Re: iptables service with debian
On Fri, Apr 27, 2012 at 2:38 AM, Joe <firstname.lastname@example.org> wrote:
> On Thu, 26 Apr 2012 14:13:28 +0500
> Muhammad Yousuf Khan <email@example.com> wrote:
>> i run this command
>> iptables -t nat -A POSTROUTING -o eth1 -d 22.214.171.124 -j MASQUERADE
>> my client computers able to ping 126.96.36.199
>> but when i "iptables --flush -t nat" it clrear the table but my
>> client can still ping the destination.
>> i check "iptables-save" is shows that tables are empty.
>> i thought that there could be some kind of service related to iptable
>> in /etc/init.d folder so that i can restart that but there are none.
>> and i notices after 5 minutes or so my clients computer were not able
>> to ping which means my commands affects after 5 minutes.
>> but i want prompt effect of every iptable command. is there any thing
>> that can be done in this regard ? pls help
>> one more thing what could be done to retain all the iptable statements
>> even after reboot. i think writing all the iptables command in
>> is not a good idea. it is work around.
>> can any one plz help in this regard also.
> Iptables commands do work instantly, but state table entries may not
> disappear until after their timeout. It has already been pointed out
> that the MASQUERADE target is not appropriate for access control, so
> you should not be too concerned if it does not work as you expect. If
> you were to delete a real iptables access rule, there would be no delay.
Thanks for the clearing my concept.
however i read some of the part via google that there is a file
/etc/network/iptables in Debian from where all the startup scripts run
for FW . may be i didnt got the correct idea out of it. as i am new
and still learning.
so i thought that rc.local is not an appropriate route to choose.
> I use iptables and its logging fairly regularly for troubleshooting,
> which involves altering and repositioning rules to see what's going on,
> and I know there is no delay after reloading the rules tables. If you
> type an extra rule at a command prompt, it will work the instant you hit
> return, assuming you have it right and it doesn't conflict with what
> is already there. It's easier to add it to the script in the right
> place, and reload the rules tables.
> The usual way to organise iptables rules is to have a script that runs
> as part of the boot sequence, usually also checking for the correct
> modules, starting IP forwarding, etc. It isn't a workaround to run it
> from an rc, how else do you think things are started on boot? If you
> want something that looks like a daemon, it's not too hard to make a
> start-stop script that will load and flush the iptables rules, check
> which ruleset if any is currently running and generally work as a
> pseudo-service. It's not something that Debian supplies, as a lot of
> people prefer to use firewall applications rather than deal with raw
> iptables rules.
since the inception of my career i have been using Microsoft at server end. but
since i have started learning Linux i dont know what is the attraction in it.
i started liking command line. rather GUI. so i am not interested in
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact firstname.lastname@example.org
> Archive: email@example.com">http://firstname.lastname@example.org