
Re: iptables service with debian



On Sat, Apr 28, 2012 at 3:40 AM, Joe <joe@jretrading.com> wrote:
> On Sat, 28 Apr 2012 02:41:29 -0400
> Tom H <tomh0665@gmail.com> wrote:
>> On Fri, Apr 27, 2012 at 6:59 PM, Pascal Hambourg
>> <pascal@plouf.fr.eu.org> wrote:
>> > Tom H wrote:
>> >> On Fri, Apr 27, 2012 at 4:05 AM, Joe <joe@jretrading.com> wrote:
>> >>>
>> >>> But the save and restore commands only give you the iptables
>> >>> rules, and you may want to do other network-related things when
>> >>> the 'service' is started, such as loading conntrack modules for
>> >>> unusual protocols.
>> >>
>> >> It's best to run an iptables script from
>> >> "/etc/network/if-pre-up.d/".
>> >
>> > Only for the rules which are related to a specific interface.
>> > Ruleset initialization should not be done from there.
>>
>> Why not? Is this documented somewhere? If not, from where should
>> iptables rules be launched?
>>
>> "if-pre-up.d" is the only logical location (and it isn't tied to any
>> particular NIC) for launching an iptables script since Debian ripped
>> out "/etc/init.d/iptables".
>>
>> It's also the recommended location on the Debian wiki:
>>
>> http://wiki.debian.org/iptables
>
> Which also mentions iptables-persistent.

Thanks for pointing iptables-persistent out; I'd only skimmed through
the wiki entry to see whether or not using "if-pre-up.d" was
recommended and I'd missed that note.

I have a Debian box at home where I've created a similar service but
I'd never do this on one of the boxes that I manage at a company
because I always try to avoid non-standard setups.

I migrated two dev boxes from using "if-pre-up.d" to using
"iptables-persistent" this afternoon...
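An added example, not code from the thread, of the kind of "if-pre-up.d" script discussed above: it loads a conntrack helper module and restores a saved ruleset, guarded so that the hook, which ifupdown runs once per interface with MODE and PHASE exported, only restores the rules on the first pre-up of a boot. The rules path, marker file and helper module are assumptions.

```shell
#!/bin/sh
# Example /etc/network/if-pre-up.d/ hook (added example, not from the thread).
# ifupdown exports IFACE, MODE ("start"/"stop") and PHASE ("pre-up", ...) to
# every script in this directory and runs them once per interface, so the
# ruleset load is guarded by a marker file to make it happen once per boot.

RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"   # assumed path
STAMP="${STAMP:-/run/iptables-restored}"              # assumed marker file
CONNTRACK_MODULES="nf_conntrack_ftp"                  # assumed helper module

# Decide whether this invocation should load the ruleset.
# Args: iface mode phase stamp-file. Returns 0 (yes) or 1 (no).
should_restore() {
    iface="$1"; mode="$2"; phase="$3"; stamp="$4"
    [ -n "$iface" ] || return 1             # not called by ifupdown
    [ "$mode" = "start" ] || return 1       # ignore ifdown
    [ "$phase" = "pre-up" ] || return 1     # only the pre-up phase
    [ ! -e "$stamp" ] || return 1           # already done this boot
    return 0
}

# Load helper modules, then restore the saved rules atomically.
restore_ruleset() {
    for m in $CONNTRACK_MODULES; do
        modprobe "$m" || return 1
    done
    iptables-restore < "$RULES_FILE" || return 1
    : > "$STAMP"                            # mark the ruleset as loaded
}

# Entry point when ifupdown runs this script.
if should_restore "$IFACE" "$MODE" "$PHASE" "$STAMP"; then
    restore_ruleset || exit 1
fi
```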
