# Iptables script making and startup

## TMD3

Okay, I have this little iptables command that is supposed to block all incoming connections that I do not initiate and let me connect to everything. Something like that, I hope. It is:

/sbin/iptables -A INPUT -p tcp --syn -j DROP

Okay, the question is: how do I incorporate that into a script, and how can I automatically start it when Gentoo boots up?

----------
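The rule in the opening post drops every inbound TCP SYN, which stops new TCP connections but says nothing about UDP or ICMP. The script below is an added example, not code from this thread, of the intent stated there ("block everything incoming that I did not initiate") done statefully: default policy DROP on INPUT, replies to this host's own connections let back in through conntrack, and a single exposed service. The LAN range in SSH_FROM, the use of iptables-restore format and the `--test` dry run (iptables 1.6 or newer) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): a stateful "allow what I initiate,
# drop everything else" ruleset emitted in iptables-restore format.
# Assumptions: SSH_FROM is the LAN range allowed to reach sshd (hypothetical),
# and iptables-restore is present when the rules are applied.

SSH_FROM="${SSH_FROM:-192.168.1.0/24}"   # assumed LAN; adjust to your network

# Emit the ruleset as text. iptables-restore swaps the whole table in one
# atomic step, so there is no window where only half the rules are loaded,
# unlike appending them one -A at a time from a script.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic is always fine
-A INPUT -i lo -j ACCEPT
# replies to connections this host started (TCP, UDP and ICMP alike)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# malformed or out-of-state packets never reach an ACCEPT rule
-A INPUT -m conntrack --ctstate INVALID -j DROP
# the one service we expose, and only to the LAN
-A INPUT -p tcp --dport 22 -s ${SSH_FROM} -m conntrack --ctstate NEW -j ACCEPT
# keep the box pingable so it can be diagnosed
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Number of -A rules in the generated set; a cheap sanity check before loading.
rule_count() {
    build_rules | grep -c '^-A '
}

# Load the ruleset. Refuses to run unprivileged and parses with --test first,
# so a syntax error leaves the currently loaded table untouched.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must be root" >&2
        return 1
    fi
    build_rules | iptables-restore --test && build_rules | iptables-restore
}

# Running the file directly prints the ruleset; source it to call apply_rules.
build_rules
```

Save the output to a file (for instance `/etc/firewall/rules`) and load it with `iptables-restore < /etc/firewall/rules`; that file is what a boot-time service script can restore before any interface exists, because it contains only literal addresses and needs no DNS.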

## snoopey

Add it to your /etc/conf.d/local.start script.

----------

## autoxv6

Or you could make your own script in /etc/init.d, run rc-update add myscript default, and then it will start every time too, without cluttering your local script. Read the howto on the main gentoo.org site.

----------

## ProGuy

Such firewall scripts should actually be started as close as possible to the actual bringing up of the network device. The best thing (if possible) would be to have everything blocked the moment the device goes up, and then run a script which opens the necessary ports (on trusted LANs this could just open up everything).

It would indeed be nice to have a firewall script located in /etc/conf.d or /etc/security, or even to have a firewall directory which runs each script in it, like /etc/firewall.d.

Am I completely wrong in desiring such a feature?

----------

## autoxv6

You're absolutely correct.

Make all your service scripts need the firewall script, like I've done. :Smile:

----------

## ProGuy

*autoxv6 wrote:*

> Make all your service scripts need the firewall script, like I've done.

Hehe, I never thought about that.

But still, it would be nice to have a native way of doing it, since network security is very important, even (or maybe especially) for small servers.

The question is whether someone is developing this already, or whether I should just try to make a suggestion on how this can be achieved (and get beaten to death because it's a lousy way :Wink: ).

----------

## Crg

*ProGuy wrote:*

> Such firewall scripts should actually be started as close as possible to the actual bringing up of the network device.

The iptables rules can actually be loaded before the network device is up, so you should run your firewall script before any network devices are brought up (it's a bit tricky if the firewall relies on DNS entries, or, in my case, on reading a list of IP addresses to block from a remote website: http://www.spews.org/packetreject.html).

----------
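Pulling the last three posts together: an OpenRC service script that restores the ruleset from a file and declares `before net`, so it is in place before the first interface comes up (Crg's point) and every network service is ordered after it without each one having to `need` it (autoxv6's trick). This is an added example, not code from the thread or from Gentoo; the path /etc/firewall/rules and the service name `firewall` are hypothetical, and the shebang assumes a current OpenRC (`/sbin/openrc-run`; the interpreter at the time of the thread was /sbin/runscript). Gentoo's net-firewall/iptables package now ships its own /etc/init.d/iptables that restores /var/lib/iptables/rules-save, which does essentially what the hand-written version below shows.

```shell
#!/bin/sh
# Added example (not from the thread): generate a Gentoo OpenRC service
# script that loads a saved iptables ruleset before any interface comes up.
# Assumptions: the ruleset lives at /etc/firewall/rules in iptables-restore
# format (hypothetical path), and OpenRC provides /sbin/openrc-run.

# Write the service script to "$1/firewall" (pass /etc/init.d for a real
# install) and mark it executable, which rc-update requires.
write_init_script() {
    _dir="$1"
    cat > "${_dir}/firewall" <<'EOF'
#!/sbin/openrc-run
# Stateful packet filter: load the saved ruleset before networking.

description="iptables packet filter"
RULES="${RULES:-/etc/firewall/rules}"

depend() {
    # Start before the virtual "net" service that the net.* interface
    # scripts provide, so the filter exists before the first link is up.
    # The rules file holds only literal addresses; nothing here needs DNS,
    # which is what makes starting ahead of the network safe.
    before net
}

start() {
    ebegin "Loading firewall rules from ${RULES}"
    iptables-restore < "${RULES}"
    eend $?
}

stop() {
    # Stopping the service opens the host completely; anywhere other than
    # a trusted LAN, prefer "rc-service firewall restart" to a plain stop.
    ebegin "Flushing firewall rules (policy ACCEPT)"
    iptables -P INPUT ACCEPT && iptables -P FORWARD ACCEPT &&
        iptables -P OUTPUT ACCEPT && iptables -F && iptables -X
    eend $?
}
EOF
    chmod 0755 "${_dir}/firewall"
}

# True if a service script declares the "before net" ordering.
ordered_before_net() {
    grep -q '^[[:space:]]*before net' "$1"
}

# Demo: render the script into a scratch directory and show it.
# Real install: write_init_script /etc/init.d && rc-update add firewall boot
_tmp="$(mktemp -d)"
write_init_script "${_tmp}"
cat "${_tmp}/firewall"
ordered_before_net "${_tmp}/firewall" && echo "ok: ${_tmp}/firewall is ordered before net"
```

Enable it with `rc-update add firewall boot`; `default`, as autoxv6 suggests, also works when the interfaces sit in the default runlevel, since `before net` orders the two within a runlevel, while `boot` simply starts it earlier still. A ruleset that has to fetch a block list over the network, as Crg's does, cannot live in this script: move the download into a second service that starts after net and reloads the rules with iptables-restore once the list is on disk.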

