Thank you Jonathan for writing the nice blog article, and it works. But it
requires some customization in Debian Lenny.
For some reason, the script in /etc/network/if-pre-up.d/ doesn't load up by
default. You have to explicitly call it from /etc/network/interfaces like:
auto eth0
iface eth0 inet static
    address 192.168.107.8
    netmask 255.255.255.0
    network 192.168.107.0
    broadcast 192.168.107.255
    gateway 192.168.107.254
    pre-up /etc/network/if-pre-up.d/iptables
Also, it is very important to save the firewall rules *manually* every time the
rule set is edited, with iptables-save > /etc/iptables.conf
Hope this can help.
Kinglok, FONG.
On Tue, Aug 11, 2009 at 12:33 PM, Jonathan Yu <[email protected]> wrote:
> Hi:
>
> On Tue, Aug 11, 2009 at 12:21 AM, Ivan Shmakov<[email protected]> wrote:
> > FWIW, I've ended up using the init.d/ script below. The script
> > is expected to run prior to ifupdown, so assuming the symbolic
> > link to the latter is at /etc/rcS.d/S39ifupdown, this one needs
> > to be symlinked at, say, /etc/rcS.d/S38iptables-is.sh
>
> I apparently used /etc/network/if-pre-up.d (I can't remember the
> reasoning why, but I guess it's useful to make sure you load the rules
> prior to bringing the interfaces up, which means the rules will be
> there once network connectivity is brought up)
>
> A long time ago I wrote a blog article on the subject
>
>
> http://www.debian-administration.org/article/Restoring_iptables_Automatically_On_Boot
>
> Perhaps more interesting than that article is the discussion that
> happened in the comments.
>
> Hope this helps :-)
>
> >
> > The script is designed to be run from within the rcS.d sequence,
> > and before ifupdown, so that it won't be:
> >
> > * run after some (all) interfaces are already up and insecure --
> > the thing that happens if one sets the iptables up from within
> > the /etc/network/interfaces pre-up or post-up options;
> >
> > * run several times at some (possibly random; consider, e. g.,
> > hotplug devices) points of time, ruining the current firewall
> > state along the way -- as it happens when one puts the script
> > into /etc/network/if-up.d/ or /etc/network/if-pre-up.d/.
> >
> > The script does not try to save the firewall state at `stop' --
> > one surely wants /not/ for some accidental mistake made into the
> > current state of the remote (as in ``several hundred kilometers
> > away'') host firewall to persist across reboots.
> Agreed! That's the same approach I took with my blog article.
> >
> > To summarize: the script runs just once, loading the firewall
> > state before any of the interfaces are brought up. Since then,
> > it does nothing.
> >
> > The location of the configuration file could be set via the
> > default/ file (it's ok for it to be absent), like:
> >
> > $ cat /etc/default/iptables-is
> > IPTABLES_CONF=/etc/network/iptables-my.conf
> > $
> >
> > The configuration file is expected to be the output of
> > iptables-save(8). The current state could be saved like:
> >
> > # iptables-save > /etc/network/iptables.conf
> > #
> >
> > $ cat iptables-is.sh
> > #!/bin/sh
> > ### BEGIN INIT INFO
> > # Provides: iptables-is
> > # Required-Start: mountkernfs
> > # Required-Stop:
> > # Default-Start: S
> > # Default-Stop:
> > # Short-Description: Load the iptables configuration from the conf. file.
> > # X-Start-Before: ifupdown
> > ### END INIT INFO
> >
> > ## NB: This script should be `start'ed before `ifupdown'. It makes no
> > ## sense to stop it at any time.
> >
> > set -e
> >
> > IPTABLES_RESTORE=/sbin/iptables-restore
> > test -x "$IPTABLES_RESTORE" || exit 0
> >
> > . /lib/lsb/init-functions
> >
> > MYNAME="${0##*/}"
> > PATH=/sbin:/bin
> > test -r /etc/default/iptables-is && . /etc/default/iptables-is
> > : ${IPTABLES_CONF:=/etc/network/iptables.conf}
> >
> > ## NB: should probably support `status' as well.
> >
> > case "$1" in
> >     (start | restart | force-reload)
> >         exitcode=0
> >         log_begin_msg "Restoring IP tables..."
> >         if ! "$IPTABLES_RESTORE" < "$IPTABLES_CONF" ; then
> >             log_action_cont_msg "(failed)"
> >             exitcode=2
> >         fi
> >         log_end_msg "$exitcode"
> >         exit "$exitcode"
> >         ;;
> >
> >     (stop)
> >         ## Nothing to undo: the live state is deliberately not saved.
> >         exit 0
> >         ;;
> >
> >     (*)
> >         echo "Usage: $0 {start|stop|restart|force-reload}" >&2
> >         exit 3
> >         ;;
> > esac
> >
> > ### iptables-is.sh ends here
> > $
> >
> > --
> > FSF associate member #7257
> >
> >
> > --
> > To UNSUBSCRIBE, email to [email protected]
> > with a subject of "unsubscribe". Trouble? Contact [email protected]
> >
> >
>
--
Personal Webpage: http://kinglok.org
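An added example that is not code from the thread: a pre-up hook that joins the two approaches discussed above, refusing to feed a malformed dump to iptables-restore and using a stamp file on volatile storage so that repeated pre-up invocations (the "run several times" problem with hotplug devices) do not reset the live rule set. IPTABLES_RESTORE, IPTABLES_CONF, STAMP and the function names are assumptions, not paths from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Placeholders (assumptions):
# IPTABLES_RESTORE, IPTABLES_CONF and STAMP may be overridden by the environment.
IPTABLES_RESTORE=${IPTABLES_RESTORE:-/sbin/iptables-restore}
IPTABLES_CONF=${IPTABLES_CONF:-/etc/iptables.conf}
# The stamp lives on volatile storage so it disappears at reboot.
STAMP=${STAMP:-/var/run/iptables-restored}

# check_dump FILE: succeed only if FILE has the shape of iptables-save(8)
# output: each '*table' block holds only ':' policy and '-A' rule lines and
# is closed by COMMIT; comments and blank lines are ignored.
check_dump() {
    awk '
        /^#/ || /^[ \t]*$/ { next }                         # header comments, blanks
        /^\*[a-z]+$/ { if (open) bad = 1; open = 1; next }   # table start
        /^COMMIT$/ { if (!open) bad = 1; open = 0; tables++; next }
        /^:/ || /^-A / { if (!open) bad = 1; next }          # policy / rule inside a table
        { bad = 1 }                                          # anything else is not a dump
        END { if (bad || open || !tables) exit 1 }
    ' "$1"
}

# restore_once: apply the dump at most once per boot. A second pre-up call
# (another interface, a hotplug event) finds the stamp and leaves the live
# rules alone instead of resetting them.
restore_once() {
    if [ -e "$STAMP" ]; then
        return 0
    fi
    if ! check_dump "$IPTABLES_CONF"; then
        echo "$IPTABLES_CONF: not iptables-save output, refusing to load" >&2
        return 2
    fi
    "$IPTABLES_RESTORE" < "$IPTABLES_CONF" || return 2
    : > "$STAMP"
}

# ifupdown exports IFACE to pre-up hooks; when sourced by hand nothing runs.
if [ -n "${IFACE:-}" ]; then
    restore_once
fi
```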