
Re: /etc/init.d/iptables



	FWIW, I've ended up using the init.d/ script below.  The script
	is expected to run prior to ifupdown, so assuming the symbolic
	link to the latter is at /etc/rcS.d/S39ifupdown, this one needs
	to be symlinked at, say, /etc/rcS.d/S38iptables-is.sh

	The script is designed to be run from within the rcS.d sequence,
	and before ifupdown, so that it won't be:

	* run after some (all) interfaces are already up and insecure --
	  the thing that happens if one sets the iptables up from within
	  the /etc/network/interfaces pre-up or post-up options;

	* run several times at some (possibly random; consider, e. g.,
	  hotplug devices) points of time, ruining the current firewall
	  state along the way -- as it happens when one puts the script
	  into /etc/network/if-up.d/ or /etc/network/if-pre-up.d/.

	The script does not try to save the firewall state at `stop' --
	one surely does /not/ want some accidental mistake made to the
	current state of the remote (as in ``several hundred kilometers
	away'') host's firewall to persist across reboots.

	To summarize: the script runs just once, loading the firewall
	state before any of the interfaces are brought up.  After that,
	it does nothing.

	The location of the configuration file can be set via the
	/etc/default/ file (it's OK for it to be absent), like:

$ cat /etc/default/iptables-is 
IPTABLES_CONF=/etc/network/iptables-my.conf
$ 

	The configuration file is expected to be the output of
	iptables-save(8).  The current state can be saved like:

# iptables-save > /etc/network/iptables.conf 
# 

$ cat iptables-is.sh 
#!/bin/sh
### BEGIN INIT INFO
# Provides:           iptables-is
# Required-Start:     mountkernfs
# Required-Stop:
# Default-Start:      S
# Default-Stop:
# Short-Description:  Load the iptables configuration from the conf. file.
# X-Start-Before:     ifupdown
### END INIT INFO

## NB: This script should be `start'ed before `ifupdown'.  It makes no
##     sense to stop it at any time.

set -e

IPTABLES_RESTORE=/sbin/iptables-restore
test -x "$IPTABLES_RESTORE" || exit 0

. /lib/lsb/init-functions

MYNAME="${0##*/}"
PATH=/sbin:/bin
test -r /etc/default/iptables-is && . /etc/default/iptables-is
: ${IPTABLES_CONF:=/etc/network/iptables.conf}

## NB: should probably support `status' as well.

case "$1" in
    (start | restart | force-reload)
        exitcode=0
        log_begin_msg "Restoring IP tables..."
        ## Report a missing or unreadable conf. file explicitly rather
        ## than letting the failed redirection speak for itself.
        if ! test -r "$IPTABLES_CONF" ; then
            log_action_cont_msg "($IPTABLES_CONF is missing or unreadable)"
            exitcode=1
        elif ! "$IPTABLES_RESTORE" < "$IPTABLES_CONF" ; then
            log_action_cont_msg "(failed)"
            exitcode=1
        fi
        ## NB: LSB reserves exit code 2 for "invalid or excess arguments";
        ##     a failed start is 1 ("generic or unspecified error").
        log_end_msg "$exitcode"
        exit "$exitcode"
        ;;

    (stop)
        exit 0
        ;;

    (*)
        echo "Usage: $0 {start|stop|restart|force-reload}" >&2
        exit 3
        ;;
esac

### iptables-is.sh ends here
$ 

-- 
FSF associate member #7257
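An added example, not part of the post above and not the poster's code: with the script in the post, a conf. file that iptables-restore cannot parse means the rules are simply not loaded and the boot continues, so the interfaces come up with the kernel's default ACCEPT policies on every built-in chain. On a host several hundred kilometers away that is worth catching before the reboot. The authoritative check is `iptables-restore --test` (`-t`) on a machine that has iptables; the lint below is a portable pre-check in POSIX shell and awk for the structural mistakes that creep in when an iptables-save(8) dump is edited by hand (a table not terminated by COMMIT, a rule appended to a chain that was never declared, a filter table without policies for its built-in chains). Both sample rulesets are constructed for the example; the function name `lint_iptables_save` and the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): a static lint for an
# iptables-save(8) dump, to be run before the file is installed as
# $IPTABLES_CONF and the host is rebooted.  Only POSIX sh and awk are
# used, so it also runs on a build host that has no iptables at all.

# lint_iptables_save [FILE]
# Reads FILE (or stdin when no argument is given).  Returns 0 if the
# dump is structurally sound, 1 otherwise; problems go to stderr.
lint_iptables_save() {
    awk '
    function fail(msg) {
        printf("%s:%d: %s\n", FILENAME, NR, msg) > "/dev/stderr"
        bad = 1
    }
    /^#/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^\*/ {                              # "*filter": start of a table
        if (table != "") fail("table " table " not terminated by COMMIT")
        table = substr($0, 2)
        if (table in seen) fail("table " table " declared twice")
        seen[table] = 1
        split("", chains)                # portable way to empty the array
        next
    }
    /^COMMIT$/ {
        if (table == "") fail("COMMIT outside a table")
        table = ""
        next
    }
    table == "" { fail("line outside a table: " $0); next }
    /^:/ {                               # ":INPUT DROP [0:0]" / ":mine - [0:0]"
        name = substr($1, 2)
        if (name in chains) fail("chain " name " declared twice in " table)
        chains[name] = 1
        if (table == "filter" && $2 != "-") policy[name] = $2
        next
    }
    /^-A / {                             # "-A CHAIN <rule>"
        if (!($2 in chains)) fail("rule appended to undeclared chain " $2)
        next
    }
    { fail("unrecognised line: " $0) }
    END {
        if (table != "") fail("table " table " not terminated by COMMIT")
        if (!("filter" in seen))
            fail("no *filter table: host would boot with no filtering")
        else {
            n = split("INPUT FORWARD OUTPUT", builtin, " ")
            for (i = 1; i <= n; i++)
                if (!(builtin[i] in policy))
                    fail("filter: no policy for built-in chain " builtin[i])
        }
        exit bad                         # unset => 0
    }' "${1:--}"
}

# Constructed sample: a minimal default-deny ruleset in the shape
# iptables-save(8) emits (assumption: a real file will be larger).
sample_good() {
    cat <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ssh-in - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ssh-in
-A ssh-in -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Constructed sample with two typical hand-editing mistakes: the
# ":ssh-in - [0:0]" declaration was dropped, and the COMMIT is missing.
sample_bad() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ssh-in
-A ssh-in -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# lint_sample FUNC: feed the named sample through the lint; the
# pipeline's status is the lint's status.
lint_sample() {
    "$1" | lint_iptables_save
}

# Stand-alone use: lint the file named on the command line, or run the
# two samples as a self-check.
if [ -n "${1:-}" ]; then
    lint_iptables_save "$1"
else
    lint_sample sample_good && echo "good sample: accepted"
    lint_sample sample_bad || echo "bad sample: rejected (as expected)"
fi
```

Run it as `sh lint-ruleset.sh /etc/network/iptables.conf` before rebooting; a non-zero status means do not reboot yet. It deliberately does not try to validate match or target extensions (`-m conntrack`, `-j MASQUERADE`, ...), since that needs the real iptables-restore and its modules, which is exactly what `iptables-restore --test` is for.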

