Paul Cartwright wrote:
> Bob Proulx wrote:
> > I think you did put that in there.  It has that look.  As to whether
> > it /should/ be there... well *I* wouldn't put it there.  :-)  I think
> > that type of reloading belongs elsewhere such as in an if-up.d/*
> > script.  But I don't know about your firewall setup.  I could guess
> > something like this in /etc/network/if-up.d/local-firewall using your
> > current config as a template.
>
> I just googled it and found this:
> http://www.linuxquestions.org/questions/ubuntu-63/where-is-iptables-config-file-584024/
>
> There's no default. You can set your iptables config anywhere you want.
> Add a "pre-up" line to your /etc/network/interfaces file, calling
> the iptables-restore command. Say you choose /etc/example.txt - in
> your /etc/network/interfaces file you'd have a line like:
> Code:
>
>     pre-up iptables-restore < /etc/example.txt
> This loads the iptables config before the network interfaces are put
> online. BTW, make sure you never edit your config file manually.
> Populate it with an iptables-save command, like:
> Code:
>
>     iptables-save > /etc/example.txt

But in that case I think the intention would be to associate it with
the eth* device and not the lo device.  To be clear you had:

  auto lo
  iface lo inet loopback
  pre-up iptables-restore < /etc/firewall-rules

I was going "ew..." about having it associated in time with the lo
device coming online.  If you move that down to the eth0 device then I
wouldn't have made that comment.  I mean something like this from your
example:

  auto eth0
  iface eth0 inet static
  address 192.168.10.2
  netmask 255.255.255.0
  dns-nameservers 4.2.2.3 208.67.222.222 208.67.220.220 4.2.2.2 192.168.10.1
  gateway 192.168.10.1
  pre-up iptables-restore < /etc/firewall-rules

Associated with the eth0 device that looks okay to me.  I would move
it from the lo device to the eth0 device.  The example you referenced
didn't say specifically which device to associate it with and so left
that part as an exercise to the reader.

Also it isn't required but I think it looks a lot easier to read if
the associated parts are indented.  This is also as shown in the
interfaces documentation.

  man interfaces

Indented more like this would be nice.

  auto eth0
  iface eth0 inet static
      address 192.168.10.2
      netmask 255.255.255.0
      dns-nameservers 4.2.2.3 208.67.222.222 208.67.220.220 4.2.2.2 192.168.10.1
      gateway 192.168.10.1
      pre-up iptables-restore < /etc/firewall-rules

The reason it is working for you associated with the lo device is that
both lo and eth0 are coming online at the same time because both are
configured for you as 'auto' devices.  Therefore they come online at
boot time with '/etc/init.d/networking start'.  So I assume that it is
working, I am not saying it is not.
But if you were to manipulate lo and eth0 individually for any reason
then the pre-up would be reloaded when you restarted lo but not for
eth0.  That is the part that seemed odd to me.  Because I would think
the firewall rules would be tied to eth0 and you would want to load
them when eth0 comes online.  Of course once in totality at system
boot time might be just fine for you too.  Or maybe you do only want
the firewall rules loaded when lo comes online.  But it seemed odd and
so I commented about it.  YMMV.

Bob
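The hook-script variant Bob mentions at the top of the quote, as an added example that is not from this thread or from either poster. It assumes a hypothetical script at /etc/network/if-pre-up.d/local-firewall (pre-up rather than if-up.d, so the rules are in place before eth0 is configured), the /etc/firewall-rules file from the thread, and the IFACE and MODE variables that ifupdown exports to its hook scripts, so the ruleset is loaded exactly when eth0 comes up, no matter which stanza or `ifup` invocation triggers it.

```shell
#!/bin/sh
# Hypothetical /etc/network/if-pre-up.d/local-firewall (added example, not the
# poster's file).  ifupdown runs every executable in this directory for every
# interface it brings up, exporting IFACE (interface name) and MODE (start|stop),
# so the script itself decides which interface the rules belong to.

RULES_FILE=/etc/firewall-rules   # produced with: iptables-save > /etc/firewall-rules
FIREWALL_IFACE=eth0              # only this interface's pre-up loads the rules
RESTORE_CMD="${RESTORE_CMD:-iptables-restore}"   # overridable for testing

# firewall_wanted IFACE MODE: succeed only for the firewall interface, on start.
# Bringing lo up on its own, or taking eth0 down, leaves the ruleset untouched.
firewall_wanted() {
    [ "$1" = "$FIREWALL_IFACE" ] && [ "$2" = "start" ]
}

# rules_file_ok FILE: the file must exist and must not be group/other writable,
# because whoever can edit the saved ruleset controls the firewall (GNU stat).
rules_file_ok() {
    [ -f "$1" ] || return 1
    case $(stat -c '%a' "$1") in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# load_firewall: the hook body.  Returns 0 when there is nothing to do, so
# ifup of an unrelated interface never fails because of this script.
load_firewall() {
    firewall_wanted "${IFACE:-}" "${MODE:-}" || return 0
    if ! rules_file_ok "$RULES_FILE"; then
        echo "local-firewall: refusing to load $RULES_FILE (missing or too permissive)" >&2
        return 1
    fi
    # pre-up phase: the rules are active before IFACE gets its address.
    "$RESTORE_CMD" < "$RULES_FILE"
}

# ifupdown always sets IFACE; when run by hand without it, do nothing.
if [ -n "${IFACE:-}" ]; then
    load_firewall
fi
```

Install it executable and without a dot in the name (run-parts skips other files); a `pre-up` line in the eth0 stanza and this script do the same job, so keep only one of them.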