On Sat, Apr 28, 2012 at 3:40 AM, Joe <j...@jretrading.com> wrote:
> On Sat, 28 Apr 2012 02:41:29 -0400
> Tom H <tomh0...@gmail.com> wrote:
>> On Fri, Apr 27, 2012 at 6:59 PM, Pascal Hambourg
>> <pas...@plouf.fr.eu.org> wrote:
>> > Tom H wrote:
>> >> On Fri, Apr 27, 2012 at 4:05 AM, Joe <j...@jretrading.com> wrote:
>> >>>
>> >>> But the save and restore commands only give you the iptables
>> >>> rules, and you may want to do other network-related things when
>> >>> the 'service' is started, such as loading conntrack modules for
>> >>> unusual protocols.
>> >>
>> >> It's best to run an iptables script from
>> >> "/etc/network/if-pre-up.d/".
>> >
>> > Only for the rules which are related to a specific interface.
>> > Ruleset initialization should not be done from there.
>>
>> Why not? Is this documented somewhere? If not, from where should
>> iptables rules be launched?
>>
>> "if-pre-up.d" is the only logical location (and it isn't tied to any
>> particular NIC) for launching an iptables script since Debian ripped
>> out "/etc/init.d/iptables".
>>
>> It's also the recommended location on the Debian wiki:
>>
>> http://wiki.debian.org/iptables
>
> Which also mentions iptables-persistent.
Thanks for pointing iptables-persistent out; I'd only skimmed through the
wiki entry to see whether or not using "if-pre-up.d" was recommended and
I'd missed that note.

I have a Debian box at home where I've created a similar service but I'd
never do this on one of the boxes that I manage at a company because I
always try to avoid non-standard setups.

I migrated two dev boxes from using "if-pre-up.d" to using
"iptables-persistent" this afternoon...

Archive: http://lists.debian.org/CAOdo=swh-fxokgmhskgp5m0_ccj8h9vzegebneh1qbf-zpk...@mail.gmail.com
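The thread turns on two points: an if-pre-up.d hook runs once per interface, so it is the wrong place to initialise a global ruleset, and whatever loads the rules should validate them and load any conntrack helpers first. The hook below is an added example written for this page; it is not code from the thread, from the Debian wiki or from the iptables-persistent package. It loads a fail-closed global ruleset at most once per boot (guarded by a marker file), validates it with `iptables-restore --test` before applying it, and adds only one interface-specific rule for the interface ifupdown is actually bringing up. The marker path /run/firewall.loaded, the nf_conntrack_ftp helper, the SSH and NTP ports, and the treatment of IFACE=--all as a skip case are all assumptions made for the example.

```shell
#!/bin/sh
# Hypothetical /etc/network/if-pre-up.d/firewall hook (added example, not
# from the thread). ifupdown exports IFACE, MODE and PHASE and runs every
# script in this directory once per interface, so anything global here
# must be idempotent and anything per-interface must look at $IFACE.

STAMP="${STAMP:-/run/firewall.loaded}"   # assumed marker: global rules loaded this boot
HELPERS="nf_conntrack_ftp"               # assumed conntrack helper(s) to load first

# Should this invocation load the global ruleset?  Returns 0 for yes.
# Args: interface, phase, marker file.
fw_should_load_global() {
    case "$1" in
        ""|lo|--all) return 1 ;;   # not run by ifupdown, loopback, or the
                                   # "ifup -a" meta pass (assumed IFACE=--all)
    esac
    [ "$2" = "pre-up" ] || return 1
    [ ! -e "$3" ]       || return 1   # already loaded during this boot
    return 0
}

# Minimal fail-closed ruleset in iptables-restore format (the same format
# iptables-persistent keeps in /etc/iptables/rules.v4).
fw_global_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# The one kind of rule that belongs in an if-pre-up.d hook: a rule bound to
# the interface being brought up.  Prints the rule spec without -A/-C.
fw_iface_rule() {
    printf 'INPUT -i %s -p udp --dport 123 -j ACCEPT' "$1"
}

# Load helpers, validate, then apply.  A ruleset that fails --test is never
# applied, so a typo cannot leave the box half-configured under a DROP policy.
fw_apply_global() {
    tmp=$(mktemp) || return 1
    fw_global_ruleset >"$tmp"
    if ! iptables-restore --test <"$tmp"; then
        echo "firewall: ruleset failed validation, not applied" >&2
        rm -f "$tmp"
        return 1
    fi
    for m in $HELPERS; do
        modprobe "$m" || echo "firewall: could not load $m" >&2
    done
    iptables-restore <"$tmp" && : >"$STAMP"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Entry point: does nothing unless ifupdown set IFACE and PHASE.
if fw_should_load_global "$IFACE" "$PHASE" "$STAMP"; then
    fw_apply_global || exit 1
fi
if [ -n "$IFACE" ] && [ "$PHASE" = "pre-up" ]; then
    case "$IFACE" in
        lo|--all) ;;
        *)
            spec=$(fw_iface_rule "$IFACE")
            # Unquoted on purpose: the spec is a list of single-word arguments.
            # -C checks for the rule first so repeated ifup/ifdown does not
            # append duplicates.
            iptables -C $spec 2>/dev/null || iptables -A $spec
            ;;
    esac
fi
```

Because the global ruleset is in iptables-restore format, the same text can be handed to iptables-persistent instead (`iptables-save > /etc/iptables/rules.v4`, with rules.v6 for ip6tables), which is the split Pascal describes: ruleset initialisation in the persistence mechanism, and only the `fw_iface_rule` part left in the hook.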