Lancer les règles de Firewalling avant que les interfaces deviennent up

From / Bloc Notes Informatique
Jump to: navigation, search

1 Introduction

There used to be a script to do it automatically via init.d files, but now the suggested method is to use ifup.d networking scripts, which are executed on state changes of the network interfaces. So I submit here my simple script, which does the trick for me nicely.

2 Configuration

Drop this script into /etc/network/if-pre-up.d in a file called iptables :

Configuration File /etc/network/if-pre-up.d/iptables
# Load iptables rules before interfaces are brought online
# This ensures that we are always protected by the firewall
# Note: if bad rules are inadvertently (or purposely) saved it could block
# access to the server except via the serial tty interface.
test -x $RESTORE || exit 0
test -x $STAT || exit 0
# Check permissions and ownership (rw------- for root)
if test `$STAT --format="%a" $IPSTATE` -ne "600"; then
  echo "Permissions for $IPSTATE must be 600 (rw-------)"
  exit 0
# Since only the owner can read/write to the file, we can trust that it is
# secure. We need not worry about group permissions since they should be
# zeroed per our previous check; but we must make sure root owns it.
if test `$STAT --format="%u" $IPSTATE` -ne "0"; then
  echo "The superuser must have ownership for $IPSTATE (uid 0)"
  exit 0
# Now we are ready to restore the tables

Then make sure you make the script executable:

chmod +x iptables
chown root:root iptables

It loads the settings from $IPSTATE - by default, /etc/iptables.conf. You have to save the rules manually; this ensures that you make sure your rules are working properly (i.e. doesn't block you from logging in remotely, for example) before you decide to save them.

You do this running the command: "iptables-save > /etc/iptables.conf" (or whatever file you have chosen to use as your $IPSTATE file)

3 Ressources