On 7/5/06, James <wireless@×××××××××××.com> wrote:

> > 1) /etc/init.d/iptables save

> This will work if one loads the rules manually at the command line.
> Where do I put a script of iptables commands, so it is read, the
> rule sets generated and then saved into /var/lib/iptables/rules-save?

Anywhere you like. All that matters is that you run it so your
iptables are set up like you want, then run "/etc/init.d/iptables save"
followed by "rc-update -a iptables default".

> After that if I want to modify the rules, I edit my script, run
> my script manually, then issue:
> "iptables-save > /var/lib/iptables/rules-save"

No, "/etc/init.d/iptables save" is the better choice. The file might
move, or the format change, or something similar.

> If I want to then test the rules, without rebooting, I issue:
>
> /etc/init.d/iptables stop
> /etc/init.d/iptables start

Not necessary. After running your script, the tables will be set up
according to the script, and you can test away. You probably want
your script to have the following at the top:

iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

This flushes all rules, and resets the default policies, so that only
the rules that you specify later take effect. Very useful for
clearing out old artifacts of stuff...

> What I'm looking for is the series of steps to
> 1. Where best to locate my script?

Mine is in ~/bin/.

> 2. Insert (new) commands into the script.

$EDITOR

> 3. convert new scripted commands into rulesets
> 4. Load rulesets into the /var/lib/iptables/rules-save

Don't do this. Run your script, and let "/etc/init.d/iptables save" do
the work for you.

> 5. Restart the iptables/netfilter firewall

If you flush/reset like I describe above, this is not necessary, just
run your script.

> If what I wrote above [A] is correct then I just need some suggestions
> as to where the script should be located under /etc/, for
> consistency with gentoo mindsets.

You can put it anywhere you like. I prefer ~/bin/ since there I know
it is *not* something that Gentoo created.

-Richard
--
gentoo-user@g.o mailing list
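The workflow Richard lays out in the thread, as an added example that is not code from the thread or from Gentoo: a re-runnable firewall script that starts with the flush/reset block, appends its own rules, and then persists them through the init script instead of calling iptables-save directly. The host rules (loopback, established traffic, SSH, terminal DROP) and the DRY_RUN switch are assumptions for illustration; "rc-update add" is the long form of the thread's "rc-update -a".

```shell
#!/bin/sh
# Constructed example, not from the thread: a firewall script in the style
# Richard describes. Re-running it replaces the live rule set, so no
# "/etc/init.d/iptables stop/start" cycle is needed to test a change.
# DRY_RUN=1 prints the commands that would run instead of executing them.

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

load_rules() {
    # Clean slate first: flush the filter table and reset the default
    # policies, so old rules never stack up underneath the new ones.
    ipt -F
    ipt -P INPUT ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD DROP

    # Rules that take effect after the reset (assumed host policy).
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p tcp --dport 22 -j ACCEPT
    # With the INPUT policy left at ACCEPT, this closing rule is what
    # actually rejects traffic the rules above did not admit.
    ipt -A INPUT -j DROP
}

persist_rules() {
    # Let the init script write the rules wherever it expects them
    # (/var/lib/iptables/rules-save in the thread), then make sure the
    # service is in the default runlevel so they are restored at boot.
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' '/etc/init.d/iptables save' 'rc-update add iptables default'
    else
        /etc/init.d/iptables save && rc-update add iptables default
    fi
}

# sh firewall.sh preview  -> print the commands
# sh firewall.sh apply    -> load the rules (as root) and persist them
case "${1:-}" in
    preview) DRY_RUN=1; load_rules; persist_rules ;;
    apply)   load_rules && persist_rules ;;
esac
```

One caveat the script's ordering makes visible: between the flush and the closing "-A INPUT -j DROP", the INPUT chain is briefly empty with an ACCEPT policy, and if the script aborts partway through it stays that way. The terminal DROP rule is the minimum guard; setting the INPUT policy to DROP before adding explicit ACCEPT rules, or loading a saved rule set atomically with iptables-restore, closes that window entirely.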