Re: /etc/init.d/iptables
FWIW, I've ended up using the init.d/ script below. The script
is expected to run prior to ifupdown, so assuming the symbolic
link to the latter is at /etc/rcS.d/S39ifupdown, this one needs
to be symlinked at, say, /etc/rcS.d/S38iptables-is.sh.
The script is designed to be run from within the rcS.d sequence,
and before ifupdown, so that it won't be:
* run after some (all) interfaces are already up and insecure --
the thing that happens if one sets the iptables up from within
the /etc/network/interfaces pre-up or post-up options;
* run several times at some (possibly random; consider, e.g.,
hotplug devices) points in time, ruining the current firewall
state along the way -- as happens when one puts the script
into /etc/network/if-up.d/ or /etc/network/if-pre-up.d/.
The script does not try to save the firewall state at `stop' --
one surely does /not/ want some accidental mistake made to the
current state of the remote (as in ``several hundred kilometers
away'') host's firewall to persist across reboots.
To summarize: the script runs just once, loading the firewall
state before any of the interfaces are brought up. Since then,
it does nothing.
The location of the configuration file could be set via the
default/ file (it's ok for it to be absent), like:
$ cat /etc/default/iptables-is
IPTABLES_CONF=/etc/network/iptables-my.conf
$
The configuration file is expected to be the output of
iptables-save(8). The current state could be saved like:
# iptables-save > /etc/network/iptables.conf
#
$ cat iptables-is.sh
#!/bin/sh
### BEGIN INIT INFO
# Provides:          iptables-is
# Required-Start:    mountkernfs
# Required-Stop:
# Default-Start:     S
# Default-Stop:
# Short-Description: Load the iptables configuration from the conf. file.
# X-Start-Before:    ifupdown
### END INIT INFO
## NB: This script should be `start'ed before `ifupdown'.  It makes no
## sense to stop it at any time.
set -e

IPTABLES_RESTORE=/sbin/iptables-restore
## Nothing to do on a host without iptables: exit quietly, as LSB asks.
test -x "$IPTABLES_RESTORE" || exit 0

. /lib/lsb/init-functions

MYNAME="${0##*/}"
PATH=/sbin:/bin

## Optional override of the configuration file location; the
## default/ file may be absent.
test -r /etc/default/iptables-is && . /etc/default/iptables-is
: ${IPTABLES_CONF:=/etc/network/iptables.conf}

## NB: should probably support `status' as well.
case "$1" in
    (start | restart | force-reload)
        exitcode=0
        log_begin_msg "Restoring IP tables..."
        ## iptables-restore replaces the whole ruleset with the saved
        ## one; a missing or malformed file is reported and makes
        ## `start' fail with LSB status 2.
        if ! "$IPTABLES_RESTORE" < "$IPTABLES_CONF" ; then
            log_action_cont_msg "(failed)"
            exitcode=2
        fi
        log_end_msg "$exitcode"
        exit "$exitcode"
        ;;
    (stop)
        ## Deliberately no save of the running state (see above).
        exit 0
        ;;
    (*)
        echo "Usage: $0 {start|stop|restart|force-reload}" >&2
        exit 3
        ;;
esac
### iptables-is.sh ends here
$
--
FSF associate member #7257
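As an added example (not from the original post, nor part of Debian's ifupdown or iptables), a POSIX sh script that checks the two things the setup above relies on before rebooting a remote host: that the rcS.d link for iptables-is sorts strictly before ifupdown's, and that the saved ruleset file has the shape of a complete iptables-save dump (every `*table` block closed by COMMIT). The names check_order and check_conf and the demo fixtures are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: pre-reboot checks for the
# iptables-is setup.  Function names and demo fixtures are assumptions.

# check_order DIR: succeed when DIR (an rcS.d directory) starts
# iptables-is strictly before ifupdown.  rcS.d links run in lexical
# order, so iptables-is needs a lower two-digit sequence number; at an
# equal number "ifupdown" sorts before "iptables-is" and would run first.
check_order() {
    fw=$(cd "$1" && ls | grep '^S[0-9][0-9]iptables-is' | head -n 1)
    net=$(cd "$1" && ls | grep '^S[0-9][0-9]ifupdown' | head -n 1)
    [ -n "$fw" ] && [ -n "$net" ] || return 1
    [ "$(printf '%s' "$fw" | cut -c2-3)" -lt \
      "$(printf '%s' "$net" | cut -c2-3)" ]
}

# check_conf FILE: succeed when FILE is readable and looks like an
# iptables-save dump: one or more "*table" blocks, each closed by COMMIT,
# with no rule lines outside a block.  Comments and blank lines are ignored.
check_conf() {
    [ -r "$1" ] || return 1
    awk '
        /^#/ || /^[ \t]*$/ { next }
        /^\*/        { if (open) bad = 1; open = 1; tables++; next }
        /^COMMIT$/   { if (!open) bad = 1; open = 0; commits++; next }
        !open        { bad = 1 }
        END { exit (bad || open || tables == 0 || tables != commits) }
    ' "$1"
}

# Constructed demo: a fake rcS.d with the link names from the post and a
# minimal iptables-save dump; prints "ok" when both checks pass.
demo() {
    d=$(mktemp -d)
    mkdir "$d/rcS.d"
    : > "$d/rcS.d/S38iptables-is.sh"
    : > "$d/rcS.d/S39ifupdown"
    printf '*filter\n:INPUT DROP [0:0]\n-A INPUT -i lo -j ACCEPT\nCOMMIT\n' \
        > "$d/iptables.conf"
    if check_order "$d/rcS.d" && check_conf "$d/iptables.conf"; then
        echo "ok: iptables-is runs before ifupdown and the dump is complete"
    else
        echo "NOT ok: fix this before rebooting a remote host"
    fi
    rm -r "$d"
}

demo
```

On the host itself, `iptables-restore --test < "$IPTABLES_CONF"` additionally parses the ruleset with the real tool without committing it.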