Additional Context (may be skipped)
I'm trying to set up psad on my system, which requires adding the rule `iptables -A INPUT -j LOG` to iptables. Of course, this rule will get flushed upon reboot, so I looked into ways of making it persistent (of which there are many).
While the `iptables-persistent` package seems to be the most convenient solution, I cannot use it, as it clashes with the docker daemon running on the system: `iptables-persistent` just runs `iptables-restore < /etc/iptables/rules.v4` without the `-n` flag, which may destroy any changes to iptables from the docker daemon.
Actual Question
So I didn't want to disable the automatic iptables rules from the docker daemon entirely, as it just creates a huge maintenance hassle, so I just added a script

```bash
#!/bin/bash
iptables-restore -n < /etc/network/iptables.rules
```

to `/etc/network/if-pre-up.d` with `chmod +x` and saved the configuration without the docker rules with `iptables-save > /etc/network/iptables.rules`.
The file `iptables.rules` then just says

```
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -j LOG
```
But when I reboot the system, I see the rule `-A INPUT -j LOG` three times. My current guess is that this may be because `/etc/network/firewall` gets executed multiple times (because there are multiple interfaces??).
How do I resolve this issue? Note that `rc.local` is deprecated and not meant for this purpose, as it is not run when the iptables service is restarted.
Best Answer
In the end I just created a systemd service that runs the script once and removed it from `if-pre-up.d`.
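The approach from the accepted answer, written out as an added example that is not part of the original question or answer. A `Type=oneshot` unit restores the saved rules exactly once at boot instead of once per interface (`ifup` runs every script in `if-pre-up.d` for each interface it brings up, and because `-n` flushes nothing, every run appended the LOG rule again). The rules path is the one from the question; the unit name `iptables-restore-once.service`, the ordering against `network-pre.target` and `docker.service`, and the helper functions are assumptions made here.

```bash
#!/bin/sh
# Added example, not code from the original post. Assumptions: the saved rules live
# in /etc/network/iptables.rules (as in the question); the unit name and ordering
# below are choices made here, not something the answer specifies.

# Emit the unit file. DefaultDependencies=no plus Before=network-pre.target puts the
# restore ahead of any interface configuration; Before=docker.service makes sure the
# docker daemon adds its own rules afterwards, and -n (--noflush) keeps them intact
# if the unit ever runs again. The redirect needs a shell, so ExecStart wraps it in sh.
unit_text() {
    cat <<'EOF'
[Unit]
Description=Restore saved iptables rules once at boot (no flush)
DefaultDependencies=no
Before=network-pre.target docker.service
Wants=network-pre.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/sh -c '/sbin/iptables-restore -n < /etc/network/iptables.rules'

[Install]
WantedBy=multi-user.target
EOF
}

# Write the unit to its path (default: the systemd drop-in directory for local units).
install_unit() {
    unit_text > "${1:-/etc/systemd/system/iptables-restore-once.service}"
}

# Count how often the LOG rule appears in `iptables -S INPUT` output read from stdin.
# Exactly 1 after a reboot means the restore ran once; 3 reproduces the symptom above.
count_log_rules() {
    awk '/^-A INPUT -j LOG$/ { n++ } END { print n + 0 }'
}

# Constructed sample of `iptables -S INPUT` as it looked in the question after reboot.
SAMPLE_AFTER_REBOOT='-P INPUT ACCEPT
-A INPUT -j LOG
-A INPUT -j LOG
-A INPUT -j LOG'

# Stand-alone demo: show the unit and the duplicate count for the constructed sample.
unit_text
printf 'LOG rule count in constructed sample: %s\n' \
    "$(printf '%s\n' "$SAMPLE_AFTER_REBOOT" | count_log_rules)"
```

To use it: run `install_unit` as root (or paste the output of `unit_text` into `/etc/systemd/system/iptables-restore-once.service`), then `systemctl daemon-reload && systemctl enable iptables-restore-once.service`, and delete the script from `/etc/network/if-pre-up.d`. After the next reboot `iptables -S INPUT | count_log_rules` should print `1`. Because `-n` appends rather than replaces, a manual `systemctl restart` of the unit would add a second copy of the rule; `RemainAfterExit=yes` keeps a plain `start` from re-running it while it is already active, and an explicit `iptables -C INPUT -j LOG` check before the restore would make re-runs idempotent if that matters on your system.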