Package: iptables Version: 1.4.6-2 Severity: wishlist Tags: sid lenny squeeze
Hey,

Many users are confused because there is no default Debian way of configuring iptables rules at startup (since the rc?.d script was removed). Because many are seeking this feature, I would like to suggest a clean if-pre-up solution for those who manage their network with ifupdown. I thought that, because so many packages nowadays install their scripts in /etc/network/if-*.d/, iptables could too. It must be a script with its associated files that don't do anything restricting by default.

Attached are 3 files that should be placed in:

/etc/network/if-pre-up.d/iptables
/etc/network/iptables.up.rules
/etc/network/iptables.allowall.rules

The if-pre-up script is pretty simple: it primarily tries to restore iptables rules from the file '/etc/network/iptables.up.rules', but if that doesn't exist it runs the custom iptables setup script '/etc/network/iptables.up.run'.

This way a user could either store his iptables configuration, which would be restored after reboot, with:

iptables-save > /etc/network/iptables.up.rules

In case he makes a mistake and would like to reset iptables as fast as possible he could:

iptables-restore < /etc/network/iptables.allowall.rules

Users who want to use their custom iptables setup script instead of rules files could remove the 'iptables.up.rules' file and put their script under '/etc/network/iptables.up.run' so that it is run after reboot.

All these scripts are also extremely useful in combination with these iptables-apply features: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=580941

This allows you to modify your custom iptables setup script and be sure that only the last working iptables rules will get restored after reboot. After each modification you just run:

iptables-apply -w /etc/network/iptables.up.rules -c /etc/network/iptables.up.run

And your iptables setup script (iptables.up.run) will be executed and the resulting working rules stored in iptables.up.rules, which get loaded after reboot with the if-pre-up script.

Any questions?
Greetings,
gw

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'testing-proposed-updates'), (600, 'unstable'), (500, 'lenny'), (500, 'karmic'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-3-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages iptables depends on:
ii  libc6  2.10.2-6  Embedded GNU C Library: Shared lib

iptables recommends no packages.

iptables suggests no packages.

-- no debconf information
#!/bin/sh
# Set up iptables using rules file or run script
# Copy file and modify these to ip6tables for IPv6

RESTORE="/sbin/iptables-restore"
RULESFILE="/etc/network/iptables.up.rules"
RUNCMD="/etc/network/iptables.up.run"

# Set it up only once (when the loopback interface comes up)
[ "$IFACE" != "lo" ] && exit 0

# Configure iptables using rules file when possible, else use the run script
if [ -r "$RULESFILE" ]; then
    "$RESTORE" < "$RULESFILE"
elif [ -x "$RUNCMD" ]; then
    "$RUNCMD"
fi
# iptables up rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# iptables allow all rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
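One weakness of the proposed if-pre-up hook is that a truncated or empty iptables.up.rules (for example an interrupted "iptables-save >" redirection) makes iptables-restore fail, which in turn makes the hook fail while lo is being brought up, and no rules at all get loaded. The following is an added example, not one of the attached files: a structural sanity check of the iptables-save format (every "*table" block closed by COMMIT), a helper that reads a chain's default policy from the file so an admin can confirm what will be restored, and a loader that falls back to the run script when the check fails. The /sbin/iptables-restore path is the one from the attachment; the sample rules files and the run script are constructed here.

```shell
#!/bin/sh
# Structural check of an iptables-save style file: every "*table" header must
# be closed by a COMMIT line and at least one table must be present.
# Returns 0 when the file looks complete, 1 for a missing, empty or truncated file.
# This only checks structure; it is not a full parse of the rule lines.
rules_file_ok() {
    [ -r "$1" ] || return 1
    awk '
        /^\*/      { if (open) bad = 1; open = 1; tables++ }
        /^COMMIT$/ { if (!open) bad = 1; open = 0 }
        END        { if (bad || open || tables == 0) exit 1; exit 0 }
    ' "$1"
}

# Print the default policy of CHAIN in TABLE as recorded in the file
# (":INPUT DROP [0:0]" -> "DROP"); prints nothing if the chain is not there.
chain_policy() {
    awk -v t="*$2" -v c=":$3" '
        $1 == t         { in_t = 1; next }
        /^\*/           { in_t = 0 }
        in_t && $1 == c { print $2; exit }
    ' "$1"
}

# Restore only a file that passes the check, otherwise fall back to the run
# script, so a damaged save never leaves the hook failing with no rules loaded.
# Arguments: rules file, run script, restore command (default from the hook).
load_rules() {
    restore=${3:-/sbin/iptables-restore}
    if rules_file_ok "$1"; then
        "$restore" < "$1"
    elif [ -x "$2" ]; then
        "$2"
    else
        return 1
    fi
}

# Constructed sample inputs (not from the bug report): a complete file with a
# restrictive filter table, a truncated one, and a stand-in run script.
DEMO=$(mktemp -d)
printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n-A INPUT -i lo -j ACCEPT\nCOMMIT\n*nat\n:PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT\n' > "$DEMO/good.rules"
printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n' > "$DEMO/truncated.rules"
printf '#!/bin/sh\necho ran-fallback\n' > "$DEMO/iptables.up.run"
chmod +x "$DEMO/iptables.up.run"
```

Passing "cat" as the third argument to load_rules lets you dry-run the decision without touching the live ruleset; the files in $DEMO are left behind for inspection.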