
Re: iptables service with debian



On Thu, 26 Apr 2012 14:13:28 +0500
Muhammad Yousuf Khan <sirtcp@gmail.com> wrote:

> I ran this command:
> 
> iptables -t nat -A POSTROUTING -o eth1 -d 8.8.4.4 -j MASQUERADE
> 
> My client computers are able to ping 8.8.4.4,
> 
> but when I run "iptables --flush -t nat" it clears the table but my
> clients can still ping the destination.
> I checked "iptables-save"; it shows that the tables are empty.
> I thought that there could be some kind of service related to iptables
> in the /etc/init.d folder so that I could restart that, but there are none.
> And I noticed after 5 minutes or so my client computers were not able
> to ping, which means my commands take effect after 5 minutes.
> 
> But I want a prompt effect from every iptables command. Is there anything
> that can be done in this regard? Please help.
> 
> One more thing: what could be done to retain all the iptables statements
> even after reboot? I think writing all the iptables commands in
> rc.local
> is not a good idea. It is a workaround.
> 
> Can anyone please help in this regard also.
> 

Iptables commands do work instantly, but state table entries may not
disappear until after their timeout. It has already been pointed out
that the MASQUERADE target is not appropriate for access control, so
you should not be too concerned if it does not work as you expect. If
you were to delete a real iptables access rule, there would be no delay.

I use iptables and its logging fairly regularly for troubleshooting,
which involves altering and repositioning rules to see what's going on,
and I know there is no delay after reloading the rules tables. If you
type an extra rule at a command prompt, it will work the instant you hit
return, assuming you have it right and it doesn't conflict with what
is already there. It's easier to add it to the script in the right
place, and reload the rules tables.

The usual way to organise iptables rules is to have a script that runs
as part of the boot sequence, usually also checking for the correct
modules, starting IP forwarding, etc. It isn't a workaround to run it
from an rc; how else do you think things are started on boot? If you
want something that looks like a daemon, it's not too hard to make a
start-stop script that will load and flush the iptables rules, check
which ruleset if any is currently running and generally work as a
pseudo-service. It's not something that Debian supplies, as a lot of
people prefer to use firewall applications rather than deal with raw
iptables rules.

-- 
Joe
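The start/stop pseudo-service Joe describes, written out as an added example (not code from the thread or from Debian): `start` restores a saved ruleset with iptables-restore, `stop` flushes the tables and also the conntrack table so that existing NAT entries do not linger until their timeout, and `status` reports whether the loaded ruleset matches the file. The rules file path, the module names and the use of conntrack-tools are assumptions.

```shell
#!/bin/sh
# Added example of the start/stop pseudo-service described above, not from the thread.
# Rules file path, module names and the conntrack call are assumptions; override
# RULES / IPT / IPT_SAVE / IPT_RESTORE in the environment if your setup differs.
RULES=${RULES:-/etc/iptables/rules.v4}
IPT=${IPT:-iptables}
IPT_SAVE=${IPT_SAVE:-iptables-save}
IPT_RESTORE=${IPT_RESTORE:-iptables-restore}
load_modules() {
    # harmless if a module is built in or already loaded
    for m in nf_conntrack nf_conntrack_ipv4 iptable_nat; do
        modprobe "$m" 2>/dev/null || true
    done
}

do_start() {
    [ -r "$RULES" ] || { echo "no ruleset at $RULES" >&2; return 1; }
    load_modules
    # iptables-restore swaps every table in one step: no half-loaded window
    "$IPT_RESTORE" < "$RULES" && echo 1 > /proc/sys/net/ipv4/ip_forward
}

do_stop() {
    # flush everything and return to accept-all (use DROP if that is your default)
    for t in filter nat mangle; do
        "$IPT" -t "$t" -F && "$IPT" -t "$t" -X
    done
    for c in INPUT FORWARD OUTPUT; do "$IPT" -P "$c" ACCEPT; done
    # conntrack entries outlive a flush and keep existing NAT mappings alive
    # until they time out; clearing the table makes the change immediate
    if command -v conntrack >/dev/null 2>&1; then conntrack -F; fi
}

strip_noise() {   # drop iptables-save's comment lines and packet/byte counters
    sed '/^#/d;s/ \[[0-9]*:[0-9]*\]//'
}
do_status() {     # 0 if the live ruleset matches the file, 3 (LSB "not running") if not
    if [ "$("$IPT_SAVE" | strip_noise)" = "$(strip_noise < "$RULES")" ]; then
        echo "ruleset $RULES is loaded"
    else
        echo "ruleset differs from $RULES (or none loaded)"; return 3
    fi
}
if [ $# -gt 0 ]; then   # dispatch only when invoked with an action
    case "$1" in
        start) do_start ;;  stop) do_stop ;;  restart) do_stop; do_start ;;
        status) do_status ;;  *) echo "Usage: $0 {start|stop|restart|status}" >&2; exit 2 ;;
    esac
fi
```

Save the current ruleset with `iptables-save > /etc/iptables/rules.v4` once it is right, then `status` tells you at any time whether what is running still matches it.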

