On Sun, Apr 29, 2012 at 4:08 AM, Bonno Bloksma <b.blok...@tio.nl> wrote:
>>>>>> It's best to run an iptables script from "/etc/network/if-pre-up.d/".
>>>>> Only for the rules which are related to a specific interface.
>>>>> Ruleset initialization should not be done from there.
>>>>
>>>> Why not?
>>>
>>> Because it makes no sense to re-initialize the ruleset every time an
>>> interface is activated.
>>>
>>>> Is this documented somewhere? If not, from where should iptables
>>>> rules be launched?
>>>
>>> Iptables should be initialized from an initscript run before networking.
>>
>> I agree but until someone else pointed out that there was
>> iptables-persistent for that, there was no packaged way of doing so.
>>
>> Until iptables-persistent was released in July 2009, there wasn't a
>> packaged way of doing so and using "/etc/network/if-pre-up.d/" was the
>> recommended way, as documented in the Debian wiki.
>
> I have been running iptable scripts for years but never ran them from
> "/etc/network/if-pre-up.d/". In Debian I have always used the pre-up line
> in the interfaces file, in RedHat I used the rc.local file or created my
> own Sxx link in the rc.X directories to get it started before the network
> came up.
>
> The other way to save/load iptables rules has been to use iptables-save
> and iptables-restore (or something like it) which I have used in the old
> days when there was RedHat 4.x (before it came to be known as Fedora) and
> so on.

AFAIK, using "/etc/network/if-pre-up.d/" or "pre-up ..." in
"/etc/network/interfaces" is essentially the same thing.

(I don't understand why you use "rc.local" on RHEL/Fedora because they both
have an iptables init script by default.)

Archive: http://lists.debian.org/CAOdo=swrth33kevk6q0jp3td39jkh1jjefizqmzst70pkmx...@mail.gmail.com
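As an added example, not from the thread or from Debian's own packaging: a hypothetical /etc/network/if-pre-up.d/ hook written the way the thread recommends, applying only rules scoped to one interface and leaving the global ruleset to an init script that runs iptables-restore before networking. The interface name eth0 and its two rules are constructed; IFACE and MODE are the variables ifupdown exports to its hook scripts, and IPTABLES can be overridden for dry runs.

```shell
#!/bin/sh
# Hypothetical /etc/network/if-pre-up.d/iptables-iface hook (added example).
# ifupdown exports IFACE and MODE to hook scripts. Nothing here flushes or
# re-initialises the ruleset; that belongs in an init script that runs
# iptables-restore before networking is brought up.
IPTABLES="${IPTABLES:-iptables}"

# Print the interface-specific rules for one interface (none for others).
rules_for_iface() {
    case "$1" in
        eth0)  # constructed example: external side, allow SSH, drop other new
            printf '%s\n' \
              "-A INPUT -i eth0 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT" \
              "-A INPUT -i eth0 -m conntrack --ctstate NEW -j DROP" ;;
        *) : ;;
    esac
}

# 0 only on ifup (MODE=start) of an interface that has rules; the hook
# does nothing on ifdown or for interfaces it knows nothing about.
should_act() {
    [ "${2:-}" = start ] || return 1
    [ -n "$(rules_for_iface "$1")" ]
}

# Append each rule unless it is already present (-C), so re-running ifup
# on the same interface never duplicates rules.
apply_iface_rules() {
    should_act "$1" "$2" || return 0
    rules_for_iface "$1" | while read -r rule; do
        # shellcheck disable=SC2086
        if ! $IPTABLES -C ${rule#-A } 2>/dev/null; then
            $IPTABLES $rule
        fi
    done
}

# Only act when invoked by ifupdown; sourcing without IFACE does nothing.
if [ -n "${IFACE:-}" ]; then
    apply_iface_rules "$IFACE" "${MODE:-}"
fi
```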