On Fri, Apr 27, 2012 at 2:38 AM, Joe <j...@jretrading.com> wrote:
> On Thu, 26 Apr 2012 14:13:28 +0500
> Muhammad Yousuf Khan <sir...@gmail.com> wrote:
>
>> I ran this command:
>>
>> iptables -t nat -A POSTROUTING -o eth1 -d 8.8.4.4 -j MASQUERADE
>>
>> My client computers are able to ping 8.8.4.4,
>>
>> but when I run "iptables --flush -t nat" it clears the table, but my
>> clients can still ping the destination.
>> I checked "iptables-save"; it shows that the tables are empty.
>> I thought that there could be some kind of service related to iptables
>> in the /etc/init.d folder so that I could restart it, but there is none.
>> And I noticed that after 5 minutes or so my client computers were not able
>> to ping, which means my commands take effect after 5 minutes.
>>
>> But I want a prompt effect from every iptables command. Is there anything
>> that can be done in this regard? Please help.
>>
>> One more thing: what could be done to retain all the iptables statements
>> even after a reboot? I think writing all the iptables commands in
>> rc.local
>> is not a good idea; it is a workaround.
>>
>> Can anyone please help in this regard also?
>>
>
> Iptables commands do work instantly, but state table entries may not
> disappear until after their timeout. It has already been pointed out
> that the MASQUERADE target is not appropriate for access control, so
> you should not be too concerned if it does not work as you expect. If
> you were to delete a real iptables access rule, there would be no delay.
Thanks for clearing up my concept. However, I read somewhere via Google that there is a file /etc/network/iptables in Debian from where all the startup scripts for the FW run. Maybe I didn't get the correct idea out of it, as I am new and still learning, so I thought that rc.local is not an appropriate route to choose.

>
> I use iptables and its logging fairly regularly for troubleshooting,
> which involves altering and repositioning rules to see what's going on,
> and I know there is no delay after reloading the rules tables. If you
> type an extra rule at a command prompt, it will work the instant you hit
> return, assuming you have it right and it doesn't conflict with what
> is already there. It's easier to add it to the script in the right
> place, and reload the rules tables.
>
> The usual way to organise iptables rules is to have a script that runs
> as part of the boot sequence, usually also checking for the correct
> modules, starting IP forwarding, etc. It isn't a workaround to run it
> from an rc, how else do you think things are started on boot? If you
> want something that looks like a daemon, it's not too hard to make a
> start-stop script that will load and flush the iptables rules, check
> which ruleset if any is currently running and generally work as a
> pseudo-service. It's not something that Debian supplies, as a lot of
> people prefer to use firewall applications rather than deal with raw
> iptables rules.
>

Since the inception of my career I have been using Microsoft at the server end, but since I started learning Linux I don't know what the attraction in it is; I started liking the command line rather than the GUI, so I am not interested in applications.

> --
> Joe
>
>
> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble?
> Contact listmas...@lists.debian.org
> Archive: http://lists.debian.org/20120426223825.498d0...@jretrading.com

--
Archive: http://lists.debian.org/cagwvfmnvns-njwejah1rljqnarhszsvjz0kvruy0k9eu_hr...@mail.gmail.com
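The load/flush/status "pseudo-service" Joe describes, written out as an added example that is not part of the thread and not something Debian ships. It assumes the ruleset is stored in iptables-save format at /etc/network/iptables (the path the original poster mentions), that it runs as root, and that the iptables tools, and optionally the conntrack tool, are installed; the command names are overridable variables so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the thread): a start/stop "pseudo-service" for a
# raw iptables ruleset, in the spirit of the script Joe describes. Assumes
# the rules are kept in iptables-save format at $RULES_FILE (the
# /etc/network/iptables path from the thread), root privileges, and the
# iptables tools (plus optionally conntrack) being installed.
RULES_FILE="${RULES_FILE:-/etc/network/iptables}"
IPTABLES="${IPTABLES:-iptables}"
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"
CONNTRACK="${CONNTRACK:-conntrack}"

# Count "-A ..." rule lines in an iptables-save dump read from stdin.
count_rules() { grep -c '^-A' || true; }

# "Check which ruleset, if any, is currently running".
fw_status() {
    n=$("$IPTABLES_SAVE" | count_rules)
    if [ "$n" -eq 0 ]; then echo none; else echo "$n rule(s) loaded"; fi
}

# Load the saved ruleset atomically; --test parses it first so a typo
# does not leave the tables half-applied.
fw_start() {
    [ -r "$RULES_FILE" ] || { echo "no ruleset at $RULES_FILE" >&2; return 1; }
    "$IPTABLES_RESTORE" --test < "$RULES_FILE" || return 1
    "$IPTABLES_RESTORE" < "$RULES_FILE"
}

# Flush every table and open the filter policies ("stop" = no firewall).
# Rules vanish instantly, but established flows keep their conntrack
# entries until they time out (the delay seen in the thread), so flush
# the state table too when the conntrack tool is present.
fw_stop() {
    for t in filter nat mangle; do
        "$IPTABLES" -t "$t" -F && "$IPTABLES" -t "$t" -X
    done
    for c in INPUT FORWARD OUTPUT; do "$IPTABLES" -P "$c" ACCEPT; done
    if command -v "$CONNTRACK" >/dev/null 2>&1; then "$CONNTRACK" -F; fi
    return 0
}

case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop && fw_start ;;
    status)  fw_status ;;
    "")      ;;   # no verb: only define the functions (e.g. when sourced)
    *)       echo "usage: $0 {start|stop|restart|status}" >&2; exit 2 ;;
esac
```

Hooked into the boot sequence (an rc script or an if-pre-up.d hook calling `start`), this persists the rules across reboots; `stop` shows why a flushed MASQUERADE rule still seems to work until the conntrack entries are gone.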