
Re: /etc/init.d/iptables



Ivan Shmakov wrote:
> 
> 	Strangely, I cannot find where these directories are documented.
> 	Could you provide a pointer, please?

The 'interfaces' manpage contains some information about
/etc/network/if-*.d directories and exported variables. There are also
some examples in /usr/share/doc/ifupdown/examples/.

>>> ... Also, is there any good reason to change the firewall
>>> configuration as the interfaces are brought up and down at all?
>> 
>> Yes, when iptables rules need some parameters such as interface name,
>> address... which are variable.
> 
> 	Any particular example to consider?
> 
>> This is rather common for PPP interfaces.
> 
> 	Well, yes, though I'd consider using the `unit' pppd(8) option
> 	to fix the interface name once and for all.

"unit" is not always enough. An example is a PPP server which accepts
multiple clients simultaneously and gives each one a different address.
A script in /etc/ppp/ip-up.d/ can use the interface name and the remote
address to block IP spoofing by clients:

# drop forwarded packets from this client that do not carry its assigned address
iptables -A FORWARD -i "$PPP_IFACE" ! -s "$PPP_REMOTE" -j DROP

Another example is when an interface gets a dynamic address and you want
to create a DNAT rule that matches only on that address:

# redirect connections to the link's current local address only
iptables -t nat -A PREROUTING -d "$PPP_LOCAL" -p tcp --dport <port> \
  -j DNAT --to-destination <server>:<port>

You cannot do that with a static ruleset.
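As an added illustration of the two rules above (example code, not part of the original message): one script that can be installed, or symlinked, into both /etc/ppp/ip-up.d/ and /etc/ppp/ip-down.d/. It relies on Debian's /etc/ppp/ip-up and /etc/ppp/ip-down exporting PPP_IFACE, PPP_LOCAL and PPP_REMOTE before run-parts executes the scripts in those directories; the port (FWD_PORT) and internal target (INTERNAL_SERVER) are made-up placeholders for the <port> and <server> in the post, and choosing "up" or "down" from the script's own directory is an assumption about how it is installed. The same pattern works for /etc/network/if-up.d scripts, which get IFACE from ifupdown instead.

```shell
#!/bin/sh
# Added example (not from the original post). Install or symlink this file into
# both /etc/ppp/ip-up.d/ and /etc/ppp/ip-down.d/. Debian's /etc/ppp/ip-up and
# /etc/ppp/ip-down export PPP_IFACE, PPP_LOCAL and PPP_REMOTE before running
# the scripts there. FWD_PORT and INTERNAL_SERVER are made-up placeholders.
set -eu

FWD_PORT="${FWD_PORT:-8080}"                            # assumed public port
INTERNAL_SERVER="${INTERNAL_SERVER:-192.168.1.10:80}"   # assumed internal target

# Accept only a plain dotted-quad IPv4 address, so an empty or odd value can
# never turn into a malformed (or far too broad) rule.
is_ipv4() {
    addr=$1
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    rest="$addr."
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        [ "$octet" -le 255 ] || return 1
    done
}

# Refuse to run on anything other than sane values for this link.
check_link_vars() {
    case "${PPP_IFACE:-}" in
        ppp[0-9]|ppp[0-9][0-9]|ppp[0-9][0-9][0-9]) ;;
        *) echo "bad PPP_IFACE: '${PPP_IFACE:-}'" >&2; return 1 ;;
    esac
    is_ipv4 "${PPP_LOCAL:-}"  || { echo "bad PPP_LOCAL" >&2; return 1; }
    is_ipv4 "${PPP_REMOTE:-}" || { echo "bad PPP_REMOTE" >&2; return 1; }
}

# Anti-spoofing rule from the post, negation in the modern "! -s" position:
# forwarded packets entering on this client's interface must carry the address
# pppd handed to that client. $1 is the iptables action (-I, -C or -D) so that
# add, check and delete all use exactly the same match.
antispoof_rule() {
    iptables "$1" FORWARD -i "$PPP_IFACE" ! -s "$PPP_REMOTE" -j DROP
}

# DNAT rule from the post, matching only on the link's dynamic local address.
dnat_rule() {
    iptables -t nat "$1" PREROUTING -d "$PPP_LOCAL" -p tcp --dport "$FWD_PORT" \
        -j DNAT --to-destination "$INTERNAL_SERVER"
}

# "up": insert (not append) so the rules precede any broader ACCEPT already in
# the chain, and skip rules that exist (-C, iptables >= 1.4.11) so a re-run
# does not stack duplicates. "down": delete only what is actually present.
ppp_firewall() {
    check_link_vars || return 1
    for rule in antispoof_rule dnat_rule; do
        case "$1" in
            up)   "$rule" -C 2>/dev/null || "$rule" -I ;;
            down) if "$rule" -C 2>/dev/null; then "$rule" -D; fi ;;
            *)    echo "usage: $0 up|down" >&2; return 2 ;;
        esac
    done
}

# run-parts invokes the script by its full path, so the directory name tells
# whether the link is coming up or going down (assumed install locations).
case "$0" in
    */ip-up.d/*)   ppp_firewall up ;;
    */ip-down.d/*) ppp_firewall down ;;
esac
```

Because every rule is generated from one function with only the action swapped, the ip-down side can never drift from the ip-up side and leave a stale anti-spoofing rule behind for a reused interface name, and the -C check keeps the chain clean when pppd re-runs the scripts for the same unit.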
