Debian: This forum is for the discussion of Debian Linux.
I output the iptables rules I make manually to /etc/iptables.conf with iptables-save. How can I load those automatically at each boot? Debian didn't seem to come with any startup scripts, so I had to modify one from a generic script I found on the net, which doesn't have any pointers in it to other files. Thanks.
[...], save it under whatever name you want (let's say iptables_loader.sh), copy it to /etc/init.d, then su and run
update-rc.d iptables_loader.sh defaults
to generate the symlinks in rc*.d.
Then reboot and check if it works. Note that the script should contain the full path to the saved firewall rules file. Once you get the idea you may expand the script with functions for (re)starting/stopping the firewall (you even have a skeleton in /etc/init.d).
It's not working. I just noticed there's a lot of non-executable stuff in the file iptables-save writes. So I removed all that and just put plain iptables rules in there, which didn't work, either. There must be some other more standard way of doing it, right?
P.S. By skeleton you mean a stripped-down generic file? No, I didn't have anything like that in init.d, unless it's called something totally unrelated to iptables. Maybe someone could post one? tx.
Last edited by synaptical; 07-15-2005 at 10:30 AM.
You should not edit the file output by iptables-save. iptables-restore will parse the file automatically. At most, if you wish to zero those numbers at the beginning of the file, call 'iptables -F' before iptables-save.
If you want to use the rules directly, you must write a script which calls iptables for each rule (so something like 'iptables -A INPUT -p tcp --dport XX -j LOG' will represent a line in your script). See a tutorial (one of many) at http://iptables-tutorial.frozentux.n...-tutorial.html
Also, don't forget to enable execution rights (chmod +x) for the script once you have copied it into /etc/init.d.
Regarding that skeleton file, I don't have the Linux box near me right now, but see 'man update-rc.d', I think it's written there.
Glad to hear it worked. If you want to make sure the rules are loaded, run an 'iptables -L' in a shell and it should output the ruleset. Funny though, mine works with a '<'. Actually, this is how it looks:
/sbin/iptables-restore < /home/harken/iptables1
However, the idea of the symlinks is that they each correspond to a certain runlevel. So, when the kernel switches the current runlevel (like 3 for multi-user console mode, 1 for single user, 5 for multi-user/graphical, 6 for shutdown/reboot, etc.), it will execute only the scripts found in that rcX.d directory, so things don't get messed up. And that's why I told you in my first reply that you can expand your script with some functions so that when the computer changes runlevel you can start/stop your firewall (if needed). For this, once you complete the script, you run update-rc.d with some extra parameters like
update-rc.d [-n] name start|stop NN runlevel runlevel ... start|stop NN runlevel runlevel
Up until a few months ago there was an init script distributed with the Debian-packaged iptables. Then they got rid of that script because the consensus was that iptables is more appropriately started when the network interfaces are brought up (I agree). The main arguments against having an init script for iptables are that you will have a problem when starting iptables before networking (for example when you use FQDNs in your rules) and, much worse, when you start iptables after the network interfaces are up there will be a short time when you're running without a firewall.
So now the Debian way is to call the iptables script from /etc/network/interfaces using the pre-up, post-up, pre-down and post-down options to the interface.
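The approach in the last reply, written out as an added example (this is not code from the thread, from the original poster, or from Debian's iptables package): a small hook script that checks a file written by iptables-save for the structure iptables-restore expects, then restores it using the full path to the binary, as harken advised, and the /etc/network/interfaces stanza that runs the hook with pre-up so the rules are in place before the interface is configured. It also addresses the "non-executable stuff" from the second post: the saved file is a description for iptables-restore, not a list of shell commands, and iptables-restore zeroes the [packets:bytes] counters itself unless it is called with -c, so nothing in the file needs hand-editing. Assumptions: the saved file is /etc/iptables.conf (the path from the original post), the hook lives at a hypothetical /etc/firewall/load-rules.sh, the interface is eth0 on DHCP, and the sample ruleset is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread or from Debian's iptables package.
# Loads a ruleset written by iptables-save from an ifupdown pre-up hook rather
# than from an init script.  Assumed paths: /etc/iptables.conf (the original
# poster's file) and a hypothetical hook location /etc/firewall/load-rules.sh.

RULES_FILE="${RULES_FILE:-/etc/iptables.conf}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-/sbin/iptables-restore}"   # full path, no PATH lookup

# Check that a file has the structure iptables-save produces before handing it
# to iptables-restore.  The file is not a shell script: '*table' opens a table,
# ':CHAIN POLICY [pkts:bytes]' declares a chain (built-in policy, or '-' for a
# user-defined chain), '-A ...' lines are rules, 'COMMIT' closes the table.
# Prints a summary; returns 0 only if every table is closed and no stray lines exist.
check_rules_file() {
    awk '
        /^#/ || /^[[:space:]]*$/                      { next }
        /^\*[a-z]+$/                                  { if (open) bad++; open = 1; tables++; next }
        /^:[^ ]+ (ACCEPT|DROP|-) \[[0-9]+:[0-9]+\]$/  { if (!open) bad++; next }
        /^-A /                                        { if (!open) bad++; rules++; next }
        /^COMMIT$/                                    { if (!open) bad++; open = 0; next }
                                                      { bad++ }
        END {
            if (open) bad++
            printf "tables=%d rules=%d bad=%d\n", tables, rules, bad
            if (bad > 0 || tables == 0) exit 1
            exit 0
        }' "$1"
}

# Validate, then restore.  iptables-restore resets the [pkts:bytes] counters
# itself unless called with -c, so the numbers in the saved file stay as they
# are.  DRY_RUN=1 stops before touching the kernel (used by the demo below).
load_rules() {
    file="${1:-$RULES_FILE}"
    if ! check_rules_file "$file"; then
        echo "load_rules: $file is not a valid iptables-save dump, refusing to load" >&2
        return 1
    fi
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    "$IPTABLES_RESTORE" < "$file"
}

# Constructed sample of an iptables-save dump (not captured from a real host).
sample_ruleset() {
    cat <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Stanza for /etc/network/interfaces (eth0 and dhcp are assumptions).  ifupdown
# runs pre-up before the interface is configured, so there is no window without
# a firewall; the optional post-down line saves the live ruleset again when the
# interface goes down.  Commands are run through sh -c, so redirection works.
#
#   auto eth0
#   iface eth0 inet dhcp
#       pre-up    /etc/firewall/load-rules.sh load
#       post-down /sbin/iptables-save > /etc/iptables.conf

case "${1:-}" in
    load)
        load_rules ;;
    demo)
        # Stand-alone run: validate the constructed sample without loading it.
        tmp=$(mktemp)
        sample_ruleset > "$tmp"
        DRY_RUN=1 load_rules "$tmp" && echo "sample ruleset is well-formed"
        rm -f "$tmp" ;;
    *)
        echo "usage: $0 load|demo" >&2 ;;
esac
```

Running the script with "demo" prints "tables=1 rules=3 bad=0" for the sample and "sample ruleset is well-formed"; a file of plain "iptables -A ..." commands, like the one the second post describes, is rejected before iptables-restore ever sees it. Any executable dropped into /etc/network/if-pre-up.d/ is run by ifupdown for every interface, which is an alternative to naming the hook in the stanza.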