I got to thinking about something the other day when I rebuilt my webserver using Debian 5.0. How does Debian/Ubuntu standardize on reloading the iptables rules at boot time?
I know that Red Hat and its variants use the /etc/sysconfig/iptables file as a save and restore point, and there is an init script, iptables, that starts at boot prior to the network script, but is there a similar standard on Debian/Ubuntu?
The solution I’ve come up with (and I’m very curious to hear what others have done) is the following:
First, I manually enter my base iptables rules…
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 184.108.40.206/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 220.127.116.11/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 18.104.22.168/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-unreachable
(IP addresses have been scrambled to protect their identity) 🙂
I then run:
iptables-save > /etc/default/iptables
From this point forward I manually update my ruleset by editing the file directly with a text editor.
To reload these rules at boot-time I have added a line to my /etc/network/interfaces configuration as follows:
iface eth0 inet static
    pre-up iptables-restore < /etc/default/iptables
That last line tells the machine to run iptables-restore, reading from /etc/default/iptables, before it activates these network settings. This seems to work well enough so far, but I’m still curious what others have done. Do you simply write an init script on your own and maintain the ruleset within that file? Do you use a file similar to what I’ve done, but source it via an init script? I’m curious, as there does not seem to be a standard that I’m aware of.
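An added example, not from the original post: a small POSIX sh sanity check to run before iptables-restore in that pre-up hook, since ifup refuses to configure the interface when a pre-up command fails, which on a remote box turns a typo in the saved file into a lockout. The function names, the constructed sample ruleset and its 10.0.0.1 placeholder address are my own assumptions, as is an iptables-restore new enough to accept --test.

```shell
#!/bin/sh
# Added example (not the post's own code): validate a saved ruleset before
# handing it to iptables-restore from a pre-up hook.  A malformed file makes
# the pre-up command fail, ifup then aborts, and the interface never comes up.
# Assumed names: check_ruleset, safe_restore, and the constructed sample below.

# Constructed sample in iptables-save format, mirroring the post's rules
# (10.0.0.1 is a placeholder, not a real address from the post).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.1/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-unreachable
COMMIT
EOF

# check_ruleset FILE: return 0 if FILE looks like a complete filter ruleset
# that still lets loopback, established and SSH traffic in; otherwise print
# the first failing reason and return 1.
check_ruleset() {
    f=$1
    [ -r "$f" ] || { echo "unreadable: $f"; return 1; }
    grep -q '^\*filter$' "$f" || { echo "no *filter table"; return 1; }
    grep -q '^COMMIT$' "$f" || { echo "no COMMIT (truncated file?)"; return 1; }
    # every line must be a comment, table, chain policy, -A rule, COMMIT or blank
    if grep -v -E '^(#|\*|:|-A |COMMIT$|$)' "$f" | grep -q .; then
        echo "unexpected line in ruleset"; return 1
    fi
    grep -q -- '^-A INPUT -i lo -j ACCEPT$' "$f" || { echo "loopback not accepted"; return 1; }
    grep -q -- '^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$' "$f" \
        || { echo "established traffic not accepted"; return 1; }
    grep -q -- '--dport 22 -j ACCEPT' "$f" || { echo "no SSH accept rule"; return 1; }
    return 0
}

# safe_restore FILE: what the pre-up line would call instead of a bare
# iptables-restore.  --test parses the file without committing it; drop that
# step on an iptables too old to know the option (lenny's 1.4.2 does not).
safe_restore() {
    check_ruleset "$1" && iptables-restore --test < "$1" && iptables-restore < "$1"
}
```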