iptables startup script for Kimsufi / OVH

The command service iptables save does not seem to work on Kimsufi and OVH dedicated servers.

OVH has a help page for this; it all boils down to creating an init.d startup script.

Here is a basic script, which accepts inbound connections on only a single TCP port, for SSH (the script below uses 4711; port 22 is the sshd default).

#!/bin/sh
# chkconfig: 3 21 91
# description: Firewall

IPT=/sbin/iptables

case "$1" in
start)
    # Flush old rules, old custom chains
    $IPT --flush
    $IPT --delete-chain

    # Set default policies for all three default chains
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Enable free use of loopback interfaces
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # All TCP sessions should begin with SYN
    $IPT -A INPUT -p tcp ! --syn -m state --state NEW -s 0.0.0.0/0 -j DROP

    # Accept inbound TCP packets of established sessions, plus new
    # connections to the SSH port (4711 here; use 22 if sshd listens on the default)
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 4711 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT

    # Accept inbound ICMP messages (echo request, time exceeded)
    $IPT -A INPUT -p ICMP --icmp-type 8 -s 0.0.0.0/0 -j ACCEPT
    $IPT -A INPUT -p ICMP --icmp-type 11 -s 0.0.0.0/0 -j ACCEPT
    exit 0
    ;;

stop)
    # Reset the INPUT policy before flushing: flushing alone would leave the
    # DROP policy in force with no ACCEPT rules and lock you out of the box
    $IPT -P INPUT ACCEPT
    $IPT -F INPUT
    exit 0
    ;;
*)
    echo "Usage: /etc/init.d/iptables-config {start|stop}"
    exit 1
    ;;
esac

Save this script as iptables-config (no file extension).

Now we will copy the script to /etc/init.d and enable automatic startup of the script at boot. Finally, a reboot:

cp iptables-config /etc/init.d/iptables-config
chmod 700 /etc/init.d/iptables-config
chkconfig iptables-config on
service iptables-config start
shutdown -r now

Now run:

iptables -L

After the reboot the iptables chains should no longer be empty.
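Eyeballing iptables -L is easy to get wrong. As an added example, not part of the original post, here is a small POSIX shell check that turns that inspection into a pass/fail test of what the script is meant to install: INPUT and FORWARD policies DROP, loopback and established traffic accepted, and exactly one TCP port accepting NEW connections. The iptables -S samples are constructed, and check_ruleset is a name chosen here.

```shell
#!/bin/sh
# Added example (not part of the original post): check an `iptables -S` dump
# against what the startup script is meant to install, turning the post-reboot
# "iptables -L" inspection into a pass/fail test.
# check_ruleset RULES PORT -> 0 if RULES matches the script's intent, else 1
#   RULES: text of `iptables -S` for the filter table
#   PORT:  the single TCP port allowed to accept NEW connections
check_ruleset() {
    rules=$1; port=$2; ok=0
    printf '%s\n' "$rules" | grep -q '^-P INPUT DROP$'   || { echo "FAIL: INPUT policy not DROP"; ok=1; }
    printf '%s\n' "$rules" | grep -q '^-P FORWARD DROP$' || { echo "FAIL: FORWARD policy not DROP"; ok=1; }
    printf '%s\n' "$rules" | grep -- '-A INPUT -i lo ' | grep -q -- '-j ACCEPT' \
        || { echo "FAIL: loopback not accepted"; ok=1; }
    printf '%s\n' "$rules" | grep -- '-A INPUT ' | grep ESTABLISHED | grep -q -- '-j ACCEPT' \
        || { echo "FAIL: no ESTABLISHED/RELATED accept rule, replies would be dropped"; ok=1; }
    # Every INPUT rule that ACCEPTs NEW TCP connections must be for $port,
    # and $port itself must be among them
    open=$(printf '%s\n' "$rules" | grep -- '-A INPUT ' | grep -- '--state NEW' \
           | grep -- '-j ACCEPT' | sed -n 's/.*--dport \([0-9]*\).*/\1/p')
    for p in $open; do
        [ "$p" = "$port" ] || { echo "FAIL: unexpected open TCP port $p"; ok=1; }
    done
    printf '%s\n' "$open" | grep -qx "$port" || { echo "FAIL: port $port not open"; ok=1; }
    return $ok
}

# Constructed sample of what `iptables -S` prints once the script has run
SAMPLE_OK='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4711 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT'

# Constructed drifted ruleset: INPUT policy back at ACCEPT, extra port opened by hand
SAMPLE_BAD='-P INPUT ACCEPT
-P FORWARD DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4711 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -m state --state NEW -j ACCEPT'

# On a live server: check_ruleset "$(iptables -S)" 4711
check_ruleset "$SAMPLE_OK" 4711 && echo "sample ruleset: OK"
check_ruleset "$SAMPLE_BAD" 4711 || echo "drifted ruleset: rejected as expected"
```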

Great success!

PS. The rules were generated with the excellent Mista.nu Iptables script generator (link now defunct).
