Re: networking



Paul Cartwright wrote:
> Bob Proulx wrote:
> > I think you did put that in there.  It has that look.  As to whether
> > it /should/ be there... well *I* wouldn't put it there.  :-) I think
> > that type of reloading belongs elsewhere such as in an if-up.d/*
> > script.  But I don't know about your firewall setup.  I could guess
> > something like this in /etc/network/if-up.d/local-firewall using your
> > current config as a template.
>
> I just googled it and found this:
> http://www.linuxquestions.org/questions/ubuntu-63/where-is-iptables-config-file-584024/
> 
> There's no default. You can set your iptables config anywhere you want.
> Add a "pre-up" line to your /etc/network/interfaces file, calling
> the iptables-restore command. Say you choose /etc/example.txt - in
> your /etc/network/interfaces file you'd have a line like:
> Code:
> 
> pre-up iptables-restore < /etc/example.txt

> This loads the iptables config before the network interfaces are put
> online. BTW, make sure you never edit your config file manually.
> Populate it with an iptables-save command, like:
> Code:
> 
> iptables-save > /etc/example.txt

But in that case I think the intention would be to associate it with
the eth* device and not the lo device.

To be clear you had:

  auto lo
  iface lo inet loopback
  pre-up iptables-restore < /etc/firewall-rules

I was going "ew..." about having it associated in time with the lo
device coming online.  If you move that down to the eth0 device then I
wouldn't have made that comment.  I mean something like this from your
example:

  auto eth0
  iface eth0 inet static
  address 192.168.10.2
  netmask 255.255.255.0
  dns-nameservers  4.2.2.3 208.67.222.222 208.67.220.220 4.2.2.2 192.168.10.1
  gateway 192.168.10.1
  pre-up iptables-restore < /etc/firewall-rules

Associated with the eth0 device that looks okay to me.  I would move
it from the lo device to the eth0 device.  The example you referenced
didn't say specifically which device to associate it with and so left
that part as an exercise to the reader.

Also it isn't required but I think it looks a lot easier to read if
the associated parts are indented.  This is also as shown in the
interfaces documentation.

  man interfaces

Indented more like this would be nice.

  auto eth0
  iface eth0 inet static
  	  address 192.168.10.2
  	  netmask 255.255.255.0
  	  dns-nameservers  4.2.2.3 208.67.222.222 208.67.220.220 4.2.2.2 192.168.10.1
  	  gateway 192.168.10.1
  	  pre-up iptables-restore < /etc/firewall-rules

The reason it is working for you associated with the lo device is that
both lo and eth0 are coming online at the same time because both are
configured for you as 'auto' devices.  Therefore they come online at
boot time with '/etc/init.d/networking start'.  So I assume that it is
working, I am not saying it is not.  But if you were to manipulate lo
and eth0 individually for any reason then the pre-up would be reloaded
when you restarted lo but not for eth0.  That is the part that seemed
odd to me.  Because I would think the firewall rules would be tied to
eth0 and you would want to load them when eth0 comes online.  Of
course once in totality at system boot time might be just fine for you
too.  Or maybe you do only want the firewall rules loaded when lo
comes online.  But it seemed odd and so I commented about it.  YMMV.

Bob
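The if-up.d alternative mentioned at the top of the thread, written out as an added example (this is not code from the thread or from ifupdown itself). It assumes the path /etc/network/if-up.d/local-firewall and the rules file /etc/firewall-rules from the thread, that the firewall interface is eth0, and it relies on the IFACE and MODE variables that ifupdown exports to hook scripts. The point it demonstrates is Bob's: tie the restore to the eth* interface, not to lo, and refuse to feed iptables-restore a file that does not look like iptables-save output.

```shell
#!/bin/sh
# Hypothetical /etc/network/if-up.d/local-firewall (added example, not from the thread).
# ifupdown runs every script in if-up.d once per interface brought up, exporting
# IFACE (the interface name) and MODE ("start" on ifup, "stop" on ifdown).

FIREWALL_IFACE="${FIREWALL_IFACE:-eth0}"          # assumed: rules belong to eth0
RULES_FILE="${RULES_FILE:-/etc/firewall-rules}"   # path used in the thread

# Return 0 only when this invocation is the up-event of the firewall interface.
# This is what keeps an "ifdown lo; ifup lo" from touching the ruleset.
should_restore() {
    iface="$1"
    mode="$2"
    [ "$mode" = "start" ] || return 1
    [ "$iface" = "$FIREWALL_IFACE" ] || return 1
    return 0
}

# Sanity-check a saved rules file before handing it to iptables-restore.
# Real iptables-save output always carries at least one "*table" line and a
# "COMMIT" line; a hand-edited or truncated file usually lacks one of them.
rules_file_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    grep -q '^\*' "$f" || return 1
    grep -q '^COMMIT' "$f" || return 1
    return 0
}

# Load the rules; fail loudly (and non-zero, so ifup reports it) on a bad file.
restore_rules() {
    if ! rules_file_ok "$RULES_FILE"; then
        echo "local-firewall: $RULES_FILE missing or not iptables-save output, not loading" >&2
        return 1
    fi
    iptables-restore < "$RULES_FILE"
}

# Only act when ifupdown invoked us (IFACE is set). When the file is merely
# sourced, e.g. by a test, the functions are defined but nothing runs.
if [ -n "${IFACE:-}" ]; then
    if should_restore "$IFACE" "${MODE:-}"; then
        restore_rules
    fi
fi
```

Dropped into /etc/network/if-up.d/ and made executable, this fires on `ifup eth0` (and at boot, since eth0 is `auto`) but stays quiet for lo; the pre-up line in the interfaces file is then no longer needed. If the rules file is edited by hand and loses its COMMIT line, the script refuses to load it and says so on stderr rather than leaving iptables-restore to fail part-way through.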
