On Thu, 26 Apr 2012 14:13:28 +0500 Muhammad Yousuf Khan <sir...@gmail.com> wrote:
> I run this command
>
> iptables -t nat -A POSTROUTING -o eth1 -d 8.8.4.4 -j MASQUERADE
>
> My client computers are able to ping 8.8.4.4,
>
> but when I "iptables --flush -t nat" it clears the table but my
> clients can still ping the destination.
> I checked "iptables-save"; it shows that the tables are empty.
> I thought that there could be some kind of service related to iptables
> in the /etc/init.d folder so that I could restart that, but there is none.
> And I noticed after 5 minutes or so my client computers were not able
> to ping, which means my commands take effect after 5 minutes.
>
> But I want a prompt effect from every iptables command. Is there anything
> that can be done in this regard? Please help.
>
> One more thing: what could be done to retain all the iptables statements
> even after reboot? I think writing all the iptables commands in
> rc.local
> is not a good idea; it is a workaround.
>
> Can anyone please help in this regard also.
>

Iptables commands do work instantly, but state table entries may not disappear until after their timeout. It has already been pointed out that the MASQUERADE target is not appropriate for access control, so you should not be too concerned if it does not work as you expect. If you were to delete a real iptables access rule, there would be no delay.

I use iptables and its logging fairly regularly for troubleshooting, which involves altering and repositioning rules to see what's going on, and I know there is no delay after reloading the rules tables. If you type an extra rule at a command prompt, it will work the instant you hit return, assuming you have it right and it doesn't conflict with what is already there. It's easier to add it to the script in the right place, and reload the rules tables.

The usual way to organise iptables rules is to have a script that runs as part of the boot sequence, usually also checking for the correct modules, starting IP forwarding, etc.

It isn't a workaround to run it from an rc; how else do you think things are started on boot? If you want something that looks like a daemon, it's not too hard to make a start-stop script that will load and flush the iptables rules, check which ruleset if any is currently running and generally work as a pseudo-service. It's not something that Debian supplies, as a lot of people prefer to use firewall applications rather than deal with raw iptables rules.

-- 
Joe

Archive: http://lists.debian.org/20120426223825.498d0...@jretrading.com
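A start-stop script of the kind Joe describes, added here as an example that is not from the thread or from Debian: it loads a ruleset saved with iptables-save, flushes it, and reports whether one is running. The rules path and the fw_* function names are assumptions, and the command names are indirected through variables so the validation logic can be exercised without root.

```shell
#!/bin/sh
# Hypothetical pseudo-service for iptables: load a saved ruleset at boot,
# flush it on stop, and report whether one is loaded.
IPTABLES=${IPTABLES:-iptables}
IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-iptables-restore}
RULES_FILE=${RULES_FILE:-/etc/iptables.rules}   # assumed path, not a Debian default

# Sanity-check a saved ruleset before handing it to iptables-restore:
# every "*table" block must be closed by COMMIT, or the restore is rejected
# and you may be left with a half-applied ruleset.
fw_validate() {
    file=$1
    [ -r "$file" ] || { echo "$file: not readable" >&2; return 1; }
    tables=$(grep -c '^\*' "$file" || true)
    commits=$(grep -c '^COMMIT$' "$file" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# Load the saved rules atomically (iptables-restore replaces whole tables)
# and turn on forwarding, which is the other thing a boot script must do.
fw_start() {
    fw_validate "$RULES_FILE" || return 1
    sysctl -q -w net.ipv4.ip_forward=1
    "$IPTABLES_RESTORE" < "$RULES_FILE"
}

# Empty every table and reset policies to ACCEPT. The tables are cleared
# instantly; existing conntrack state still lives on until it times out.
fw_stop() {
    for t in filter nat mangle; do
        "$IPTABLES" -t "$t" -F
        "$IPTABLES" -t "$t" -X
    done
    for c in INPUT FORWARD OUTPUT; do "$IPTABLES" -P "$c" ACCEPT; done
}

# A ruleset counts as loaded when any table holds an appended rule.
fw_status() {
    "$IPTABLES_SAVE" | grep -q '^-A ' && echo running || echo stopped
}

case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop; fw_start ;;
    status)  fw_status ;;
    *)       [ $# -eq 0 ] || echo "usage: $0 {start|stop|restart|status}" >&2 ;;
esac
```

Persisting the rules is then `iptables-save > /etc/iptables.rules` once they are right, and the script takes care of reloading them at boot.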