Re: /etc/init.d/iptables
Hi:
On Tue, Aug 11, 2009 at 12:21 AM, Ivan Shmakov<oneingray@gmail.com> wrote:
> FWIW, I've ended up using the init.d/ script below. The script
> is expected to run prior to ifupdown, so assuming the symbolic
> link to the latter is at /etc/rcS.d/S39ifupdown, this one needs
> to be symlinked at, say, /etc/rcS.d/S38iptables-is.sh
I apparently used /etc/network/if-pre-up.d (I can't remember the
reasoning why, but I guess it's useful to make sure you load the rules
prior to bringing the interfaces up, which means the rules will be
there once network connectivity is brought up)
A long time ago I wrote a blog article on the subject
http://www.debian-administration.org/article/Restoring_iptables_Automatically_On_Boot
Perhaps more interesting than that article is the discussion that
happened in the comments.
Hope this helps :-)
>
> The script is designed to be run from within the rcS.d sequence,
> and before ifupdown, so that it won't be:
>
> * run after some (all) interfaces are already up and insecure --
> the thing that happens if one sets the iptables up from within
> the /etc/network/interfaces pre-up or post-up options;
>
> * run several times at some (possibly random; consider, e. g.,
> hotplug devices) points of time, ruining the current firewall
> state along the way -- as it happens when one puts the script
> into /etc/network/if-up.d/ or /etc/network/if-pre-up.d/.
>
> The script does not try to save the firewall state at `stop' --
> one surely wants /not/ for some accident mistake made into the
> current state of the remote (as in ``several hundreds kilometers
> away'') host firewall to persist across reboots.
Agreed! That's the same approach I took with my blog article.
>
> To summarize: the script runs just once, loading the firewall
> state before any of the interfaces are brought up. Since then,
> it does nothing.
>
> The location of the configuration file could be set via the
> default/ file (it's ok for it to be absent), like:
>
> $ cat /etc/default/iptables-is
> IPTABLES_CONF=/etc/network/iptables-my.conf
> $
>
> The configuration file is expected to be the output of
> iptables-save(8). The current state could be saved like:
>
> # iptables-save > /etc/network/iptables.conf
> #
>
> $ cat iptables-is.sh
> #!/bin/sh
> ### BEGIN INIT INFO
> # Provides: iptables-is
> # Required-Start: mountkernfs
> # Required-Stop:
> # Default-Start: S
> # Default-Stop:
> # Short-Description: Load the iptables configuration from the conf. file.
> # X-Start-Before: ifupdown
> ### END INIT INFO
>
> ## NB: This script should be `start'ed before `ifupdown'. It makes no
> ## sense to stop it at any time.
>
> set -e
>
> IPTABLES_RESTORE=/sbin/iptables-restore
> test -x "$IPTABLES_RESTORE" || exit 0
>
> . /lib/lsb/init-functions
>
> MYNAME="${0##*/}"
> PATH=/sbin:/bin
> test -r /etc/default/iptables-is && . /etc/default/iptables-is
> : ${IPTABLES_CONF:=/etc/network/iptables.conf}
>
> ## NB: should probably support `status' as well.
>
> case "$1" in
> (start | restart | force-reload)
> exitcode=0
> log_begin_msg "Restoring IP tables..."
> if ! "$IPTABLES_RESTORE" < "$IPTABLES_CONF" ; then
> log_action_cont_msg "(failed)"
> exitcode=2
> fi
> log_end_msg "$exitcode"
> exit "$exitcode"
> ;;
>
> (stop)
> exit 0
> ;;
>
> (*)
> echo "Usage: $0 {start|stop|restart|force-reload}" >&2
> exit 3
> ;;
> esac
>
> ### iptables-is.sh ends here
> $
>
> --
> FSF associate member #7257
>
>
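A pre-flight check that fits the approach both posts take (rules loaded once, before ifupdown, from iptables-save output). This is an added example, not code from either message: a POSIX shell function, `check_iptables_conf`, that an init script could call before `iptables-restore` to reject a truncated or hand-edited configuration file instead of loading it; it needs only awk, so it runs unprivileged.

```shell
#!/bin/sh
# Added example: sanity-check a file produced by iptables-save(8) before an
# init script hands it to iptables-restore. It verifies that every "*table"
# block is closed by COMMIT and that the filter table declares a policy for
# each built-in chain, so a half-written file is refused rather than applied
# before the interfaces come up. Function name and checks are this example's
# own choices, not part of the original script.

# check_iptables_conf FILE
# Returns 0 if FILE looks like complete iptables-save output, 1 otherwise,
# printing the reason to stderr.
check_iptables_conf() {
    awk '
        /^#/ || /^$/ { next }                     # comments and blank lines
        /^\*/ {                                   # "*filter", "*nat", ...
            if (table != "") { err = "table " table " has no COMMIT"; exit 1 }
            table = substr($1, 2); next
        }
        /^COMMIT$/ {
            if (table == "") { err = "COMMIT outside of a table"; exit 1 }
            committed[table] = 1; table = ""; next
        }
        /^:/ {                                    # ":INPUT DROP [0:0]"
            if (table == "") { err = "chain line outside of a table"; exit 1 }
            if (table == "filter" && $2 != "-") policy[$1] = $2
            next
        }
        /^-/ {                                    # "-A INPUT ..." rule lines
            if (table == "") { err = "rule outside of a table"; exit 1 }
            next
        }
        { err = "unrecognised line: " $0; exit 1 }
        END {
            if (err == "" && table != "") err = "table " table " has no COMMIT"
            if (err == "" && !committed["filter"]) err = "no filter table"
            n = split(":INPUT :FORWARD :OUTPUT", chains, " ")
            for (i = 1; err == "" && i <= n; i++)
                if (!(chains[i] in policy))
                    err = "filter chain " chains[i] " has no policy"
            if (err != "") { print err > "/dev/stderr"; exit 1 }
            exit 0
        }
    ' "$1"
}

# Usage when run directly: check_iptables_conf.sh /etc/network/iptables.conf
if [ "$#" -eq 1 ]; then
    check_iptables_conf "$1"
fi
```

In an init script the call would sit just before the `iptables-restore` line, so a rejected file yields the same "(failed)" path and exit code 2 instead of a partial load.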