RE: iptables service with debian
Hi,
>>>>> It's best to run an iptables script from "/etc/network/if-pre-up.d/".
>>>> Only for the rules which are related to a specific interface.
>>>> Ruleset initialization should not be done from there.
>>>
>>> Why not?
>>
>> Because it makes no sense to re-initialize the ruleset every time an
>> interface is activated.
>>
>>> Is this documented somewhere? If not, from where should iptables
>>> rules be launched?
>>
>> Iptables should be initialized from an initscript run before networking.
>
> I agree but until someone else pointed out that there was iptables-persistent for that, there was no packaged way of doing so.
>
> Until iptables-persistent was released in July 2009, there wasn't a packaged way of doing so and using "/etc/network/if-pre-up.d/" was the recommended way, as documented in the Debian wiki.
I have been running iptables scripts for years but never ran them from "/etc/network/if-pre-up.d/". In Debian I have always used the pre-up line in the interfaces file; in RedHat I used the rc.local file or created my own Sxx link in the rc.X directories to get it started before the network came up.
The other way to save/load iptables rules has been to use iptables-save and iptables-restore (or something like it) which I have used in the old days when there was RedHat 4.x (before it came to be known as Fedora) and so on.
Bonno
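As an added illustration of the save/restore approach mentioned in this message (example code written for this page, not something posted in the thread): a small POSIX sh loader for a file produced by iptables-save that can be called once from an early init script or from a "pre-up" line in /etc/network/interfaces. The path /etc/iptables/rules.v4, the script name /usr/local/sbin/load-firewall and the sample ruleset are assumptions.

```shell
#!/bin/sh
# Added example: restore a saved iptables ruleset at boot, refusing any
# file that is not fail-closed. Paths and sample rules below are assumed.

# check_ruleset FILE
# Returns 0 when FILE looks like a complete iptables-save dump whose filter
# table defaults INPUT and FORWARD to DROP and keeps loopback open.
check_ruleset() {
    f="$1"
    [ -r "$f" ]                               || return 1
    grep -q '^\*filter$' "$f"                 || return 1
    grep -q '^:INPUT DROP ' "$f"              || return 1
    grep -q '^:FORWARD DROP ' "$f"            || return 1
    grep -q '^-A INPUT -i lo -j ACCEPT' "$f"  || return 1
    grep -q '^COMMIT$' "$f"                   || return 1
    return 0
}

# load_ruleset FILE
# Validates FILE, then applies it with iptables-restore, which replaces the
# whole ruleset in one step instead of leaving a half-applied window the way
# a script of individual "iptables -A" calls does.
load_ruleset() {
    f="$1"
    check_ruleset "$f" || { echo "refusing to load $f: not fail-closed" >&2; return 1; }
    iptables-restore < "$f"
}

# Constructed sample in iptables-save format, written to a temp file so the
# check can be exercised without touching the live firewall.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF

# Assumed usage from /etc/network/interfaces:
#   pre-up /usr/local/sbin/load-firewall /etc/iptables/rules.v4
# or from an init script run before networking; in both cases the script
# body is simply:  load_ruleset "$1"
```

The check is deliberately strict: a dump whose INPUT policy is ACCEPT is rejected before iptables-restore is ever invoked.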