Debian Networking – Fix /etc/network/if-pre-up.d/iptables Being Ignored

debianiptablesnetworking

I want my iptables rules to automatically be loaded on startup. According to the wiki on Debian this can be done by placing a script with the name iptables in /etc/network/if-pre-up.d/ So I did, this is what it looks like:

cat /etc/network/if-pre-up.d/iptables 
#!/bin/sh
/sbin/iptables-restore < /etc/firewall/iptables.rules
/sbin/ip6tables-restore < /etc/firewall/ip6tables.rules

This script works: if I run it as root my firewall rules get applied. But on reboot there are no firewall rules. What am I doing wrong?

On request: the /etc/network/interfaces (I did not touch this file)

user@DebianVPS:~$ cat /etc/network/interfaces 
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp

Best Answer

Use the iptables-persistent package for this task.

Define your rules in /etc/iptables/rules.4 and /etc/iptables/rules.6 and don't forget to activate the service (using update-rc.d, chkconfig or you favourite tool.

Related Solutions

Debian – Bringing up network interface without IP configured in Debian, for XEN dom0

Oh dear... I think you're trying to use the Xen bridging stuff, which is just dire. Set network-script network-dummy in xend-config.sxp, then go with this config:

iface lo
iface lo inet loopback

# Local network, cable labeled M3
auto eth0
allow-hotplug eth0
iface eth0 inet static
    address 192.168.1.184
    netmask 255.255.255.0
    gateway 192.168.1.1

# cable labeled M1
iface eth1 inet manual
    hwaddress ether 00:19:5B:33:86:D5

# cable labeled M2
iface eth2 inet manual
    hwaddress ether 00:19:5B:33:86:D3

auto br-eth1
iface br-eth1 inet manual
  bridge_ports eth1

auto br-eth2
iface br-eth2 inet manual
  bridge_ports eth2

What you then do is tell the domUs to use either the br-eth1 or br-eth2 bridge (as appropriate). Given that you've got cable labelling happening, I'd change the bridge names to something more useful, like perhaps m1 and m2.

Linux – Port forward + openVPN + iptables

Try these rules on your gateway:

-A PREROUTING -i $VPN_INTERFACE -p tcp -m tcp --dport 80 -j DNAT --to-destination $INTERNAL_IP_DESTINATION:80
-A POSTROUTING -o $VPN_INTERFACE -j SNAT --to-source $VPN_IP_OF_SERVER
-A POSTROUTING -o $LAN_INTERFACE -j SNAT --to-source $LAN_IP_OF_SERVER

1st. one makes the port forwarding.
2nd. makes the source nat so every packet comming out of the VPN uses the server IP
3rd. makes the packets forwarded to the internal IP, have the soure nat of the server lan ip

Best Answer

Related Solutions

Debian – Bringing up network interface without IP configured in Debian, for XEN dom0

Linux – Port forward + openVPN + iptables

Related Topic