CRAB server firewall.iptables now fixed, so it will restart without a reboot.

For those of you familiar with my Linux server, y’all know that I run many custom BASH, Perl, and Python scripts.  We are going to discuss today my iptables firewall script, or actually the fact that I took the time to repair it.   Since upgrading the server to Fedora 20 in September 2014, my firewall script would start fine, but would choke on restarting, reloading, or running it over itself.  The end result would be that the server would sever all ports with the outside, effectively taking it down, needing a reboot to get it back online.  This was a real PITA, since I couldn’t really make any changes to the firewall without reboot.  I thought it was an end result of the OS changing from SysV init scripts to a systemd system.  How wrong I was….  The cause was simply a typo that I made while adding a feature, and a ‘done’ without a ‘while’ and a ‘fi’ without an ‘if’ stopped the script from accepting the restart and reload argument.  Most of the iptables rulesets were created before this typo, so it gave the ‘appearance’ that it was working properly.  Debugging a script of this size is a fairly daunting task, as the main firewall script is a healthy 50 pages, and its configuration file (one of a half dozen helper files) is about 7 pages long.  Since I’ve had a few questions about this firewall, I’ll share it with everybody…..
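The failure mode described above comes from the way bash reads a script: it parses and executes one command at a time, so a stray `done` or `fi` late in the file is only noticed after everything before it has already run. On a firewall script that means the flush and default-DROP policy go in, and the restart/reload branch that would have reopened the ports never executes. The following is an added example, not the author's firewall.iptables script: two constructed stand-in scripts (one with an unmatched `done`, one corrected) in which `iptables` is a shell function that logs each call instead of touching the kernel, so it runs without root, plus a `bash -n` parse-only check that catches the typo before a single rule is applied.

```shell
#!/bin/sh
# Added example, not the author's firewall.iptables script. The inner
# scripts are constructed stand-ins: 'iptables' is a shell function that
# records the call in a log file, so nothing here needs root.

# Shared head of both stand-in scripts: flush, default policy, main rules.
script_head='#!/bin/bash
LOG="$2"
iptables() { echo "iptables $*" >> "$LOG"; }   # stub for the demo

iptables -F
iptables -P INPUT DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
'

# Shared tail: the start/restart/reload dispatch that the typo kept unreachable.
script_tail='
case "$1" in
    start|restart|reload) iptables -A INPUT -p tcp --dport 22 -j ACCEPT ;;
    *) echo "usage: $0 {start|restart|reload} LOGFILE" >&2; exit 1 ;;
esac
'

# Version with the typo: a 'done' that closes no loop. bash parses a file
# one command at a time, so every command in script_head runs first and
# the shell only aborts when it reaches the stray keyword.
make_broken_script() {
    printf '%s\n%s\n%s' "$script_head" 'done' "$script_tail" > "$1"
}

# Corrected version: the 'done' belongs to a real loop over service ports.
make_fixed_script() {
    loop='for port in 80 443; do
    iptables -A INPUT -p tcp --dport "$port" -j ACCEPT
done'
    printf '%s\n%s\n%s' "$script_head" "$loop" "$script_tail" > "$1"
}

# Parse-only check: non-zero on a syntax error, and nothing is executed.
# Run this before every restart so a typo cannot take the box offline.
syntax_ok() {
    bash -n "$1"
}

# Run a stand-in script with one argument; the rules it "applied" land in $3.
apply_rules() {
    : > "$3"
    bash "$1" "$2" "$3"
}

# Number of rules a run got through before it finished or died.
rule_count() {
    wc -l < "$1" | tr -d ' '
}

demo() {
    dir=$(mktemp -d)
    make_broken_script "$dir/broken.sh"
    make_fixed_script "$dir/fixed.sh"
    for f in broken fixed; do
        if syntax_ok "$dir/$f.sh" 2>/dev/null; then
            echo "$f.sh: bash -n passes"
        else
            echo "$f.sh: bash -n reports a syntax error, nothing applied"
        fi
        if apply_rules "$dir/$f.sh" restart "$dir/$f.log" 2>/dev/null; then
            echo "$f.sh restart: finished, $(rule_count "$dir/$f.log") rules applied"
        else
            echo "$f.sh restart: aborted after $(rule_count "$dir/$f.log") rules (flushed, policy DROP, ssh never opened)"
        fi
    done
    rm -rf "$dir"
}
demo
```

Running the block prints the contrast: the broken script fails `bash -n` and, when actually run, gets three rules in (flush, DROP policy, conntrack) before dying on `done`, which is the lockout the post describes; the fixed script passes the parse check and applies all six. Adding `bash -n "$0" || exit 1` near the top of a real firewall script gives the same protection, because `bash -n` reads the whole file rather than stopping at the first command.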

Download links are only viewable to logged-in users.  All the other helper files, as well as these, are available upon request.  If you are a logged-in user and downloading these files, remove the .txt extension from the config and main files….

This is the screen information if the VERBOSE variable is set to 1.


This is the configuration file that allows for easy firewall config.


This is the MAIN iptables firewall script that should be run at start.


All in all, it was a fairly productive week off.  I have a few other minor syntax errors to chase down, but the firewall is operating within normal parameters…..
