iptables on warty

Christoph Georgi christoph.georgi at web.de
Wed Mar 2 00:01:35 UTC 2005

Another drawback of the iptables-save/-restore system is that you have 
to write a second script to save the iptables settings prior to a system 
halt/reboot in addition to a restore script for startup.

However, if you want to implement accounting, you should rather use the 
save/restore system as the counters are resetted anytime you reboot (or 
flush the chains in case you change some firewall settings). But as Jim 
pointed out, that is rather useful in a stable environment where changes 
to the iptables are very rare.


Jim Cheetham wrote:
> On Tue, 2005-03-01 at 09:57 +0300, wild madagascar wrote:
>>On Tue, 2005-03-01 at 12:10 +1300, Jim Cheetham wrote:
>>>A common place is /var/lib/iptables/active, so you should run
>>>$ sudo iptables-save > /var/lib/iptables/active
>>If I save it the way you suggest, do I still need to write the script as
>>kirtis and Christoph suggested?
> Yes - just saving the current iptables config does not get it
> automatically applied.
> You have a choice in approach - you would write a script that sets up
> the rules one by one (this is a good and flexible approach) or one that
> just restores the previous saved state (this is useful in a 'stable'
> environment).
> In either case, you'll need a script that is run when the machine starts
> up - and despite comments to others about using cron's @reboot facility,
> firewalling is important enough to be done "properly", and therefore
> Kirtis suggestion is the right one. Christoph's is functionally
> identical, too - although I would prefer to see the original script
> in /etc/init.d rather than elsewhere.
> I suggest that you don't bother with iptables-save and iptables-restore,
> and just concentrate on automating your "iptables -A INPUT ..." script.
> -jim

More information about the ubuntu-users mailing list