Re: /etc/init.d/iptables



>>>>> Kinglok, FONG <busywater@gmail.com> writes:
>>>>> Ivan Shmakov <oneingray@gmail.com> wrote:
>>>>> Kinglok, FONG <busywater@gmail.com> writes:
>>>>> Jonathan Yu <jonathan.i.yu@gmail.com> wrote:

 >> Thank you Jonathan for writing the nice blog article and it works.
 >> But it requires some customization in Debian Lenny.

 >> For some reason, the script in /etc/network/if-pre-up.d/ doesn't
 >> load up by default.

 > Did you set the execute permission on the script?

 > # chmod +x /etc/network/if-pre-up.d/SCRIPTNAMEHERE

 > Sure.  However, Lenny doesn't load the scripts.

	Sounds like Debian Bug#540123?

http://bugs.debian.org/540123

 >>> I apparently used /etc/network/if-pre-up.d (I can't remember the
 >>> reasoning why, but I guess it's useful to make sure you load the
 >>> rules prior to bringing the interfaces up, which means the rules
 >>> will be there once network connectivity is brought up)

 >> You have to explicitly call it from /etc/network/interfaces like:

 >> auto eth0
 >> iface eth0 inet static
[...]
 >>         pre-up /etc/network/if-pre-up.d/iptables

 > It somewhat defeats its advantage of /not/ having it mentioned
 > for each of the host's interfaces.

 > In my case, the gateway got three NICs, one for internet, one for DMZ
 > and one for LAN inside.  Loading the iptables once is enough for all.

	Yes.

 > So, one instance of

 > pre-up /etc/network/if-pre-up.d/iptables

 > is enough.

	The point here is that it doesn't feel quite The Right Way, at
	least to me.

	First of all, the `pre-up' command is going to be run prior to
	bringing this particular interface up.  Other interfaces may get
	set up earlier, and won't be protected with the firewall until a
	bit later.

	Second, it makes the configuration somewhat fragile.  Consider,
	e. g., that the administrator, for whatever reason, removes the
	interface referencing the iptables script from the `auto' list,
	like:

- auto eth0 eth1 eth2 .. ethN-1 ethN ethN+1 ...
+ auto eth0 eth1 eth2 .. ethN-1 ethN+1 ...
  iface eth0 inet static
      ...
  iface eth1 inet static
      ...
  iface eth2 inet static
      ...
  iface ethN inet static
      ...
      pre-up /whatever/iptables
  ...

	This change, while having nothing to do with the pre-up option,
	effectively disables the firewall for /all/ the interfaces, which
	may be surprising.

	While this particular case is probably of minor importance, the
	particular mind pattern behind it seems to me harmful.

-- 
FSF associate member #7257
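One way to get the behaviour the thread is after, as an added example that is not code from this thread or from Jonathan's article: a hook placed in /etc/network/if-pre-up.d/ itself, so that ifupdown runs it for every interface (it exports IFACE and MODE to such hooks) and no per-interface `pre-up' line is needed; the ruleset then loads when the first interface, normally lo, is brought up, and a later edit to the `auto' list cannot silently drop it. It assumes the hooks actually run (the Lenny bug above aside), that the rules were saved with iptables-save, and placeholder paths for the ruleset and the boot-time stamp file.

```shell
#!/bin/sh
# Added example (not from the thread): /etc/network/if-pre-up.d/ hook that loads
# a saved iptables ruleset once per boot, whichever interface ifup handles first.
# ifupdown runs every executable in this directory for every interface and
# exports IFACE and MODE; nothing needs to be listed in /etc/network/interfaces.
# Assumptions: $RULES was written by iptables-save; $STAMP lives on a tmpfs
# (/run) so it vanishes at reboot. Both paths are placeholders.

RULES="${RULES:-/etc/iptables/rules.v4}"
STAMP="${STAMP:-/run/iptables-loaded}"
RESTORE="${RESTORE:-iptables-restore}"   # overridable so the logic can be tested

# Return 0 when this run should load the rules: an ifup ("start") of any
# interface and nothing loaded yet in this boot. ifdown runs the hook too.
need_load() {
    [ "${MODE:-start}" = "start" ] || return 1
    [ ! -e "$STAMP" ] || return 1
    return 0
}

# Load the whole ruleset atomically. A missing ruleset or a failed restore
# returns non-zero, which makes ifup abort this interface instead of bringing
# it up unfiltered (fail closed rather than silently running without a firewall).
load_rules() {
    need_load || return 0
    if [ ! -r "$RULES" ]; then
        logger -t iptables "ruleset $RULES missing; not bringing up ${IFACE:-?}" 2>/dev/null
        return 1
    fi
    if ! "$RESTORE" < "$RULES"; then
        logger -t iptables "failed to load $RULES for ${IFACE:-?}" 2>/dev/null
        return 1
    fi
    : > "$STAMP"
}

# Only act when invoked by ifupdown (which exports IFACE); sourcing the file
# elsewhere just defines the functions.
if [ -n "${IFACE:-}" ]; then
    load_rules
fi
```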
