Question about /etc/iptables.down.rules
Покотиленко
Mon Aug 27 10:42:30 CEST 2007
On Sun, 26/08/2007 at 22:01 -1000, TinyApps.Org writes:
> Thanks for your reply, Покотиленко! (I hope that is the correct name
> to use.)
> My reply is at the bottom of this message:
>
> >> I understand that it is best to setup a set of rules to be applied
> >> when the network interface is down, saving it to:
> >>
> >> /etc/iptables.down.rules
> >>
> >> and applying in /etc/network/interfaces via:
> >>
> >> post-down iptables-restore < /etc/iptables.down.rules
> >>
> >> What should this set of rules look like? The exact opposite
> >> of /etc/iptables.up.rules ? Or just a simple flush command?
> >> Or something else altogether?
> >
> > You can do a simple flush, but this is not required, since all rules
> > will be overwritten by iptables-restore when you bring network
> > interface up next time.
>
> I had stumbled across the following comment:
>
> "But to do this really clean, we need to have a script that removes
> the rules as well for when the interface goes down. Just to make sure
> the rules are never added twice."
>
> on this site:
> http://my.opera.com/Jada0007/blog/show.dml/1213354
>
> and therefore wondered if there were ever a case in which
> the rules could be applied twice... by creating a
> /etc/iptables.down.rules file, I hoped to avoid such a possibility.
man iptables-restore states:
...
-n, --noflush
    don't flush the previous contents of the table. If not specified,
    iptables-restore flushes (deletes) all previous contents of the
    respective IP Table.
...
So, make sure you don't use the "-n" option when calling iptables-restore.
--
Покотиленко Костик <casper at meteor.dp.ua>
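An added example, not code from this thread: a small POSIX sh script that writes a minimal /etc/iptables.down.rules in iptables-save format (relying on the default flush described above, so the file only needs chain policies), sanity-checks that every table in a restore file has its COMMIT, and scans an /etc/network/interfaces file for iptables-restore hooks that pass -n/--noflush. The helper names and the sample stanza are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Paths are the ones discussed
# above; the helper names are hypothetical.

# Write a minimal down-rules file in iptables-save format. iptables-restore
# flushes every table the file names before loading it (unless -n/--noflush
# is passed), so listing the filter table with only its chain policies and
# no rules leaves the table empty with those policies once the link is down.
write_down_rules() {
    cat > "$1" <<'EOF'
# Loaded by: post-down iptables-restore < /etc/iptables.down.rules
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Sanity check for a restore file: every "*table" header needs its COMMIT,
# otherwise iptables-restore rejects the file and the old rules stay loaded.
validate_restore_file() {
    awk '/^\*/ { tables++ } /^COMMIT$/ { commits++ }
         END { exit !(tables > 0 && tables == commits) }' "$1"
}

# Returns 0 when no iptables-restore hook in an interfaces file passes
# -n/--noflush (the case the reply above warns about), 1 otherwise.
check_interfaces_noflush() {
    ! grep -E '^[[:space:]]*(pre|post)-(up|down)[[:space:]].*iptables-restore.*[[:space:]](-n|--noflush)([[:space:]]|$)' "$1" >/dev/null
}

# Run directly with an output path to write and check the file, e.g.
#   sh down-rules.sh /tmp/iptables.down.rules
if [ -n "${1:-}" ]; then
    write_down_rules "$1" && validate_restore_file "$1" && echo "wrote $1"
fi
```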