Author Topic: Iptables question  (Read 819 times)
chthon
Newbie
*
Posts: 18


« on: 19 February 2011, 05:38:50 pm »

I'm trying to set up my system such that when it reboots (intentionally or not) my webserver starts running again without my intervention. I'm running my Guruplug Standard as an ethernet client. As things are set up currently, when I reboot, port 80 (on which Apache is set up to listen) is not open to connections.

Code:
chris@plug:~$ sudo iptables -L
[sudo] password for chris:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-ssh  tcp  --  anywhere             anywhere            multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere           
So I have to run
Code:
sudo iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
and then restart Apache before I can start serving pages.
I would have thought that all I need to do to make sure that port 80 is opened on a reboot is to edit /root/init_setup.sh so it contains the line
Code:
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
but this doesn't work.  I've tried also
Code:
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
Any suggestions for how I can make sure port 80 stays open on reboot? Thanks.
Logged
Confusticated
New IT customer
Hero Member
*
Posts: 510


« Reply #1 on: 19 February 2011, 09:12:51 pm »

Are you remembering to also add the Apache restart to the script?
Check to make sure nothing else is changing the tables after '/root/init_setup.sh' has been run (what added fail2ban-ssh?).
« Last Edit: 19 February 2011, 09:22:06 pm by Confusticated » Logged

Advocatus Diaboli - My agenda is not to give you the answer, but to guide your thoughts so you derive it for yourself!
chthon
Newbie
*
Posts: 18


« Reply #2 on: 19 February 2011, 09:30:41 pm »

The Apache restart is what I was missing. Thanks so much.  It works!

[I'm not sure why though. Does iptables -L only show a port as open if there is a service listening on it? If so, presumably Apache is started on boot before /root/init_setup.sh is run. It finds port 80 closed and stops; /root/init_setup.sh is called subsequently, opens up port 80 and then you need to restart Apache afterwards in /root/init_setup.sh.]
Logged
Confusticated
New IT customer
Hero Member
*
Posts: 510


« Reply #3 on: 19 February 2011, 10:17:01 pm »

Globalscale did not set the plug up correctly to begin with; you have inherited a mess. Your (many people's) whole setup is flawed.
Keeping system modules\firmware\startup scripts in /root/ breaks conventions (and inter-system compatibility/operability).

The iptables listing you posted blocks nothing?!? There is no (current) requirement for your iptables rule if the listing given is the correct one.
'iptables -L' only lists the tables, it knows nothing of services or ports (see 'netstat' for that).
Port 80 must be 'closed', or Apache will not be able to 'open' it (iptables does not open or close ports, be careful of terminology).

Apache is most likely failing to start (the apache log would be the place to look).
Logged

Advocatus Diaboli - My agenda is not to give you the answer, but to guide your thoughts so you derive it for yourself!
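
The distinction drawn in the reply above (rules listed by `iptables -L` versus listening sockets shown by `netstat`), as an added example that is not part of the original thread: it parses the listing from the first post and a constructed `netstat -tln` sample. The function names `filter_verdict` and `listening_on` are hypothetical, and as a simplifying assumption only DROP and REJECT targets in the filter table count as blocking.

```shell
#!/bin/sh
# Added example: firewall rules and listening sockets are separate questions.

# `iptables -L` text copied from the first post of the thread.
THREAD_RULES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  anywhere             anywhere            multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere'

# Constructed `netstat -tln` sample: sshd is up, nothing is bound to port 80.
SAMPLE_SOCKETS='Proto Recv-Q Send-Q Local Address   Foreign Address State
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN'

# Reads `iptables -L` text; follows jumps from chain $1 looking for DROP/REJECT.
filter_verdict() {
  awk -v start="$1" '
    function blocks(c,   i, t) {
      if (visited[c]++) return 0
      for (i = 1; i <= n[c]; i++) {
        t = tgt[c, i]
        if (t == "DROP" || t == "REJECT" || ((t in seen) && blocks(t))) return 1
      }
      return 0
    }
    /^Chain / { cur = $2; seen[cur] = 1
                if ($3 == "(policy") { policy[cur] = $4; sub(/\)/, "", policy[cur]) }
                next }
    /^target/ || NF == 0 { next }
    { tgt[cur, ++n[cur]] = $1 }
    END { bad = ((start in policy) && policy[start] != "ACCEPT") || blocks(start)
          print (bad ? "may-block" : "accept-all") }'
}

# Reads `netstat -tln` text; reports whether any TCP socket listens on port $1.
listening_on() {
  awk -v port="$1" '
    $1 ~ /^tcp/ && $NF == "LISTEN" { k = split($4, a, ":"); if (a[k] == port) up = 1 }
    END { print (up ? "listening" : "not-listening") }'
}

echo "INPUT chain: $(printf '%s\n' "$THREAD_RULES" | filter_verdict INPUT)"
echo "port 80:     $(printf '%s\n' "$SAMPLE_SOCKETS" | listening_on 80)"
```

On a live system the same functions can be fed from `sudo iptables -L` and `netstat -tln`; an "accept-all" verdict together with "not-listening" points at the service rather than the firewall.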
chthon
Newbie
*
Posts: 18


« Reply #4 on: 19 February 2011, 11:40:13 pm »

Grrrr! I feel so stupid. Now you tell me, it is obvious that my iptables rules basically allow all connections.  I really must actually READ the output of commands rather than jump to conclusions.
Not restarting Apache properly must be the problem, not iptables rules. Apache is set to run at startup (I checked using the rcconf tool) so not sure why I need to restart it in init_setup.sh but there you go. Thanks for clarifying.
Logged