
RE: Auto starting iptables




----------
From: 	Tzafrir Cohen[SMTP:tzafrir@technion.ac.il]
Sent: 	Friday, November 23, 2001 12:23 PM
To: 	Lance Levsen
Cc: 	John Mautz; debian-firewall@lists.debian.org; debian-user@lists.debian.org
Subject: 	Re: Auto starting iptables 

On Thu, 22 Nov 2001, Lance Levsen wrote:

> make an iptables script in /etc/init.d/iptables
> chmod 755 this file
>
> run $ update-rc.d iptables defaults 10 (not sure about this
> syntax, read the manpage.)

Note, however, that this script will be called again before you shut down
the computer (since K??rc.firewall will probably be created in both rc6.d
[reboot] and rc0.d [halt]). In most cases there is nothing wrong with
running this script again before shutting down the interface.

Note that according to the Debian policy, an init.d script should be able
to accept 'start', 'stop' and 'restart' as parameters and act accordingly.
There's nothing wrong with deviating from the Debian policy for your
personal system, but then it is your job to guarantee that things still
work properly. Also see a message by me from a couple of weeks ago as to
why a 'real' init.d firewall script is a good idea.

Also note that Debian made a strange (IMHO) decision to start networking
in the very first stage of the startup scripts: in rcS.d (see
/etc/rcS.d/README). This means that if you have a network interface that
is configured through dhcp, then when you boot in 'single', that interface
is up, and the dhcp client is connecting to the daemon to accept
configuration (or stuck for 1/2 a minute if the network configuration is
screwed up).

(for those cases you have INIT=/bin/bash , but you should be careful with
that one, as it is easy to forget a filesystem mounted before you reboot)

This means that if you want to run a script before the network is up, you
have to put it in the very first stages of rcS.d.

-- 
Tzafrir Cohen
mailto:tzafrir@technion.ac.il
http://www.technion.ac.il/~tzafrir


Just edit the /etc/init.d/networking rc script and make your iptables script executable from there. That way, when you stop networking services you can clear your firewall rules or reset them.

Stef
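A firewall init script of the policy-conformant kind Tzafrir describes, with 'stop' doing the clean-up that the K link triggers at halt and reboot. This is an added example, not code from either poster; it assumes iptables lives at /sbin/iptables and that ssh on port 22 is the only service to admit, and it honours an IPTABLES override so the rule sequence can be dry-run without root.

```shell
#!/bin/sh
# /etc/init.d/iptables: a firewall script that accepts start, stop and
# restart (constructed example). Assumed: iptables is /sbin/iptables and
# ssh listens on port 22; override IPTABLES to dry-run without root.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Run one iptables command; report and return its failure status.
fw() {
    $IPTABLES "$@" || { echo "iptables $*: failed" >&2; return 1; }
}

start_firewall() {
    # Policies first, then flush: no window with empty, ACCEPT-by-default chains.
    fw -P INPUT DROP || return 1
    fw -P FORWARD DROP || return 1
    fw -P OUTPUT ACCEPT || return 1
    fw -F || return 1
    fw -A INPUT -i lo -j ACCEPT || return 1
    fw -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT || return 1
    fw -A INPUT -p tcp --dport 22 -j ACCEPT    # assumed: admin ssh only
}

stop_firewall() {
    # Called on 'stop' and, through the K link, at halt and reboot: flush
    # everything and open the policies so 'start' begins from a clean slate.
    fw -F || return 1
    fw -X || return 1
    fw -P INPUT ACCEPT || return 1
    fw -P FORWARD ACCEPT || return 1
    fw -P OUTPUT ACCEPT
}

firewall_ctl() {
    case "$1" in
        start)   start_firewall ;;
        stop)    stop_firewall ;;
        restart|force-reload) stop_firewall && start_firewall ;;
        *) echo "Usage: $0 {start|stop|restart}" >&2; return 1 ;;
    esac
}

# Dispatch only when an action is given (as the S/K links in /etc/rc?.d do).
if [ $# -gt 0 ]; then
    firewall_ctl "$1"
    exit $?
fi
```

Installed as /etc/init.d/iptables and registered with update-rc.d, the S link calls it with 'start' and the K links in rc0.d and rc6.d call it with 'stop', which is exactly the second invocation at shutdown that Tzafrir mentions.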
