iptables on warty

Christoph Georgi christoph.georgi at web.de
Wed Mar 2 00:01:35 UTC 2005


Another drawback of the iptables-save/-restore system is that you have 
to write a second script to save the iptables settings prior to a system 
halt/reboot in addition to a restore script for startup.

However, if you want to implement accounting, you should rather use the 
save/restore system as the counters are reset any time you reboot (or 
flush the chains in case you change some firewall settings). But as Jim 
pointed out, that is rather useful in a stable environment where changes 
to the iptables are very rare.

.christoph


Jim Cheetham wrote:
> On Tue, 2005-03-01 at 09:57 +0300, wild madagascar wrote:
> 
>>On Tue, 2005-03-01 at 12:10 +1300, Jim Cheetham wrote:
>>
>>>A common place is /var/lib/iptables/active, so you should run
>>>$ sudo iptables-save > /var/lib/iptables/active
> 
> 
>>If I save it the way you suggest, do I still need to write the script as
>>kirtis and Christoph suggested?
> 
> 
> Yes - just saving the current iptables config does not get it
> automatically applied.
> 
> You have a choice in approach - you would write a script that sets up
> the rules one by one (this is a good and flexible approach) or one that
> just restores the previous saved state (this is useful in a 'stable'
> environment).
> 
> In either case, you'll need a script that is run when the machine starts
> up - and despite comments to others about using cron's @reboot facility,
> firewalling is important enough to be done "properly", and therefore
> Kirtis' suggestion is the right one. Christoph's is functionally
> identical, too - although I would prefer to see the original script
> in /etc/init.d rather than elsewhere.
> 
> I suggest that you don't bother with iptables-save and iptables-restore,
> and just concentrate on automating your "iptables -A INPUT ..." script.
> 
> -jim
> 
> 
> 
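To make the two-script arrangement from the thread concrete, here is an added example (my own, not posted by anyone in the thread) of one SysV-style init script that covers both halves: `stop`/`save` writes the live ruleset with its packet and byte counters before a halt, and `start` restores it at boot, as Jim's /etc/init.d preference and Christoph's accounting point both call for. It assumes the /var/lib/iptables/active path from Jim's message; the STATE_FILE, IPTABLES_SAVE and IPTABLES_RESTORE variables are hypothetical override hooks of mine, not iptables options.

```shell
#!/bin/sh
# /etc/init.d/iptables-state (added example, not from the thread)
# start:     restore the saved ruleset, counters included, at boot
# stop/save: save the live ruleset, counters included, before halt/reboot
STATE_FILE="${STATE_FILE:-/var/lib/iptables/active}"
# Hypothetical override hooks so the commands can be substituted.
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"

# Minimal sanity check before trusting a state file: it must contain at
# least one table header (*filter, *nat, ...) and a COMMIT line.
state_file_ok() {
    [ -s "$1" ] || return 1
    grep -q '^\*[a-z]*$' "$1" || return 1
    grep -q '^COMMIT$' "$1"
}

do_save() {
    dir=$(dirname "$STATE_FILE")
    [ -d "$dir" ] || mkdir -p "$dir"
    # -c keeps the packet/byte counters, which is the point for accounting.
    # Write to a temp file first so a failed save cannot clobber the last
    # good state; the file describes the firewall, so keep it root-only.
    tmp="$STATE_FILE.tmp.$$"
    if "$IPTABLES_SAVE" -c > "$tmp" && state_file_ok "$tmp"; then
        chmod 600 "$tmp"
        mv "$tmp" "$STATE_FILE"
    else
        rm -f "$tmp"
        echo "iptables-save failed; keeping previous $STATE_FILE" >&2
        return 1
    fi
}

do_start() {
    if ! state_file_ok "$STATE_FILE"; then
        echo "no usable ruleset at $STATE_FILE; not restoring" >&2
        return 1
    fi
    # -c loads the saved counters along with the rules.
    "$IPTABLES_RESTORE" -c < "$STATE_FILE"
}

case "${1:-}" in
    start) do_start ;;
    stop|save) do_save ;;
    "") : ;;   # no action given (e.g. sourced): only define the functions
    *) echo "Usage: $0 {start|stop|save}" >&2; exit 1 ;;
esac
```

Hook it in with the distribution's usual rc-link tooling so `stop` runs at halt and `start` at boot; a manual `save` after changing rules keeps the snapshot current.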