# Problem with iptables at boot-up

## nomind

Hello,

I've been experiencing a strange and rather annoying situation with my iptables rules. I had initially set the rules with Guarddog, and they worked fine. Problem is, even though I did an iptables-save, there seems to be something wrong with iptables upon a fresh boot. I can ping servers just fine, but I can't browse the web (progress bar gets stuck at "Connecting to ..." and after 30 sec or so says it can't reach the specified server). If I run Guarddog and apply the rules once again, it works perfectly. Hence, I'm forced to run Guarddog every single time I boot my computer.

Anyone have a clue what the problem could be?

Thanks a million

P.S: I'm using dhcpcd.

----------

## Centinul

I have the SAME EXACT problem except I don't use Guarddog, I just have a script that I wrote for iptables. I have to start the script every time the computer boots to get internet to work even though I did the iptables-save and iptables starts on boot.

----------

## nomind

Centinul, I suggest this only as a temporary solution, but you can put your script in the startup-script directory and do an rc-update (or cron, whatever floats your boat). I have temporarily mitigated my problem by rewriting my rules from scratch and removing those bloody extra chains, but I have to set the default OUTPUT policy to ACCEPT (don't know if this is a security issue or not). I have tried in vain to set the default policy to DROP, but that makes browsing impossible.

Anyway, power to you!

----------

## rtyall

*nomind wrote:*

> Hello,
> 
> I've been experiencing a strange and rather annoying situation with my iptables rules. I had initially set the rules with Guarddog, and they worked fine. Problem is, even though I did an iptables-save, there seems to be something wrong with iptables upon a fresh boot. I can ping servers just fine, but I can't browse the web (progress bar gets stuck at "Connecting to ..." and after 30 sec or so says it can't reach the specified server). If I run Guarddog and apply the rules once again, it works perfectly. Hence, I'm forced to run Guarddog every single time I boot my computer.
> 
> Anyone have a clue what the problem could be?
> ...
I've got exactly this problem, I used guarddog to set up the iptables and save the script. I've tried deleting the iptables configs, altered settings and removed zones in guarddog, etc.

I guess I'm gonna have to get rid of guarddog and just run iptables normally.

----------

## jpl888

Shorewall works well and is easy to setup (especially with webmin), maybe you should try that instead.

----------

## rtyall

Aye, I may well give it a try.

I do like using GUIs on my gentoo box however, as I'm using an old TV as the monitor so the resolution's a bit poor and viewing text is taxing on the eyes.

kmyfirewall looks nice and simple, so I think that's my next port of call.

Cheers.

----------

## jpl888

Yes, well, ahem, Webmin is a GUI, and you can configure more than just the firewall with it.

----------

## rtyall

It looks quite good, I'll have a go at that one then.

Thanks.

----------

## okram

Just in case others still come across this problem. I also experienced it, and found in other threads and by googling that the /etc/rc.firewall script that is automatically created by Guarddog contains not just the rules that you can save with /etc/init.d/iptables save or iptables save (those contained in /var/lib/iptables/rules-save), but also loads modules as necessary and performs other helpful magic. ($ less /etc/rc.firewall if you want to check the details...)

There are of course many ways of running this script at boot-up. In Gentoo, one (I believe quite elegant) way of doing this is to edit the postup function in /etc/conf.d/net as follows:

```
postup() {
        # Run /etc/rc.firewall to activate the Guarddog rules every time a network interface is brought up.
        . /etc/rc.firewall
        return 0
}
```

Hope this helps.

Edit: If you use the Guarddog-generated script it will start iptables itself. Remove the (now redundant) /etc/init.d/iptables script from the relevant runlevels, e.g.

```
rc-update del iptables default wifi
```

----------

## nomind

@ okram: Dude, you're 1337! That IS elegant, and it works like a charm too. Thanks a lot!

@ other helpful posters: I've tried shorewall already, and I must say it gave me nightmares back during my Mandrake 10.0 days (back when it was still called "Mandrake", but that's not too long ago!). As far as kmyfirewall is concerned, it's really nice, but still no match for Guarddog IMO. I recall emerging Webmin a while back, and 'slocate webmin' shows a service in my '/etc/init.d' folder but nothing that suggests a graphical front-end (maybe I need to emerge that separately, but I'm boneheaded that way).

Thanks to everyone for the suggestions, I'm glad this annoying issue has finally been settled.

----------

## Centinul

After all this time I finally found what the actual problem was and found the correct solution too. I was messing with my firewall the other day and come to find out that every time it booted up it set ip_forward=0 by default. I had to re-run my script in order to reset ip_forward=1. Come to find out there is a file where all these settings can be configured. It is /etc/sysctl.conf. This file contains a line right at the beginning for ip_forward. I set that to 1, rebooted and VOILA, my firewall worked without having to use the script. I was so pleased. I'm just putting my solution here so anyone else with issues can read it. Hope this helps. It makes me really happy!!!!
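The thread turns up two distinct reasons a saved ruleset misbehaves after a fresh boot: a DROP policy saved without the stateful allow for return traffic that a GUI like Guarddog normally adds (nomind's OUTPUT DROP problem above), and a sysctl such as net.ipv4.ip_forward that the rules file cannot carry (Centinul's fix). The following script is an added example, not code from the thread or from Guarddog; it reads an `iptables-save` dump and a sysctl.conf-style file from paths you pass in, so it can be run against a constructed sample (embedded below) or against the real files after boot. Helper names are hypothetical.

```sh
#!/bin/sh
# Boot-time firewall sanity check (added example; hypothetical helper names).

# Default policy of chain $2 in an iptables-save dump $1, from lines like ":OUTPUT DROP [0:0]".
chain_policy() {
    awk -v c="$2" '$1 == (":" c) { print $2; exit }' "$1"
}

# True when dump $1 has a stateful allow for return traffic on chain $2.
has_state_rule() {
    grep -Eq -- "^-A $2 .*(ESTABLISHED|RELATED)" "$1"
}

# True when sysctl config $1 sets net.ipv4.ip_forward = 1 (last assignment wins).
sysctl_ip_forward() {
    awk -F= '/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=/ { v = $2; gsub(/[[:space:]]/, "", v) }
             END { exit (v == "1") ? 0 : 1 }' "$1"
}

# Run all checks; print each problem and return the number of problems found.
check_firewall_state() {
    rules="$1"; sysctl_conf="$2"; problems=0
    for chain in INPUT OUTPUT; do
        if [ "$(chain_policy "$rules" "$chain")" = DROP ] && ! has_state_rule "$rules" "$chain"; then
            echo "$chain policy is DROP with no ESTABLISHED/RELATED rule: replies will be dropped"
            problems=$((problems + 1))
        fi
    done
    if ! sysctl_ip_forward "$sysctl_conf"; then
        echo "net.ipv4.ip_forward is not set to 1 in $sysctl_conf"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample: a DROP-everything ruleset whose OUTPUT chain lacks the state rule,
# plus a sysctl.conf that leaves forwarding off. Both live in a temp dir.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/rules-save" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
COMMIT
EOF
printf 'net.ipv4.ip_forward = 0\n' > "$SAMPLE_DIR/sysctl.conf"
check_firewall_state "$SAMPLE_DIR/rules-save" "$SAMPLE_DIR/sysctl.conf" || echo "problems found: $?"
```

On a live Gentoo box the same checks run as `check_firewall_state /var/lib/iptables/rules-save /etc/sysctl.conf` right after boot, before re-running any GUI or script.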

----------

## dan_aka_jack

Great work. Thanks loads for coming back and reporting your findings.

----------