I'm basically trying to get iptables/firewalling set up in debian. I've verified that the iptables module is loaded, and I've put my firewall script in /etc/network/if-up.d but it doesn't seem to be getting executed (it does have its execute bits set by the way). I know the script isn't getting run, because it's supposed to echo "firewall started", but grepping output from dmesg returns nothing.

Is /etc/network/if-up.d the place to put scripts that you'd like started when the network is brought up?

Or do I need to follow a different approach?

If it's in if-up.d, then it should run for every interface that comes up. Rather than grep through dmesg, what happens if you just do:
ifdown eth0; ifup eth0
?

If you are connecting via SSH, try bouncing lo instead of eth0 for testing.

To make the script work on one specific interface, add "up /path/to/script" to the /etc/network/interfaces file instead.

As I recall, dmesg only prints kernel boot messages. Bringing interfaces up is, as I recall, handled by init (or a service called by init, I forget which). init is the first program loaded after the kernel has finished booting, thus you will not find any interface loading information in dmesg, regardless of weather it's working or not.

perhaps you would be better off putting something like :
echo "Firewall brought up successfully at $(date)" > /root/firewalllog

into your firewall script... thus you will be able to tell if it loaded successfully or not.

You need to configure it to initiate during boot sequence. Lets call the script firewall.
Put the sciript in /etc/init.d then do the following;
ln -s /etc/init.d/firewall /rc2.d/S89firewall then
ln -s /etc/init.d/firewall /rc3.d/S89firewall then
ln -s /etc/init.d/firewall /rc4.d/S89firewall then
ln -s /etc/init.d/firewall /rc5.d/S89firewall

to get it running do /etc/init.d/firewall start
When you boot the system the script will be run and if you have ouput it will notify you of the fact.

All replies are very helpful. Thank you.

I ran 'ifdown eth0; ifup eth0' and apparently my script wasn't being started, so I tried your approach (added 'up ...' to /etc/network/interfaces), CroMagnon, and it worked great:
I also have a script for flushing all the tables and deleting the user created ones after the interface is brought down, as you can see above. Is that script necessary?

urzumph <- Thanks for the clarification about dmesg. I didn't know it's only for kernel messages, of which bringing interfaces up isn't a part of.

TigerOC, which approach do you think is better? The one you suggested, which involves creating sym links for all the run-levels in which you anticipate the firewall to be useful, or using CroMagnon's solution, which, I hope, ensures that the firewall is started everytime the eth0 interface is brought up? (I'm sort of biased towards the latter, but it's just my intuition, because I'm a fairly new Linux user.)
Also, you said . In what file in Debian would I place that line?

I'm ultra cautious because I run an "always on ADSL" connection so I want the firewall active when the networking starts. The /etc/init.d/firewall start is a cli command. This means start it without reboot /etc/init.d/firewall stop will bring it down and /etc/init.d/firewall restart will obviously restart if you tweaked the parameters and wanted to start it again.

If you want to make sure the firewall script is run before the interface starts, change the "up (script)" line to "pre-up (script)" instead The four commands possible are up, pre-up, down, and post-down.