
Re: iptables service with debian



On Sun, Apr 29, 2012 at 4:08 AM, Bonno Bloksma <b.bloksma@tio.nl> wrote:

>>>>>> It's best to run an iptables script from "/etc/network/if-pre-up.d/".
>>>>> Only for the rules which are related to a specific interface.
>>>>> Ruleset initialization should not be done from there.
>>>>
>>>> Why not?
>>>
>>> Because it makes no sense to re-initialize the ruleset every time an
>>> interface is activated.
>>>
>>>> Is this documented somewhere? If not, from where should iptables
>>>> rules be launched?
>>>
>>> Iptables should be initialized from an initscript run before networking.
>>
>> I agree but until someone else pointed out that there was iptables-
>> persistent for that, there was no packaged way of doing so.
>>
>> Until iptables-persistent was released in July 2009, there wasn't a
>> packaged way of doing so and using "/etc/network/if-pre-up.d/" was the
>> recommended way, as documented in the Debian wiki.
>
> I have been running iptable scripts for years but never ran them from
> "/etc/network/if-pre-up.d/". In Debian I have always used the pre-up line
> in the interfaces file, in RedHat I used the rc.local file or created my
> own Sxx link in the rc.X directories to get it started before the network
> came up.
>
> The other way to save/load iptables rules has been to use iptables-save
> and iptables-restore (or something like it) which I have used in the old
> days when there was RedHat 4.x (before it came to be known as Fedora) and
> so on.

AFAIK, using "/etc/network/if-pre-up.d/" or "pre-up ..." in
"/etc/network/interfaces" is essentially the same thing.

(I don't understand why you use "rc.local" on RHEL/Fedora because they
both have an iptables init script by default.)
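The thread's point is that "/etc/network/if-pre-up.d/" should carry only interface-specific rules while the base ruleset is loaded once by an init script before networking; the hook below is an added example written for this page (not code from the thread or from Debian) of keeping those two concerns apart. It relies on the IFACE and MODE variables that ifupdown exports to hooks; the IPTABLES override variable and the SSH-only rule set for the interface are assumptions for illustration.

```sh
#!/bin/sh
# One hook script for both /etc/network/if-pre-up.d/ (MODE=start) and
# /etc/network/if-post-down.d/ (MODE=stop): it appends rules that belong
# to the interface being brought up and deletes them again on ifdown.
# The base ruleset and chain policies are never touched here; they are
# loaded once by the init script that runs before networking.

# Rule specs (chain plus match, without -A/-D) tied to one interface.
# The allowed services are an assumption: only SSH on this interface.
iface_rules() {
    case $1 in
        lo|"") return 1 ;;            # nothing interface-specific for loopback
    esac
    printf '%s\n' \
        "INPUT -i $1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "INPUT -i $1 -p tcp --dport 22 -j ACCEPT" \
        "INPUT -i $1 -j DROP"
}

# Map ifupdown's MODE onto the iptables verb: add on ifup, delete on ifdown.
mode_to_verb() {
    case $1 in
        start) echo -A ;;
        stop)  echo -D ;;
        *)     return 1 ;;
    esac
}

# Apply every spec with the chosen verb. IPTABLES is an assumed override
# so the logic can be exercised without root; it defaults to the binary.
apply_iface_rules() {
    verb=$(mode_to_verb "$2") || return 1
    iface_rules "$1" | while IFS= read -r spec; do
        # Repeated ifup must not stack duplicates: -C succeeds if present.
        if [ "$verb" = -A ] && ${IPTABLES:-iptables} -C $spec 2>/dev/null; then
            continue
        fi
        ${IPTABLES:-iptables} $verb $spec
    done
}

# Act only when invoked by ifupdown; running it by hand is a no-op.
if [ -n "${IFACE:-}" ] && [ -n "${MODE:-}" ]; then
    apply_iface_rules "$IFACE" "$MODE"
fi
```

Because the hook only ever appends or deletes its own per-interface rules, bringing an interface up a second time neither flushes nor re-initializes the tables, which is the behaviour the thread argues against.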

