Re: proper place for iptables script
On Tuesday 28 July 2009 22:04:20 Rob Owens wrote:
> In the interest of learning new things, I'm moving from shorewall to plain
> old iptables. I've got my script made, but I'm not sure what the proper
> procedure is for starting it automatically at boot. Is there a "Debian
> way" to do this?
What I do, which is Debian-compatible (i.e. the package manager
won't break it) but may or may not be the Debian way, is to save
the config to a file with iptables-save, and then load it at
interface-start-time by putting a script in /etc/network/if-pre-up.d,
which uses "iptables-restore" to set the firewall from the file
you saved with iptables-save.
One advantage of this is that you can make changes by editing
the saved file (it's a simple plain-text file), and implement
your changes just by cycling the network device, i.e. you don't
have to do a full reboot just for a firewall edit.
I recall reading an argument for why starting the firewall at boot is
both different and worse than starting it at interface-start-time,
but I didn't really understand it. I'm personally kind of pedantic,
and find the "network things happen when the network changes state"
thing aesthetically pleasing, and enjoy the small practical advantage
I already mentioned.
Andrew Reid / firstname.lastname@example.org
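The procedure the reply describes, as an added example that is not part of the original message: a POSIX sh script for /etc/network/if-pre-up.d that loads a ruleset saved with iptables-save. The rules path /etc/iptables.rules and the sample ruleset are assumptions; IFACE is the variable ifupdown exports to these scripts.

```shell
#!/bin/sh
# Added example, not from the original thread: a /etc/network/if-pre-up.d/
# script that loads rules saved with iptables-save, as the reply describes.
# ifupdown exports IFACE to these scripts. RULES_FILE is an assumed path.
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"
# Constructed sample in iptables-save format: default-deny INPUT, allow
# loopback, established traffic and SSH. Each *table ends with COMMIT.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Reject a missing, truncated or half-edited file before it reaches
# iptables-restore: every *table header must be matched by a COMMIT.
check_rules_file() {
    f="$1"
    [ -r "$f" ] || return 1
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT' "$f" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# ifupdown runs if-pre-up.d for every interface, including lo; restoring
# once per interface is harmless but noisy, so skip loopback.
should_restore() {
    [ -n "$1" ] && [ "$1" != "lo" ]
}

restore_firewall() {
    if ! check_rules_file "$RULES_FILE"; then
        echo "$0: $RULES_FILE missing or malformed, firewall not loaded" >&2
        return 1
    fi
    # --test parses the file without committing; a syntax error leaves the current ruleset untouched.
    iptables-restore --test < "$RULES_FILE" && iptables-restore < "$RULES_FILE"
}

# Only act when invoked by ifupdown (IFACE set); otherwise just define functions.
if [ -n "${IFACE:-}" ] && should_restore "$IFACE"; then
    restore_firewall || exit 1
fi
```

After editing the saved file, cycling the interface with ifdown/ifup re-runs the script, which is the workflow the reply describes.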