On Sat, 18 Jul 2020 18:17:38 +0100, Terry Coles wrote:
> Hi,
>
> It has been suggested that I add an iptables rule into some devices
> and make it persistent by adding the rule to /etc/rc.local.
>
> I naively thought that iptables rules were persistent, but a quick
> google throws up the idea of using iptables-save/iptables-restore
> but also iptables-persistent.
>
> Is there a right way?
I wanted to know the answer to this a while ago, and I concluded that it doesn't matter enormously. As far as I could tell, it's a bring-your-own-persistence party and there is no one best way of doing it. It seems as though iptables-based firewall utilities are as numerous as text editors and desktop environments.

Fundamentally, you've just got to make sure that, at some sensible moment during start-up, some commands (none in particular) will get run that will create the rule for you. iptables-restore is one way to do that, which might be helpful; so is iptables-persistent. Or, you could just as well run the commands that you originally used to create the rule.

My solution was to write an init script that created my iptables rules, with the rules I wanted hard-coded into the script in a manner that was easily editable. I thought that was a relatively neat way of doing it, but it's certainly not the only way. I might not have done it that way if I only wanted to load one simple rule. (For systemd, I suppose you would write a systemd unit instead.)

If you were going to invest a lot of time in writing rules or scripts, nftables might be more future-proof than iptables. But for quick, simple rules, I wouldn't worry about that too much.

Patrick

-- 
Next meeting: Online, Jitsi, Tuesday, 2020-08-04 20:00
Check to whom you are replying
Meetings, mailing list, IRC, ... http://dorset.lug.org.uk
New thread, don't hijack: mailto:dorset@mailman.lug.org.uk
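As an added illustration of the "hard-coded, easily editable rule list loaded at boot" approach Patrick describes (this is example code written for this page, not Patrick's script and not part of the thread), the POSIX sh script below turns a small rule list into an iptables-restore(8) file and a oneshot systemd unit that loads it before the network comes up. It also shows the idempotent `iptables -C ... || iptables -A ...` pattern for anyone who does go the /etc/rc.local route, so that re-running the script does not append duplicate rules. The rule set, the output paths (a temp directory by default, `/etc/iptables` and `/etc/systemd/system` for real use), the unit name and the `/usr/sbin/iptables-restore` path are all assumptions for the example; adjust them for your distribution. Nothing here touches the live firewall unless you call `ensure_rule` or install the unit yourself.

```shell
#!/bin/sh
# Example code added for this page (not from the mailing-list thread).
# Generates an iptables-restore rules file from an easily editable rule
# list plus a systemd oneshot unit that loads it at boot. Rules, paths and
# the unit name are assumptions; nothing here modifies the running firewall.
set -eu

# Rule list in iptables(8) syntax, one rule per line, without the table
# prefix. Edit this block; the generator and the unit never need to change.
# (Constructed sample: loopback, established/related, SSH in.)
RULES='
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
'

# Emit an iptables-restore(8) file for the filter table: chain policies,
# then the rules above, then COMMIT. Loading the whole table in one
# iptables-restore call replaces the previous state atomically, so running
# it twice yields the same rule set rather than duplicated rules.
gen_rules_file() {
    printf '*filter\n'
    printf ':INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    printf '%s\n' "$RULES" | sed '/^[[:space:]]*$/d'
    printf 'COMMIT\n'
}

# Emit a oneshot systemd unit that restores the rules before the network
# is configured, so no interface is ever up with an empty INPUT chain.
# The iptables-restore path is an assumption (Debian: /usr/sbin).
gen_unit() {
    rules_path="$1"
    cat <<EOF
[Unit]
Description=Load iptables rules from $rules_path
DefaultDependencies=no
Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/iptables-restore $rules_path
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF
}

# Idempotent helper for an rc.local-style script: append a rule only if it
# is not already present. "iptables -C" exits non-zero when the rule is
# absent, so repeated runs do not stack duplicate copies of the rule.
# Usage: ensure_rule INPUT -p tcp --dport 22 -j ACCEPT
ensure_rule() {
    chain="$1"; shift
    iptables -C "$chain" "$@" 2>/dev/null || iptables -A "$chain" "$@"
}

# Write both generated files into a directory (default: a fresh temp dir,
# so this is safe to run unprivileged) and print that directory's path.
write_files() {
    out="${1:-$(mktemp -d)}"
    mkdir -p "$out"
    gen_rules_file > "$out/rules.v4"
    gen_unit "$out/rules.v4" > "$out/iptables-restore.service"
    printf '%s\n' "$out"
}

# Invoke as:  sh persist-iptables.sh run [output-dir]
case "${1:-}" in
    run) write_files "${2:-}" ;;
esac
```

To put it into service, run it as root with `/etc/iptables` as the output directory, copy the generated unit into `/etc/systemd/system/`, then `systemctl enable --now iptables-restore.service`. After changing the rule list, regenerate and restart the unit; because the file is loaded with one iptables-restore call, the result is always exactly the listed rules and nothing left over from the previous run.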