2
I'd like to know the safest way to load iptables using Debian. Of course, I can use a script that uses iptables-restore :
#!/bin/sh
iptables-restore < /etc/firewall.conf
but : 1) where is the safest place to have it loaded ? /etc/network/if-up.d ? I'm concerned about the script being loaded early enough at boot time, and reliably enough when plugging/unplugging interfaces ...
2) is this script method using iptables-restore the most secure way ?
3) additionnally, how much does the answer validity stretch to other Linux distros ( Ubuntu, Fedora, CentOS ) ?
Thanks ^^
networkIT
Posted 2014-08-24T09:04:19.070
Reputation: 21
Write your rules in
/etc/network/if-up.d/rules.shby doingsudo iptables-save > /etc/network/if-up.d/rules.shand then add/etc/network/if-up.d/rules.shto/etc/rc.localbefore the lineexit 0– Nehal J Wani – 2014-08-24T09:22:17.093Did you already look at this resource: http://www.debian-administration.org/article/615/Restoring_iptables_Automatically_On_Boot ? Using if-pre-up.d seems to address your concern that iptables is loaded before the interface is up.
– agtoever – 2014-08-24T09:25:25.390OK, so /etc/network/if-pre-up.d/ seems like a good place to locate the script. But is it really 'packet-proof' ( I mean, no small time-lapse while a packet might sneak in while iptables is resetting ? ( I try to make it packet-proof ) ? – networkIT – 2014-08-24T14:31:59.607
also, using if-pre-up.d/ would have the script flush the iptables each time a network-interfaces is down-ed or up-ed. This is inconvenient for fail2ban as an example. Wouldn't a strategically placed init.d script with custom update-rc.d settings be a more definitive solution ? But how to know when to have it started exactly ? ( ie what update-rc.d runlevel values and priorities use ), and have dependencies checked ? – networkIT – 2014-08-24T14:37:56.897
Nehal J. Wani : why do you add /etc/network/if-up.d/rules.sh to /etc/rc.local ? so to make sure it's executed anyway ? – networkIT – 2014-08-24T14:39:17.510