Delaying Iptable rules (MASQUERADE) until eth0 is UP

[Ellus]

Hello there,

I created IPtables (including MASQUERADE) rules and saved it in a script to get it executed on startup by adding its record to bootlocal.sh.
Now the Internet interface eth0 is not getting up until I execute : 

Code: [Select]

sudo ifconfig eth0 up, only then all works fine.
P.S: eth0 getting up ok when I start the machine without the IPtables rules script.
I think IPtables script  execution should be delayed until etho is up ( something like putting it in /etc/network/if-up.d/ in Debian ).
Please, let me know how to do that in TLC?

Code: [Select]

# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT


# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth1 -o eth1 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

[curaga]

Put a sleep before it in bootlocal.sh, or poll for the network state, many other ways.

[Ellus]

Thank you

[gerald_clark]

CentOS starts iptables before starting the network.
This is to ensure that there is no period during startup that there is no firewall in effect.
I would recommend you do the same.

[hiro]

Can anybody explain why the NIC is not getting up after these rules (I use the same on my router btw ) ?

[Ellus]

Can anybody explain why the NIC is not getting up after these rules (I use the same on my router btw ) ?

Hi Hiro,
As you can see from the code below I've changed the place of (echo 1 > /proc/sys/net/ipv4/ip_forward) to be before IPtables rules.
It's working now just fine, I don't know whether this could be the reason or something else.
Let me know please once you try it.

Code: [Select]

#!/bin/sh
# Begin basic-firewall
#
# This is a very basic firewall for normal users.
# It blocks all incoming traffic, allows all outgoing,
# and only allows incoming stuff when you started it (ie browsing)

# Insert connection-tracking modules
modprobe -q iptable_nat
modprobe -q nf_conntrack_ipv4
modprobe -q nf_conntrack_ftp
modprobe -q ipt_LOG

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# be verbose on dynamic ip-addresses  (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT


# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth0 -o eth1 -j REJECT


[hiro]

I'm just interested, not affected.

It could be a bug in tinycore.
Would you please look at the /etc/init.d/dhcp.sh file and try it one line at a time, especially the ifconfig $DEVICE | grep -q "inet addr" line.

[Ellus]

I'm just interested, not affected.

It could be a bug in tinycore.
Would you please look at the /etc/init.d/dhcp.sh file and try it one line at a time, especially the ifconfig $DEVICE | grep -q "inet addr" line.

Out of about 18 reboots 4 times eth0 did not get up, but if you wait for 2-3 minutes it gets up on its own and then gets an IP.
The dhcpc part of dhcp.sh keeps pending until  eth0 gets up then it gets an IP as 

Code: [Select]

ifconfig $DEVICE | grep -q "inet addr" returns 1..
I hope my interpretation of the whole process is correct

[hiro]

Then I still don't understand why the place of echo 1 > /proc/sys/net/ipv4/ip_forward should be in any way related to that problem.

[Ellus]

Then I still don't understand why the place of echo 1 > /proc/sys/net/ipv4/ip_forward should be in any way related to that problem.

If we both understand my last post then obviously it has nothing to do with it