
Re: proper place for iptables script



On Tue, Jul 28, 2009 at 22:23 -0400, Andrew Reid wrote:
> On Tuesday 28 July 2009 22:04:20 Rob Owens wrote:
> > In the interest of learning new things, I'm moving from shorewall to plain
> > old iptables.  I've got my script made, but I'm not sure what the proper
> > procedure is for starting it automatically at boot.  Is there a "Debian
> > way" to do this?
> 
>   What I do, which is Debian-compatible (i.e. the package manager
> won't break it) but may or may not be the Debian way, is to save
> the config to a file with iptables-save, and then load it at
> interface-start-time by putting a script in /etc/network/if-pre-up.d,
> which uses "iptables-restore" to set the firewall from the file
> you saved with iptables-save.
> 
>   One advantage of this is that you can make changes by editing 
> the saved file (it's a simple plain-text file), and implement
> your changes just by cycling the network device, i.e. you don't 
> have to do a full reboot just for a firewall edit.

+1

>   I recall reading an argument for why starting the firewall at boot is
> both different and worse than starting it at interface-start-time,
> but I didn't really understand it.  I'm personally kind of pedantic,
> and find the "network things happen when the network changes state" 
> thing aesthetically pleasing, and enjoy the small practical advantage
> I already mentioned.

Since you don't give a reference, I can only guess wildly :-( As a
general rule when an interface comes up the firewall must be in place
to block malicious packets.  

With dynamic IP addresses the usual way is to accept any destination
IP on that interface, say ppp0.  Assuming you chose DROP as policy in
all chains there is a better way by deferring iptables-restore to when
your LOCALIP is known.
  
 - Save your rules to a file, say /root/fw-template,
 - edit that file replacing ppp0 0.0.0.0 combinations
   with ppp0 LOCALIP
 - in post-up run
   sed -e "s/LOCALIP/$PPP_LOCAL/" /root/fw-template | iptables-restore
   ($PPP_LOCAL is from the top of my head, maybe it's named differently)

This way you'll filter a lot more of the cruft m$ boxes are sending you.
Logs fill up much quicker here.

My 2¢
  Siggy
-- 
Please don't Cc: me when replying, I might not see either copy.
               bsb-at-psycho-dot-informationsanarchistik-dot-de
               or:                bsb-at-psycho-dot-i21k-dot-de
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
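As an added example, not code from either poster: the deferred iptables-restore step Siggy sketches, written out as a hook script. It renders a saved ruleset in which the dynamic address was replaced by the token LOCALIP, then loads it. On Debian, pppd runs the scripts in /etc/ppp/ip-up.d/ with PPP_IFACE and PPP_LOCAL in the environment, so that is where the "post-up" step lands for a ppp link; the template path, the token name and the sample ruleset below are assumptions of this example (the ruleset is constructed so the script can be exercised without a live link).

```shell
#!/bin/sh
# Added example (not from the thread). Render /root/fw-template, in which the
# dynamic ppp0 address was replaced by LOCALIP, and feed it to iptables-restore.
# Install as /etc/ppp/ip-up.d/firewall (pppd exports PPP_IFACE and PPP_LOCAL
# there). FW_TEMPLATE and the token name are assumptions of this example.

FW_TEMPLATE="${FW_TEMPLATE:-/root/fw-template}"   # assumed location

# Write a small constructed ruleset (not the poster's real rules) so the script
# can be exercised offline. Every policy is DROP, as the message assumes, so a
# rule that names the wrong address fails closed instead of open.
write_sample_template() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -d LOCALIP -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ppp0 -d LOCALIP -p tcp --dport 22 -j ACCEPT
-A INPUT -i ppp0 -j LOG --log-prefix "fw-drop: "
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o ppp0 -s LOCALIP -j ACCEPT
COMMIT
EOF
}

# Print the ruleset with every LOCALIP replaced by the address pppd handed us.
# The address is validated first: it comes from the environment and is spliced
# into a sed expression, so a stray "/" or "&" would corrupt the substitution,
# and an empty value would leave the token in place and make iptables-restore
# abort halfway through the load.
render_rules() {
    template="$1"
    ip="$2"
    case "$ip" in
        ''|*[!0-9.]*) echo "render_rules: bad address '$ip'" >&2; return 1 ;;
    esac
    [ -r "$template" ] || { echo "render_rules: cannot read $template" >&2; return 1; }
    out=$(sed -e "s/LOCALIP/$ip/g" "$template") || return 1   # g: all hits per line
    case "$out" in
        *LOCALIP*) echo "render_rules: token left over" >&2; return 1 ;;
    esac
    printf '%s\n' "$out"
}

# Load the rendered rules. iptables-restore replaces the whole table in one
# commit, so there is no moment with a half-built chain set.
apply_rules() {
    render_rules "$1" "$2" | iptables-restore
}

# Hook entry point: act only for ppp0 and only once the address is known.
# Nothing runs when sourced for testing (no PPP_* variables set).
if [ "${PPP_IFACE:-}" = "ppp0" ] && [ -n "${PPP_LOCAL:-}" ]; then
    apply_rules "$FW_TEMPLATE" "$PPP_LOCAL"
fi
```

Two caveats a practitioner will want. First, between the link coming up and ip-up running there is a short window in which this ruleset is not yet loaded; a minimal ruleset with DROP policies loaded earlier (at boot or from if-pre-up.d) covers it, and this script then replaces that set wholesale. Second, under ifupdown's own post-up line the pppd variables are not present, so the script would have to read the address from the interface instead; that case is not handled here.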
