Maybe it's hanging because your network isn't up yet?

Offline Ellus

  • Newbie
  • *
  • Posts: 11
Re: Applying iptables rule at startup
« Reply #2 on: January 21, 2012, 02:21:36 PM »
To be honest, I have no idea whether the network is up or not when it stops; the only thing it shows is a movable "X pointer" and a black screen.

Edit: I disabled the desktop at startup, and now my rule does apply... I don't know what the relation between iptables and X is.
« Last Edit: January 21, 2012, 02:45:56 PM by bassam »

Offline hiro

  • Hero Member
  • *****
  • Posts: 1217
Re: Applying iptables rule at startup
« Reply #3 on: January 21, 2012, 02:52:05 PM »
You should never use iptables - P INPUT DROP (e.g. you need to have a working loopback connection for most things to work).

Instead explicitly specify the NIC for which you want to block all input.
« Last Edit: January 21, 2012, 02:53:53 PM by hiro »

Offline Ellus

  • Newbie
  • *
  • Posts: 11
Re: Applying iptables rule at startup
« Reply #4 on: January 21, 2012, 03:10:47 PM »
OK, the INPUT DROP rule was for testing only, so I tried "iptables -INPUT -i eth0 -p tcp -j ACCEPT" and it works fine.
Now I move further with my iptables rules.

Thanks a lot Hiro for your help.

Offline Guy

  • Hero Member
  • *****
  • Posts: 1089
Re: Applying iptables rule at startup
« Reply #5 on: January 21, 2012, 09:04:09 PM »
To run iptables, it needs to be installed and in onboot.

To start the basic firewall each time Tinycore is started, add

Quote
/usr/local/sbin/basic-firewall

or

Quote
/usr/local/sbin/basic-firewall noprompt

to /opt/bootlocal.sh.

The basic firewall is a simple firewall which should suit most home users with a single computer connected to the internet.

To see the iptables setup, open the terminal and type

Quote
sudo iptables -vL

or

Quote
sudo iptables -vnL

If you are happy with the setup, use it as it is.


However, there may be some people who want to use different iptables rules, for example, those with a network connected to the internet.

I suggest these people modify the file which writes the iptables rules each time the computer is started, and make a new extension with the modified file.

I am not running tinycore at the moment, and can't remember exactly where the file is, but look in /tmp/tcloop/iptables. It may be in one of iptables' dependencies. You can read the file with a text editor.

There is an example of making a new extension here.

http://wiki.tinycorelinux.net/wiki:printer_setup_using_cups

If anyone can give the exact path to the file to modify, please share.
Many people see what is. Some people see what can be, and make a difference.

Offline Ellus

  • Newbie
  • *
  • Posts: 11
Re: Applying iptables rule at startup
« Reply #6 on: January 21, 2012, 10:13:02 PM »
Thanks Guy,
I found the basic-firewall rules in /tmp/tcloop/iptables/usr/local/sbin/basic-firewall... So are you suggesting to modify the file "basic-firewall" and then "squashfs" to have a new iptables extension with the modified rules? Or to have a "setting extension" to restore that modified file only?

- Isn't it easier to copy the content of that file, modify it as per your need, then save it for example in "persistent opt" /opt/myfirewall.sh and add a new line to bootlocal.sh to run it every time at startup?
« Last Edit: January 21, 2012, 10:55:41 PM by bassam »

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11213
Re: Applying iptables rule at startup
« Reply #7 on: January 21, 2012, 10:39:18 PM »
Hi bassam
Quote
- Isn't it easier to copy the content of that file, modify it as per your need, then save it for example in "persistent opt" /opt/myfirewall.sh and add a new line to bootlocal.sh to run it every time at startup?
You could do that.
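
The approach the thread converges on (a per-interface rule set kept in a script under /opt and called from bootlocal.sh, without sudo), sketched as an added example that is not code from any poster or from the basic-firewall script. The file name /opt/myfirewall.sh comes from the thread; the `IPT` and `WAN_IF` variables, the `apply` argument and the rule set itself are assumptions.

```shell
#!/bin/sh
# /opt/myfirewall.sh -- added example, not the Tiny Core basic-firewall script.
# bootlocal.sh already runs as root, so no sudo is used here.

# Command used to install rules. Overridable so the rule set can be
# reviewed as a dry run: IPT="echo iptables" prints instead of applying.
IPT="${IPT:-iptables}"
# External interface to filter (assumption: eth0, as used in the thread).
WAN_IF="${WAN_IF:-eth0}"

apply_rules() {
    # $1 = interface whose inbound traffic should be blocked
    # Start from an empty INPUT chain so a re-run does not duplicate rules.
    $IPT -F INPUT
    # Loopback is accepted first: local services talk to each other over
    # lo, which is what a bare "-P INPUT DROP" cuts off.
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections this machine opened are still allowed in.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Everything else arriving on the named NIC is dropped. The chain
    # policy is left alone, so only this interface is affected.
    $IPT -A INPUT -i "$1" -j DROP
}

case "${1:-}" in
    apply)
        # Line to add to /opt/bootlocal.sh:  /opt/myfirewall.sh apply
        apply_rules "$WAN_IF"
        ;;
    *)
        # Default: dry run, print the commands without touching netfilter.
        ( IPT="echo iptables"; apply_rules "$WAN_IF" )
        ;;
esac
```

Running the script with no argument prints the four commands for review; the result after boot can be checked with `sudo iptables -vnL` as described earlier in the thread.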