On 19/07/2020 20:10, Patrick Wigmore wrote:
> On Sat, 18 Jul 2020 18:17:38 +0100, Terry Coles wrote:
>> Hi,
>>
>> It has been suggested that I add an iptables rule into some devices
>> and make it persistent by adding the rule to /etc/rc.local.
>>
>> I naively thought that iptables rules were persistent, but a quick
>> google throws up the idea of using iptables-save/iptables-restore
>> but also iptables-persistent.
>>
>> Is there a right way?
> I wanted to know the answer to this a while ago, and I concluded that
> it doesn't matter enormously. As far as I could tell, it's a
> bring-your-own-persistence party and there is no one best way of
> doing it.
>
> It seems as though iptables-based firewall utilities are as numerous
> as text editors and desktop environments.
>
> Fundamentally, you've just got to make sure that, at some sensible
> moment during start-up, some commands; none in particular; will get
> run that will create the rule for you. iptables-restore is one way to
> do that, which might be helpful, so is iptables-persistent. Or, you
> could just as well run the commands that you originally used to create
> the rule.
>
> My solution was to write an init script that created my iptables
> rules, with the rules I wanted hard-coded into the script in a manner
> that was easily-editable. I thought that was a relatively neat way of
> doing it, but it's certainly not the only way. I might not have done
> it that way if I only wanted to load one simple rule.
>
> (For systemd, I suppose you would write a systemd unit instead.)
>
> If you were going to invest a lot of time in writing rules or scripts,
> nftables might be more futureproof than iptables. But for quick,
> simple rules, I wouldn't worry about that too much.
>
> Patrick
>

Sounds interesting :)
For my laptop and desktop I use Gufw, a GUI frontend for Ufw "Uncomplicated FireWall", which is itself based on iptables IIRC. But I guess the Pis don't run GUIs, so using Gufw would probably not be ideal (also the interface is rather unintuitive).

Hamish
--
Next meeting: Online, Jitsi, Tuesday, 2020-08-04 20:00
Check to whom you are replying
Meetings, mailing list, IRC, ...  http://dorset.lug.org.uk
New thread, don't hijack:  mailto:dorset@mailman.lug.org.uk
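
The init-script approach described in the quoted message above (rules kept in one editable place and created at start-up), as an added example that is not part of the original thread. The sample rules, the `RULES` list and the function names are constructed for illustration; `iptables -C` is used so that running the script twice does not append duplicate rules.

```sh
#!/bin/sh
# Added example: boot-time firewall loader with the rules in one editable list.
# IPTABLES may be overridden (e.g. with a stub) to rehearse without root.
IPTABLES="${IPTABLES:-iptables}"

# One rule per line: chain name, then the rule specification.
# These three rules are constructed samples; edit to suit the device.
RULES='
INPUT -i lo -j ACCEPT
INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
INPUT -p tcp --dport 22 -j ACCEPT
'

# Append a rule only if an identical one is not already loaded.
# "iptables -C" exits 0 when the rule exists, non-zero otherwise.
ensure_rule() {
    chain="$1"; shift
    if "$IPTABLES" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPTABLES" -A "$chain" "$@"
}

# Walk the RULES list, skipping blank lines and "#" comments.
load_rules() {
    set -f                      # no filename globbing while splitting rule text
    while read -r chain spec; do
        case "$chain" in ''|'#'*) continue ;; esac
        set -- $spec            # intentional word splitting into arguments
        if ! ensure_rule "$chain" "$@"; then
            echo "failed to load: $chain $spec" >&2
            set +f
            return 1
        fi
    done <<EOF
$RULES
EOF
    set +f
}

# Only touch the firewall when asked to, e.g. "firewall.sh start".
if [ "${1:-}" = "start" ]; then
    load_rules
fi
```

Call it with `start` from whatever runs at boot on the device: /etc/rc.local, an init script, or a systemd unit.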