Firewall bootscript

jeremy at jeremy at
Mon Mar 22 21:41:40 PST 2004

> Moved to blfs-dev for furthur discussion...
> Kevin P. Fleming wrote:
>> jeremy at wrote:
>>> for start:
>>>    iptables-restore < /etc/firewall.conf
>>>    echo "1" /proc/sys/net/ipv4/ip_forward # Turns on
>>> forwarding/masq'ing
>>> for stop:
>>>    cp -f /etc/firewall.conf /etc/firewall.conf.bak # Makes a backup
>>>    iptables-save > /etc/firewall.conf
>> This is what RedHat and RH-based distros do as well (at least in
>> versions prior to 9.0/FC1, I haven't looked at one of those), their
>> /etc/init.d/iptables script just saves/reloads
>> /etc/sysconfig/iptables. It works well, is easy to update and reload
>> on the fly if needed. In addition to the normal start/stop/restart
>> verbs, /etc/init.d/iptables also supports "save". This is somewhat
>> better than stop always doing a save, in case admin has made some
>> temporary changes and intentionally _not_ saved them.
> And later, Ian Molton wrote:
>> Ugh, no thanks.
>> If I run ifconfig the new interface isnt rwemembered unless I write an
>> appropriate script. iptables should be no different.
>> -1 from me.
> I like Jeremy's better than the kludge I threw togheter Satruday.  I
> have to agree with Ian and Kevin though on the stop.  Definately do not
> save the current setup on stop.  This is jsut bad ju-ju waiting.  Even
> with a backup, the backup only lasts until the next reboot, or restart.
>  Just bring down the rules and stop forwarding if necessary to bring the
> system back to the state it was in before the firewall script was run.
> Uunfortunately there is no iptables-stop short of the previous
> script...but that's better than a save (unless of course you want to use
> iptable-save -c, which saves the counts).  I personally would want to
> clear the counts in most cases when I bring it down, and if not I would
> do a save manually.  Course I don't use iptables myself, so maybe I'm
> going about it the wrong way.

There's a reason I do a save as I do - makes it a lot easier to add
firewall rules on the fly - instead of having to add the rule, make sure
it works, then add the command into your firewall shell script, it simply
saves the current state of the firewall to load up at next reboot. 
Personally, I can think of very few times when this would *NOT* be the
desired way of operation - you usually want your firewall in the exact
same state after reboot as it was before reboot.

Also remember that the format that iptables-restore uses would not exactly
be the easiest to edit by hand, so use of my script would require manually
running iptables-save > /etc/firewall.conf.


> A suggestion, make start exactly as suggested tonight by Jeremy Uteley,
> stop as previous rules, restart uses stop but with '-c -n' on start (if
> possible), and add the save parameter to save...that's almost to the tee
> what Kevin explained earlier ain't it?  Oh points for
> originality. :-)
> -- DJ Lucas
> --
> FAQ:
> Unsubscribe: See the above information page

More information about the blfs-dev mailing list