Hi:

On Tue, Aug 11, 2009 at 12:21 AM, Ivan Shmakov <[email protected]> wrote:
> FWIW, I've ended up using the init.d/ script below. The script
> is expected to run prior to ifupdown, so assuming the symbolic
> link to the latter is at /etc/rcS.d/S39ifupdown, this one needs
> to be symlinked at, say, /etc/rcS.d/S38iptables-is.sh

I apparently used /etc/network/if-pre-up.d (I can't remember the
reasoning why, but I guess it's useful to make sure you load the rules
prior to bringing the interfaces up, which means the rules will be there
once network connectivity is brought up).

A long time ago I wrote a blog article on the subject:
http://www.debian-administration.org/article/Restoring_iptables_Automatically_On_Boot

Perhaps more interesting than that article is the discussion that
happened in the comments.

Hope this helps :-)

> The script is designed to be run from within the rcS.d sequence,
> and before ifupdown, so that it won't be:
>
> * run after some (all) interfaces are already up and insecure --
>   the thing that happens if one sets the iptables up from within
>   the /etc/network/interfaces pre-up or post-up options;
>
> * run several times at some (possibly random; consider, e. g.,
>   hotplug devices) points of time, ruining the current firewall
>   state along the way -- as it happens when one puts the script
>   into /etc/network/if-up.d/ or /etc/network/if-pre-up.d/.
>
> The script does not try to save the firewall state at `stop' --
> one surely wants /not/ for some accidental mistake made into the
> current state of the remote (as in ``several hundreds kilometers
> away'') host firewall to persist across reboots.

Agreed! That's the same approach I took with my blog article.

> To summarize: the script runs just once, loading the firewall
> state before any of the interfaces are brought up. Since then,
> it does nothing.
>
> The location of the configuration file could be set via the
> default/ file (it's ok for it to be absent), like:
>
> $ cat /etc/default/iptables-is
> IPTABLES_CONF=/etc/network/iptables-my.conf
> $
>
> The configuration file is expected to be the output of
> iptables-save(8). The current state could be saved like:
>
> # iptables-save > /etc/network/iptables.conf
> #
>
> $ cat iptables-is.sh
> #!/bin/sh
> ### BEGIN INIT INFO
> # Provides:          iptables-is
> # Required-Start:    mountkernfs
> # Required-Stop:
> # Default-Start:     S
> # Default-Stop:
> # Short-Description: Load the iptables configuration from the conf. file.
> # X-Start-Before:    ifupdown
> ### END INIT INFO
>
> ## NB: This script should be `start'ed before `ifupdown'. It makes no
> ## sense to stop it at any time.
>
> set -e
>
> IPTABLES_RESTORE=/sbin/iptables-restore
> test -x "$IPTABLES_RESTORE" || exit 0
>
> . /lib/lsb/init-functions
>
> MYNAME="${0##*/}"
> PATH=/sbin:/bin
> test -r /etc/default/iptables-is && . /etc/default/iptables-is
> : ${IPTABLES_CONF:=/etc/network/iptables.conf}
>
> ## NB: should probably support `status' as well.
>
> case "$1" in
>     (start | restart | force-reload)
>         exitcode=0
>         log_begin_msg "Restoring IP tables..."
>         if ! "$IPTABLES_RESTORE" < "$IPTABLES_CONF" ; then
>             log_action_cont_msg "(failed)"
>             exitcode=2
>         fi
>         log_end_msg "$exitcode"
>         exit "$exitcode"
>         ;;
>
>     (stop)
>         exit 0
>         ;;
>
>     (*)
>         echo "Usage: $0 {start|stop|restart|force-reload}" >&2
>         exit 3
>         ;;
> esac
>
> ### iptables-is.sh ends here
> $
>
> --
> FSF associate member #7257
>
>
> --
> To UNSUBSCRIBE, email to [email protected]
> with a subject of "unsubscribe". Trouble? Contact [email protected]
>
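An added example, written for this page and not part of either message above nor of the blog article: Ivan's script hands the configuration file straight to iptables-restore and, when that fails, logs "(failed)", exits 2 and leaves ifupdown to bring the interfaces up with no filter loaded. The block below checks that an iptables-save(8) dump is structurally complete before restoring it (every *table closed by COMMIT, every -A rule naming a declared chain, a warning when the filter INPUT policy is not DROP) and loads a minimal fail-closed ruleset when the real one cannot be used. It needs only sh, sed and awk; the sample dumps are constructed, the /sbin/iptables-restore path and the "SSH on port 22 stays reachable" rule in the fallback are assumptions.

```shell
#!/bin/sh
# Added example, not Ivan's script and not from the blog article: validate
# an iptables-save(8) dump before iptables-restore sees it and fall back to
# a fail-closed ruleset when the real one cannot be loaded. Samples are
# constructed, not captured from a real host.

# Constructed dump in the shape iptables-save emits: *table header, chain
# policies, rules, COMMIT.
sample_good() {
    cat <<'EOF'
# Generated by iptables-save v1.4.2 on Tue Aug 11 00:00:00 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# The same dump cut off before COMMIT (a half-written file after a crash),
# and the same dump with the INPUT policy left at ACCEPT.
sample_no_commit() { sample_good | sed '/^COMMIT$/,$d'; }
sample_open() { sample_good | sed 's/^:INPUT DROP/:INPUT ACCEPT/'; }

# check_iptables_dump [FILE]  (reads stdin when FILE is omitted)
# Exit 0 when every *table is closed by COMMIT and every -A rule names a
# chain declared in that table; 1 on a structural problem; 2 when the
# filter INPUT policy is not DROP. "[pkts:bytes]" prefixes from
# iptables-save -c are tolerated.
check_iptables_dump() {
    awk '
    function err(msg) { print msg > "/dev/stderr"; bad = 1 }
    /^#/ || /^[ \t]*$/ { next }
    /^\[[0-9]*:[0-9]*\] / { sub(/^\[[0-9]*:[0-9]*\] /, "") }
    /^\*/ {
        if (in_table) err("table " table " not closed by COMMIT")
        table = substr($1, 2); in_table = 1
        for (c in chains) delete chains[c]
        next
    }
    /^:/ {
        if (!in_table) { err("chain outside a table: " $0); next }
        chain = substr($1, 2); chains[chain] = 1
        if (table == "filter" && chain == "INPUT" && $2 != "DROP") open_input = 1
        next
    }
    /^-A / {
        if (!in_table) { err("rule outside a table: " $0); next }
        if (!($2 in chains)) err("rule for undeclared chain " $2)
        next
    }
    /^COMMIT$/ {
        if (!in_table) err("COMMIT without a table")
        in_table = 0; tables++
        next
    }
    { err("unrecognised line: " $0) }
    END {
        if (in_table) err("table " table " not closed by COMMIT")
        if (tables == 0) err("no tables found")
        if (bad) exit 1
        if (open_input) { err("filter INPUT policy is not DROP"); exit 2 }
        exit 0
    }' "$@"
}

# fallback_ruleset: minimal fail-closed dump for when the real one is
# unusable. Loopback and replies to established connections pass and
# (assumption: the host is administered over SSH on port 22) SSH stays
# reachable, so a bad dump does not lock you out of a remote host.
fallback_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# restore_rules CONF: the load step for an init script like Ivan's.
# iptables-restore commits one table at a time, so a failure in a later
# table leaves earlier tables loaded and the rest unfiltered; the fallback
# is loaded in that case too instead of exiting with nothing in place.
IPTABLES_RESTORE=${IPTABLES_RESTORE:-/sbin/iptables-restore}   # assumed path
restore_rules() {
    rc=0; check_iptables_dump < "$1" || rc=$?
    [ "$rc" -eq 2 ] && echo "warning: $1 leaves the filter INPUT policy open" >&2
    if [ "$rc" -ne 1 ] && "$IPTABLES_RESTORE" < "$1"; then
        return 0
    fi
    echo "$1 unusable, loading the fail-closed fallback" >&2
    fallback_ruleset | "$IPTABLES_RESTORE"
    return 1
}
```

In a script like Ivan's the `if ! "$IPTABLES_RESTORE" < "$IPTABLES_CONF"` line would become `restore_rules "$IPTABLES_CONF"`; the checker alone can also be run from a shell before saving a new dump, e.g. `iptables-save | check_iptables_dump`, so a truncated or hand-edited file is caught on the admin's terminal rather than at the next reboot of a host several hundred kilometers away. Whether the fallback should keep SSH open or drop everything is a policy choice; the rule is there because the thread's own concern is being locked out of a remote box.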

