Firewall bootscript

dj dj at
Mon Mar 22 20:30:33 PST 2004

Moved to blfs-dev for further discussion...

Kevin P. Fleming wrote:
> jeremy at wrote:
>> for start:
>>    iptables-restore < /etc/firewall.conf
>>    echo "1" > /proc/sys/net/ipv4/ip_forward # Turns on forwarding/masq'ing
>> for stop:
>>    cp -f /etc/firewall.conf /etc/firewall.conf.bak # Makes a backup
>>    iptables-save > /etc/firewall.conf

> This is what RedHat and RH-based distros do as well (at least in 
> versions prior to 9.0/FC1, I haven't looked at one of those), their 
> /etc/init.d/iptables script just saves/reloads 
> /etc/sysconfig/iptables. It works well, is easy to update and reload 
> on the fly if needed. In addition to the normal start/stop/restart 
> verbs, /etc/init.d/iptables also supports "save". This is somewhat 
> better than stop always doing a save, in case admin has made some 
> temporary changes and intentionally _not_ saved them. 

And later, Ian Molton wrote:

> Ugh, no thanks.
> If I run ifconfig the new interface isn't remembered unless I write an
> appropriate script. iptables should be no different.
> -1 from me.

I like Jeremy's better than the kludge I threw together Saturday.  I
have to agree with Ian and Kevin though on the stop.  Definitely do not
save the current setup on stop.  This is just bad ju-ju waiting.  Even
with a backup, the backup only lasts until the next reboot, or restart.
Just bring down the rules and stop forwarding if necessary to bring the
system back to the state it was in before the firewall script was run.
Unfortunately there is no iptables-stop short of the previous
script...but that's better than a save (unless of course you want to use
iptables-save -c, which saves the counts).  I personally would want to
clear the counts in most cases when I bring it down, and if not I would
do a save manually.  'Course I don't use iptables myself, so maybe I'm
going about it the wrong way.

A suggestion, make start exactly as suggested tonight by Jeremy Uteley,
stop as previous rules, restart uses stop but with '-c -n' on start (if
possible), and add the save parameter to save...that's almost to the tee
what Kevin explained earlier ain't it?  Oh points for
originality. :-)  

-- DJ Lucas
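The start/stop/restart/save layout the thread converges on, written out as one complete bootscript. This is an added example, not a script from the thread or from BLFS: the config path /etc/firewall.conf, the ip_forward sysctl path and the command names are assumptions, each overridable through the environment so the functions can be exercised without root. Stop flushes the rules, zeroes the counters and disables forwarding without ever writing the config; only the explicit save verb does that.

```shell
#!/bin/sh
# Firewall bootscript: start / stop / restart / save.
# Added example, not from the thread or from BLFS. The config path, the
# ip_forward sysctl path and the command names are assumptions; each can be
# overridden through the environment (useful for testing without root).

FW_CONF="${FW_CONF:-/etc/firewall.conf}"
IP_FORWARD="${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"
IPTABLES="${IPTABLES:-iptables}"
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"
FW_TABLES="filter nat mangle"   # tables emptied on stop

fw_usage() {
    echo "Usage: $0 {start|stop|restart|save}" >&2
}

# start: load the saved ruleset, then enable forwarding (Jeremy's start).
# $1 holds optional iptables-restore flags, e.g. "-c" on restart.
fw_start() {
    if [ ! -r "$FW_CONF" ]; then
        echo "fw: cannot read $FW_CONF" >&2
        return 1
    fi
    # $1 is intentionally unquoted so a value like "-c -n" splits into flags.
    "$IPTABLES_RESTORE" $1 < "$FW_CONF" || return 1
    echo 1 > "$IP_FORWARD"
}

# stop: return to the pre-firewall state. Flush every table, delete user
# chains, zero the counters, open the default policies and disable
# forwarding. Nothing is written to FW_CONF; that is what "save" is for.
fw_stop() {
    for t in $FW_TABLES; do
        "$IPTABLES" -t "$t" -F
        "$IPTABLES" -t "$t" -X
        "$IPTABLES" -t "$t" -Z
    done
    for chain in INPUT OUTPUT FORWARD; do
        "$IPTABLES" -P "$chain" ACCEPT
    done
    echo 0 > "$IP_FORWARD"
}

# save: the explicit verb Kevin described. Keeps one backup of the old file
# and writes through a temp file so a failed dump cannot truncate the config.
# -c stores packet/byte counters so a later "restore -c" can reload them.
fw_save() {
    if [ -f "$FW_CONF" ]; then
        cp -f "$FW_CONF" "$FW_CONF.bak"
    fi
    "$IPTABLES_SAVE" -c > "$FW_CONF.tmp" && mv -f "$FW_CONF.tmp" "$FW_CONF"
}

# restart: stop, then start with -c so counters stored by "save" come back.
fw_restart() {
    fw_stop
    fw_start "-c"
}

fw_main() {
    case "$1" in
        start)   fw_start ;;
        stop)    fw_stop ;;
        restart) fw_restart ;;
        save)    fw_save ;;
        *)       fw_usage; return 1 ;;
    esac
}

# With no verb only the usage text is printed, so the file can also be
# sourced to call the fw_* functions directly.
if [ $# -gt 0 ]; then
    fw_main "$@" || exit 1
else
    fw_usage
fi
```

The thread's '-c -n' for restart is reduced to '-c' here: -n (noflush) only matters when the tables still hold rules, and stop has already emptied them before start runs.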
