
Re: iptables service with debian



On Fri, Apr 27, 2012 at 2:38 AM, Joe <joe@jretrading.com> wrote:
> On Thu, 26 Apr 2012 14:13:28 +0500
> Muhammad Yousuf Khan <sirtcp@gmail.com> wrote:
>
>> I ran this command
>>
>> iptables -t nat -A POSTROUTING -o eth1 -d 8.8.4.4 -j MASQUERADE
>>
>> my client computers are able to ping 8.8.4.4
>>
>> but when I "iptables --flush -t nat" it clears the table, but my
>> client can still ping the destination.
>> I checked "iptables-save"; it shows that the tables are empty.
>> I thought that there could be some kind of service related to iptables
>> in the /etc/init.d folder so that I can restart that, but there is none.
>> and I noticed after 5 minutes or so my client computers were not able
>> to ping, which means my commands take effect after 5 minutes.
>>
>> but I want a prompt effect from every iptables command. Is there anything
>> that can be done in this regard? Please help.
>>
>> one more thing: what could be done to retain all the iptables statements
>> even after reboot? I think writing all the iptables commands in
>> rc.local
>> is not a good idea; it is a workaround.
>>
>> can anyone please help in this regard also.
>>
>>
>
> Iptables commands do work instantly, but state table entries may not
> disappear until after their timeout. It has already been pointed out
> that the MASQUERADE target is not appropriate for access control, so
> you should not be too concerned if it does not work as you expect. If
> you were to delete a real iptables access rule, there would be no delay.

Thanks for clearing up my concept.
However, I read somewhere via Google that there is a file
/etc/network/iptables in Debian from where all the startup scripts run
for the FW. Maybe I didn't get the correct idea out of it, as I am new
and still learning.
So I thought that rc.local is not an appropriate route to choose.

>
> I use iptables and its logging fairly regularly for troubleshooting,
> which involves altering and repositioning rules to see what's going on,
> and I know there is no delay after reloading the rules tables. If you
> type an extra rule at a command prompt, it will work the instant you hit
> return, assuming you have it right and it doesn't conflict with what
> is already there. It's easier to add it to the script in the right
> place, and reload the rules tables.
>
> The usual way to organise iptables rules is to have a script that runs
> as part of the boot sequence, usually also checking for the correct
> modules, starting IP forwarding, etc. It isn't a workaround to run it
> from an rc; how else do you think things are started on boot? If you
> want something that looks like a daemon, it's not too hard to make a
> start-stop script that will load and flush the iptables rules, check
> which ruleset if any is currently running and generally work as a
> pseudo-service. It's not something that Debian supplies, as a lot of
> people prefer to use firewall applications rather than deal with raw
> iptables rules.
>

Since the start of my career I have been using Microsoft at the server end, but
since I started learning Linux, I don't know what the attraction in it is:
I started liking the command line rather than the GUI. So I am not interested in
applications.




> --
> Joe
>
>
> Archive: http://lists.debian.org/20120426223825.498d08ea@jretrading.com
>
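The "pseudo-service" Joe describes (a start/stop script that loads an atomic ruleset, flushes it, and reports which ruleset is running) looks like the following. This is an added example, not code from either poster and not something Debian ships; the interface names (eth0 for the LAN, eth1 for the WAN), the LAN range 192.168.1.0/24 and the marker tag "fw-example-v1" are assumptions constructed for the example. It also makes the thread's point concrete: flushing the tables removes rules instantly, but conntrack entries created by MASQUERADE outlive the rules until they time out, so `fw_stop` flushes them too when conntrack-tools is installed. Access control is kept in the FORWARD chain, where deleting a rule takes effect at once; MASQUERADE only rewrites source addresses.

```shell
#!/bin/sh
# Added example (not from the thread): a start/stop pseudo-service for a raw
# iptables ruleset. Assumptions, constructed for the example: WAN is eth1,
# LAN is 192.168.1.0/24 on eth0, and a hypothetical marker tag identifies the
# loaded ruleset. start/stop/restart/status need root; the helpers do not.

WAN_IF="eth1"
LAN_IF="eth0"
LAN_NET="192.168.1.0/24"
RULESET_TAG="fw-example-v1"

# Print the whole ruleset in iptables-save format. Loading it with
# iptables-restore replaces both tables atomically, instead of one iptables
# call per rule from rc.local. Filtering lives in FORWARD; MASQUERADE only
# rewrites the source address and is not a filter.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# the comment match is a marker so "status" can tell this ruleset is loaded
-A INPUT -i lo -m comment --comment "$RULESET_TAG" -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Exit 0 if the tagged ruleset appears in iptables-save output read on stdin.
# iptables-save quotes a comment only when it contains special characters,
# so accept both the quoted and the bare form.
ruleset_loaded() {
    grep -qE -- "--comment \"?${RULESET_TAG}\"?"
}

# Number of rules (-A lines) in a ruleset read on stdin.
count_rules() {
    grep -c '^-A ' || true
}

fw_start() {
    for mod in nf_conntrack iptable_nat; do
        modprobe "$mod" 2>/dev/null || :
    done
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_rules | iptables-restore
}

fw_stop() {
    # Policies first, then flush: flushing while INPUT is still DROP would
    # cut the SSH session running this script.
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    for table in filter nat; do
        iptables -t "$table" -F
        iptables -t "$table" -X
    done
    # The rules are gone the instant the commands above return, but existing
    # conntrack entries (a client's NAT mapping, for instance) persist until
    # they time out, which is why an already-running ping keeps working.
    # Drop them too when conntrack-tools is available.
    if command -v conntrack >/dev/null 2>&1; then
        conntrack -F 2>/dev/null || :
    fi
}

fw_status() {
    if iptables-save | ruleset_loaded; then
        echo "ruleset $RULESET_TAG loaded ($(iptables-save | count_rules) rules)"
    else
        echo "ruleset $RULESET_TAG not loaded"
        return 3
    fi
}

main() {
    case "$1" in
        start)   fw_start ;;
        stop)    fw_stop ;;
        restart) fw_stop; fw_start ;;
        status)  fw_status ;;
        show)    build_rules ;;
        *) echo "usage: $0 {start|stop|restart|status|show}" >&2; return 2 ;;
    esac
}

# Dispatch only when given a command, so the helpers can be sourced and tested.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Installed as /etc/init.d/firewall (hypothetical name) with `start` wired into the boot sequence, `status` answers the "which ruleset is running" question by looking for the marker rather than guessing from rule counts, and `show | iptables-restore --test` (where that option is available) lets you syntax-check an edit before loading it.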

