Run the firewall rules before the interfaces come up

From Deimos.fr / Bloc Notes Informatique

1 Introduction

There used to be a script to do it automatically via init.d files, but now the suggested method is to use ifup.d networking scripts, which are executed on state changes of the network interfaces. So I submit here my simple script, which does the trick for me nicely.

2 Configuration

Drop this script into /etc/network/if-pre-up.d in a file called iptables:

Configuration File /etc/network/if-pre-up.d/iptables
#!/bin/sh

# Load iptables rules before interfaces are brought online
# This ensures that we are always protected by the firewall
#
# Note: if bad rules are inadvertently (or purposely) saved it could block
# access to the server except via the serial tty interface.
#

RESTORE=/sbin/iptables-restore
STAT=/usr/bin/stat
IPSTATE=/etc/iptables.conf

# Do nothing if the tools or the saved rules file are missing.
# Every "exit 0" below lets the interface come up with no rules loaded;
# a non-zero exit would instead stop ifup from bringing it up.
test -x "$RESTORE" || exit 0
test -x "$STAT" || exit 0
test -f "$IPSTATE" || exit 0

# Check permissions and ownership (rw------- for root)
if test "$($STAT --format='%a' "$IPSTATE")" -ne 600; then
  echo "Permissions for $IPSTATE must be 600 (rw-------)"
  exit 0
fi

# Since only the owner can read/write to the file, we can trust that it is
# secure. We need not worry about group permissions since they should be
# zeroed per our previous check; but we must make sure root owns it.
if test "$($STAT --format='%u' "$IPSTATE")" -ne 0; then
  echo "The superuser must have ownership for $IPSTATE (uid 0)"
  exit 0
fi

# Now we are ready to restore the tables
"$RESTORE" < "$IPSTATE"

Then make sure you make the script executable:

Command
chmod +x iptables
chown root:root iptables

The script loads the rules from $IPSTATE, which is /etc/iptables.conf by default. The rules are never saved automatically: you save them by hand, which forces you to confirm that the running rule set works as intended (for example, that it does not lock you out of remote logins) before it is persisted and reloaded at every boot.

You do this with the command "iptables-save > /etc/iptables.conf" (or whatever file you have chosen as your $IPSTATE file). Remember that the hook above refuses to load the file unless it is owned by root and has mode 600, so set those permissions after saving.
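The hook's ownership and permission checks, and the manual save step described above, as an added example (not the page's own script): the checks are factored into a reusable function, and a second helper writes the saved rules file with mode 600 through an atomic rename so the hook accepts it. The function names, the optional EXPECTED_UID argument and the sample rule set are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the original page's hook. Assumes GNU stat (as the
# page's script does); function names are illustrative.

# check_rules_file FILE [EXPECTED_UID]
# Returns 0 when FILE is a regular file, mode 0600 and owned by EXPECTED_UID
# (default 0, i.e. root): the same conditions the if-pre-up.d hook enforces.
check_rules_file() {
    file=$1
    expected_uid=${2:-0}
    [ -f "$file" ] || { echo "missing rules file: $file" >&2; return 1; }
    mode=$(stat --format='%a' "$file") || return 1
    owner=$(stat --format='%u' "$file") || return 1
    if [ "$mode" != "600" ]; then
        echo "permissions for $file must be 600, found $mode" >&2
        return 1
    fi
    if [ "$owner" != "$expected_uid" ]; then
        echo "owner of $file must be uid $expected_uid, found $owner" >&2
        return 1
    fi
    return 0
}

# install_rules_file SRC DST
# Copies SRC to DST with mode 0600 and an atomic rename, so the hook never
# sees a half-written or group/world-readable rules file. Typical use once
# the running rule set has been verified:
#   iptables-save > /tmp/rules.$$ && install_rules_file /tmp/rules.$$ /etc/iptables.conf
install_rules_file() {
    src=$1
    dst=$2
    tmp="$dst.tmp.$$"
    ( umask 077 && cp "$src" "$tmp" ) || return 1
    chmod 600 "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$dst"
}

# When run directly with a file argument, report whether the hook would load it.
if [ $# -ge 1 ]; then
    check_rules_file "$1" "${2:-0}" && echo "$1 OK"
fi
```

Run it as `sh check_rules.sh /etc/iptables.conf` to get the same verdict the hook would reach at boot, without waiting for the next ifup.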

3 Resources

http://www.debian-administration.org/articles/615