Mailing List Archive: Question about /etc/iptables.down.rules

Question about /etc/iptables.down.rules

Aug 26, 2007, 6:51 PM

Post #1 of 5 (2872 views)

I have a very simple set of iptables rules:

# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -p tcp -i eth0 --dport ssh -j ACCEPT
# iptables -I INPUT -i lo -j ACCEPT
# iptables -A INPUT -j DROP

which has been saved to /etc/iptables.up.rules .

I have also modified /etc/network/interfaces to use the ruleset:

iface eth0 inet static
address x.x.x.x
[.. interface configuration ..]
pre-up iptables-restore < /etc/iptables.up.rules

I understand that it is best to setup a set of rules to be applied
when the network interface is down, saving it to:

/etc/iptables.down.rules

and applying in /etc/network/interfaces via:

post-down iptables-restore < /etc/iptables.down.rules

What should this set of rules look like? The exact opposite
of /etc/iptables.up.rules ? Or just a simple flush command?
Or something else altogether?

Sincerely,

Miles

Re: Question about /etc/iptables.down.rules [ In reply to ]

casper at meteor

Aug 27, 2007, 12:52 AM

Post #2 of 5 (2754 views)

Permalink

÷ ÷ÓË, 26/08/2007 × 15:51 -1000, TinyApps.Org ÐÉÛÅÔ:
> I have a very simple set of iptables rules:
>
> # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> # iptables -A INPUT -p tcp -i eth0 --dport ssh -j ACCEPT
> # iptables -I INPUT -i lo -j ACCEPT
> # iptables -A INPUT -j DROP
>
> which has been saved to /etc/iptables.up.rules .
>
> I have also modified /etc/network/interfaces to use the ruleset:
>
> iface eth0 inet static
> address x.x.x.x
> [.. interface configuration ..]
> pre-up iptables-restore < /etc/iptables.up.rules
>
> I understand that it is best to setup a set of rules to be applied
> when the network interface is down, saving it to:
>
> /etc/iptables.down.rules
>
> and applying in /etc/network/interfaces via:
>
> post-down iptables-restore < /etc/iptables.down.rules
>
> What should this set of rules look like? The exact opposite
> of /etc/iptables.up.rules ? Or just a simple flush command?
> Or something else altogether?

You can do a simple flush, but this is not required, since all rules
will be overwritten by iptables-restore when you bring network interface
up next time.

--
ðÏËÏÔÉÌÅÎËÏ ëÏÓÔÉË <casper@meteor.dp.ua>

Re: Question about /etc/iptables.down.rules [ In reply to ]

miles at tinyapps

Aug 27, 2007, 1:01 AM

Post #3 of 5 (2741 views)

Permalink

Thanks for your reply, ðÏËÏÔÉÌÅÎËÏ! (I hope that is the correct name
to use.)
My reply is at the bottom of this message:

>> I understand that it is best to setup a set of rules to be applied
>> when the network interface is down, saving it to:
>>
>> /etc/iptables.down.rules
>>
>> and applying in /etc/network/interfaces via:
>>
>> post-down iptables-restore < /etc/iptables.down.rules
>>
>> What should this set of rules look like? The exact opposite
>> of /etc/iptables.up.rules ? Or just a simple flush command?
>> Or something else altogether?
>
> You can do a simple flush, but this is not required, since all rules
> will be overwritten by iptables-restore when you bring network
> interface
> up next time.

I had stumbled across the following comment:

"But to do this really clean, we need to have a script that removes
the rules as well for when the interface goes down. Just to make sure
the rules are never added twice."

on this site:
http://my.opera.com/Jada0007/blog/show.dml/1213354

and therefore wondered if there were ever a case in which
the rules could be applied twice... by creating a /etc/
iptables.down.rules
file, I hoped to avoid such a possibility.

Sincerely,

Miles

Re: Question about /etc/iptables.down.rules [ In reply to ]

casper at meteor

Aug 27, 2007, 1:42 AM

Post #4 of 5 (2741 views)

Permalink

÷ ÷ÓË, 26/08/2007 × 22:01 -1000, TinyApps.Org ÐÉÛÅÔ:
> Thanks for your reply, ðÏËÏÔÉÌÅÎËÏ! (I hope that is the correct name
> to use.)
> My reply is at the bottom of this message:
>
> >> I understand that it is best to setup a set of rules to be applied
> >> when the network interface is down, saving it to:
> >>
> >> /etc/iptables.down.rules
> >>
> >> and applying in /etc/network/interfaces via:
> >>
> >> post-down iptables-restore < /etc/iptables.down.rules
> >>
> >> What should this set of rules look like? The exact opposite
> >> of /etc/iptables.up.rules ? Or just a simple flush command?
> >> Or something else altogether?
> >
> > You can do a simple flush, but this is not required, since all rules
> > will be overwritten by iptables-restore when you bring network
> > interface
> > up next time.
>
> I had stumbled across the following comment:
>
> "But to do this really clean, we need to have a script that removes
> the rules as well for when the interface goes down. Just to make sure
> the rules are never added twice."
>
> on this site:
> http://my.opera.com/Jada0007/blog/show.dml/1213354
>
> and therefore wondered if there were ever a case in which
> the rules could be applied twice... by creating a /etc/
> iptables.down.rules
> file, I hoped to avoid such a possibility.

man iptables-restore states:
...
-n, --noflush

don't flush the previous contents of the table. If not specified,
iptables-restore flushes (deletes) all previous contents
of the
respective IP Table.
...

So, make sure you won't use "-n" option when calling iptables-restore.

--
ðÏËÏÔÉÌÅÎËÏ ëÏÓÔÉË <casper@meteor.dp.ua>

Re: Question about /etc/iptables.down.rules [ In reply to ]

miles at tinyapps

Aug 27, 2007, 10:44 AM

Post #5 of 5 (2750 views)

Permalink

>> I had stumbled across the following comment:
>>
>> "But to do this really clean, we need to have a script that removes
>> the rules as well for when the interface goes down. Just to make sure
>> the rules are never added twice."
>>
>> on this site:
>> http://my.opera.com/Jada0007/blog/show.dml/1213354
>>
>> and therefore wondered if there were ever a case in which
>> the rules could be applied twice... by creating a /etc/
>> iptables.down.rules
>> file, I hoped to avoid such a possibility.
>
> man iptables-restore states:
> ...
> -n, --noflush
>
> don't flush the previous contents of the table. If not
> specified,
> iptables-restore flushes (deletes) all previous contents
> of the
> respective IP Table.
> ...
>
> So, make sure you won't use "-n" option when calling iptables-restore.

Thanks, ðÏËÏÔÉÌÅÎËÏ! I'm glad to hear that's all it takes.

Gratefully,

Miles