This one time, at band camp, Mary Gardiner wrote:
>Is there a canonical way of writing interface specific iptables scripts?
>
>At the moment, I'm trying to write a couple of scripts with this
>behaviour to put in /etc/network/if[action].d/:
> - when lo comes up, add an iptables rule
> - when lo comes down, delete that same iptables rule
>
>Other rules, ideally, would not be touched by that.
>
>The trouble is that iptables doesn't seem to have great support for this
>automated rule-specific kind of operation. Individual rules can be
>deleted with -D, but only if you know the rule number which, as far as I
>can tell, you work out by running 'iptables -L' and counting the rules
>from the top of the chain.
>
>So are people doing this kind of interface specific iptables rules, and
>if so, how are you doing it? Is there a blessed way, or just a bunch of
>ways?
I took over maintainership of a tool called filtergen some years back, which
we use at Anchor for all firewall maintenance, and I can see a way to use it
to do what you want.
I'd have the up script copy the filter fragment into an include directory,
then regenerate the filter, and in the down script delete the fragment and
regenerate, i.e.:
/etc/filtergen/rules.filter:
    input eth0 {
        include /etc/filtergen/input.d/
    };

/etc/filtergen/input.d/:
    some_fragment (symlink to ../fragment.d/some_fragment)

/etc/filtergen/fragment.d/:
    some_fragment:
        port 22 accept;
Does that make sense? :)
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
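As an added example (not part of the original post and not filtergen's own code), here is one way to write the if-up.d/if-down.d hook described in the reply: the "up" path symlinks the interface's fragment into the include directory and regenerates the filter, the "down" path removes the symlink and regenerates, and no individual iptables rule is ever deleted by number. It assumes the IFACE and MODE variables that ifupdown exports to its hook scripts, and it uses a placeholder REGEN_CMD for whatever regenerates and loads the filter on your host, because the page does not say how that step is run; the fragment file names (IFACE.frag) are also an assumption.

```sh
#!/bin/sh
# Added example, not from the original post or the filtergen project:
# an ifupdown hook that enables a per-interface filtergen fragment on
# "up" and disables it on "down", regenerating the whole filter each time.
#
# Assumptions not stated on the page:
#  - ifupdown exports IFACE (interface name) and MODE ("start" or "stop")
#    to scripts in /etc/network/if-up.d and /etc/network/if-down.d;
#  - REGEN_CMD is the command that regenerates and loads the filter. It
#    defaults to "true" (a no-op) so the script runs anywhere; on a real
#    host set it to whatever regenerates the filtergen output.
#  - fragments are named <IFACE>.frag in FRAGMENT_DIR.

FRAGMENT_DIR="${FRAGMENT_DIR:-/etc/filtergen/fragment.d}"
INCLUDE_DIR="${INCLUDE_DIR:-/etc/filtergen/input.d}"
REGEN_CMD="${REGEN_CMD:-true}"   # expanded unquoted on purpose: "cmd args"

# fragment_name IFACE: print the fragment file name for that interface.
# Only [A-Za-z0-9_.-] are accepted and a leading dot is refused, so an
# odd IFACE value can never name a path outside FRAGMENT_DIR.
fragment_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*|.*) return 1 ;;
    esac
    printf '%s.frag\n' "$1"
}

# enable_fragment IFACE: symlink the fragment into the include dir and
# regenerate. Fails, without touching the filter, if there is no fragment.
enable_fragment() {
    name=$(fragment_name "$1") || return 1
    [ -f "$FRAGMENT_DIR/$name" ] || return 1
    ln -sfn "$FRAGMENT_DIR/$name" "$INCLUDE_DIR/$name" || return 1
    $REGEN_CMD
}

# disable_fragment IFACE: remove the symlink (if any) and regenerate.
disable_fragment() {
    name=$(fragment_name "$1") || return 1
    rm -f "$INCLUDE_DIR/$name"
    $REGEN_CMD
}

# fragment_enabled IFACE: succeeds if the fragment is currently included.
fragment_enabled() {
    name=$(fragment_name "$1") || return 1
    [ -L "$INCLUDE_DIR/$name" ]
}

# Entry point when run by ifupdown. The same file can be installed in both
# if-up.d and if-down.d because MODE says which direction we are going.
if [ -n "${IFACE:-}" ]; then
    case "${MODE:-}" in
        start) enable_fragment "$IFACE" ;;
        stop)  disable_fragment "$IFACE" ;;
    esac
fi
```

Two things worth checking on a real host: the regenerated filter still has to contain every rule that is not interface specific, which is why the fragment is included from the main rules file rather than loaded on its own; and if REGEN_CMD fails after the symlink has been made, the next regeneration (for any interface) will pick the fragment up, so the hook should log that failure rather than silently ignore it.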