
Author Topic: Delaying Iptable rules (MASQUERADE) until eth0 is UP  (Read 4779 times)

Offline Ellus

  • Newbie
  • *
  • Posts: 11
Delaying Iptable rules (MASQUERADE) until eth0 is UP
« on: February 06, 2012, 02:05:08 PM »
Hello there,

I created iptables rules (including MASQUERADE) and saved them in a script, which gets executed on startup by adding a line for it to bootlocal.sh.
Now the Internet interface eth0 does not come up until I execute:
Code:
sudo ifconfig eth0 up
Only then does everything work fine.
P.S.: eth0 comes up OK when I start the machine without the iptables rules script.
I think the iptables script execution should be delayed until eth0 is up (something like putting it in /etc/network/if-up.d/ on Debian).
Please let me know how to do that in TCL.

Code:
#!/bin/sh
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and those not coming from the outside
# (the negation goes before the option: "! -i", not "-i !")
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Don't forward from the outside (eth1) to the inside (eth0).
iptables -A FORWARD -i eth1 -o eth0 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
« Last Edit: February 06, 2012, 02:07:55 PM by Ellus »

Offline curaga

  • Administrator
  • Hero Member
  • *****
  • Posts: 10957
Re: Delaying Iptable rules (MASQUERADE) until eth0 is UP
« Reply #1 on: February 06, 2012, 11:28:38 PM »
Put a sleep before it in bootlocal.sh, or poll for the network state; there are many other ways.
The only barriers that can stop you are the ones you create yourself.

Offline Ellus

  • Newbie
  • *
  • Posts: 11
Re: Delaying Iptable rules (MASQUERADE) until eth0 is UP
« Reply #2 on: February 07, 2012, 11:40:50 AM »
Thank you

Offline gerald_clark

  • TinyCore Moderator
  • Hero Member
  • *****
  • Posts: 4254
Re: Delaying Iptable rules (MASQUERADE) until eth0 is UP
« Reply #3 on: February 07, 2012, 11:49:19 AM »
CentOS starts iptables before starting the network.
This is to ensure that there is no period during startup that there is no firewall in effect.
I would recommend you do the same.
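An added example, not code from the thread or from Tiny Core: a firewall script laid out the way gerald_clark describes, so that it can be called from bootlocal.sh before the network is started. The default policies go in first, so there is no window with no firewall in effect; iptables matches -i/-o by interface name at packet time and does not require the interface to exist when the rule is loaded, so the whole rule set can be installed while eth0 is still down. It assumes eth0 is the Internet side and eth1 the LAN side (as in the OP's description); the IPT, WAN and LAN variables and the "up"/"dry-run" arguments are my additions.

```shell
#!/bin/sh
# Added example (not from the thread): firewall that is safe to load before
# the network comes up. Assumptions: eth0 = Internet side, eth1 = LAN side.
IPT=${IPT:-iptables}   # set IPT=echo to print the rules instead of loading them
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}

# Step 1: default-deny policies first. A later "-F" flushes rules but keeps
# the policies, so from this point on nothing is accepted that is not
# explicitly allowed, even if the script is interrupted.
set_policies() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

flush_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -t mangle -F
    $IPT -X
}

# Step 2: the rules only reference interface *names*, so they load fine
# while eth0 does not exist yet and start matching as soon as it appears.
add_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state NEW ! -i "$WAN" -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    # With FORWARD policy DROP this REJECT is not needed for safety; it only
    # gives the outside sender an ICMP error instead of a silent timeout.
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -j REJECT
}

# Step 3: turn routing on last, so forwarding is never enabled without rules.
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

firewall_up() {
    set_policies && flush_rules && add_rules && enable_forwarding
}

# bootlocal.sh:  /opt/firewall.sh up      (hypothetical path)
# Without an argument the file only defines the functions (so it can be sourced).
case "${1:-}" in
    up)      firewall_up ;;
    dry-run) IPT=echo; set_policies; flush_rules; add_rules ;;
    *)       ;;
esac
```

Running it with "dry-run" prints every iptables argument list in the order it would be executed, which is a cheap way to review the rule set on a machine where you do not want to touch the live firewall.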

Offline hiro

  • Hero Member
  • *****
  • Posts: 1217
Re: Delaying Iptable rules (MASQUERADE) until eth0 is UP
« Reply #4 on: February 07, 2012, 02:55:23 PM »
Can anybody explain why the NIC is not getting up after these rules (I use the same on my router btw ;)) ?

Offline Ellus

  • Newbie
  • *
  • Posts: 11
Re: Delaying Iptable rules (MASQUERADE) until eth0 is UP
« Reply #5 on: February 08, 2012, 03:52:50 AM »
Quote from: hiro
Can anybody explain why the NIC is not getting up after these rules (I use the same on my router btw ;)) ?

Hi Hiro,
As you can see from the code below, I've moved (echo 1 > /proc/sys/net/ipv4/ip_forward) to before the iptables rules.
It's working fine now; I don't know whether this is the reason or something else.
Please let me know once you've tried it.

Code:
#!/bin/sh
# Begin basic-firewall
#
# This is a very basic firewall for normal users.
# It blocks all incoming traffic, allows all outgoing,
# and only allows incoming stuff when you started it (ie browsing)

# Insert connection-tracking modules
modprobe -q iptable_nat
modprobe -q nf_conntrack_ipv4
modprobe -q nf_conntrack_ftp
modprobe -q ipt_LOG

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# be verbose on dynamic ip-addresses  (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT


# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth0 -o eth1 -j REJECT

Offline hiro

  • Hero Member
  • *****
  • Posts: 1217
Re: Delaying Iptable rules (MASQUERADE) until eth0 is UP
« Reply #6 on: February 08, 2012, 04:04:17 AM »
I'm just interested, not affected.

It could be a bug in tinycore.
Would you please look at the /etc/init.d/dhcp.sh file and try it one line at a time, especially the ifconfig $DEVICE | grep -q "inet addr" line.

Offline Ellus

  • Newbie
  • *
  • Posts: 11
Re: Delaying Iptable rules (MASQUERADE) until eth0 is UP
« Reply #7 on: February 08, 2012, 08:36:12 AM »
Quote from: hiro
I'm just interested, not affected.

It could be a bug in tinycore.
Would you please look at the /etc/init.d/dhcp.sh file and try it one line at a time, especially the ifconfig $DEVICE | grep -q "inet addr" line.

Out of about 18 reboots, 4 times eth0 did not come up, but if you wait for 2-3 minutes it comes up on its own and then gets an IP.
The dhcpc part of dhcp.sh keeps waiting until eth0 comes up and then it gets an IP, as
Code:
ifconfig $DEVICE | grep -q "inet addr"
returns 1.
I hope my interpretation of the whole process is correct.
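An added example, not code from the thread or from Tiny Core, covering both curaga's "poll for the network state" suggestion in reply #1 and the dhcp.sh check discussed in the last two posts: a bootlocal.sh wrapper that polls the same ifconfig test until eth0 actually holds an address, with a timeout so a dead link cannot block boot forever. The wait_for and has_address helpers, the 180-second timeout and the /opt/firewall.sh path are my assumptions, as is the "inet addr" output format of busybox/net-tools ifconfig.

```shell
#!/bin/sh
# Added example (not from the thread): wait for an interface to get an address,
# then load the firewall. Assumptions: busybox/net-tools ifconfig prints
# "inet addr:", the rules live in a hypothetical /opt/firewall.sh.

# wait_for CHECK TIMEOUT [INTERVAL]
# Evaluate CHECK (a command or shell function call) every INTERVAL seconds
# (default 1) until it succeeds or TIMEOUT seconds have passed.
# Returns 0 when the check passed, 1 on timeout.
wait_for() {
    wf_check=$1
    wf_timeout=$2
    wf_interval=${3:-1}
    wf_elapsed=0
    while ! eval "$wf_check" >/dev/null 2>&1; do
        if [ "$wf_elapsed" -ge "$wf_timeout" ]; then
            return 1
        fi
        sleep "$wf_interval"
        wf_elapsed=$((wf_elapsed + wf_interval))
    done
    return 0
}

# has_address IFACE: the check from /etc/init.d/dhcp.sh. grep -q exits 1
# while the interface has no IPv4 address and 0 once DHCP has assigned one.
has_address() {
    ifconfig "$1" 2>/dev/null | grep -q "inet addr"
}

# bootlocal.sh:  /opt/wait-then-firewall.sh eth0 &
# (backgrounded, so a slow DHCP lease does not hold up the rest of boot).
# Without an argument the file only defines the functions above.
if [ -n "${1:-}" ]; then
    if wait_for "has_address $1" 180 2; then
        echo "$1 has an address, loading firewall rules"
    else
        # Fail closed: load the rules anyway. iptables rules that name an
        # interface do not need it to exist, so this is always safe.
        echo "$1 still has no address after 180 s, loading firewall rules anyway" >&2
    fi
    /opt/firewall.sh up   # hypothetical script holding the iptables rules
fi
```

Two things to check before relying on this: newer net-tools ifconfig prints "inet 10.0.0.2" without the "addr:" part, so on such a system the pattern has to be adjusted (or replaced by ip -4 addr show "$1" | grep -q inet), and the timeout branch deliberately still loads the rules, because a box with no firewall is worse than a box with a firewall and no uplink.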

Offline hiro

  • Hero Member
  • *****
  • Posts: 1217
Re: Delaying Iptable rules (MASQUERADE) until eth0 is UP
« Reply #8 on: February 08, 2012, 03:29:30 PM »
Then I still don't understand why the place of echo 1 > /proc/sys/net/ipv4/ip_forward should be in any way related to that problem.

Offline Ellus

  • Newbie
  • *
  • Posts: 11
Re: Delaying Iptable rules (MASQUERADE) until eth0 is UP
« Reply #9 on: February 08, 2012, 10:15:21 PM »
Quote from: hiro
Then I still don't understand why the place of echo 1 > /proc/sys/net/ipv4/ip_forward should be in any way related to that problem.

If we both understand my last post then obviously it has nothing to do with it ;)