[CentOS] Putting nat routing into place permanently? -- /etc/rc.d/rc.local v. /etc/init.d/custom scripts

Bryan J. Smith thebs413 at earthlink.net
Thu Nov 3 15:22:49 UTC 2005 

Peter Farrow <peter at farrows.org> wrote:
> Rc.local is used explicitly for the running of scripts
> after the system has booted.

And most other Linux/UNIX implementations offer such as well.
 (some use a S99local symlink for the run-level so you can
turn it off).

However, I still prefer a dedicated script in /etc/init.d/
instead of /etc/rc.d/rc.local with start|stop|status|etc...

If you want, you can have that replace iptables (disable the
iptables).  In some cases, I do that.  In other cases, I have
my init.d script call the iptables to flush/reload/etc... as
appropriate.  I try to accomodate any set of changes.

> Putting your own firewall scripts in here is a good place
> to put them rather than relying on "service iptables save",
> this is because the visibility of changes is poor when
using
> the "service iptables save" some one either inadvertantly
or
> otherwise may modify the iptables and re-issue a "service
> iptables save" and have it reloaded at boot quite
> transparently.

Unfortunately, that doesn't address this issue if someone
modifies iptables and your changes in rc.local don't address
those (i.e., conflict) any better than "save" or an
additional /etc/init.d/ script.

Additionally, Which I _always_ run this command whenever I
modify _anything_ in /etc:  
  ci -l (file)

E.g.,
  cd /etc/sysconfig/
  [ ! -d RCS ] && mkdir RCS   (<-- optional)
  ci -l iptables

Now if anything changes the rules, I can run:  
  rcsdiff iptables

And know about it.

This is how I catch 95% of my client's admins who say "oh, I
didn't modify anything."  Sure enough, when I show them the
_exact_changes_ -- line-by-line -- they instantly confess.

I'd saved my butt countless times.  E.g., Windows/Exchange
admins who complain about DNS NS or MX records in our domain,
and accuse me of changing things.  I can show every single
modification over months at a client by always remembering to
RCS check-in my files.

In the end, it's really a matter of discipline, _regardless_
of how you do it.  No way is better than another -- although
having exact diffs of any changes at least shows you the
changes.

[ In fact, I sure wish RPM upgrades would run an RCS check-in
instead of renaming configuration files as .rpmnew and
.rpmsave. ] 

> Having it visible in rc.local makes it easily viewable to
> see if its been changed.

And using RCS check-ins gives you much greater detail,
regardless of what script you pick.

> I would not trust any system hosted on the net with the
> rather open ended "service iptables save".  The only
> benefit that this offers is that it brings the filewall up
> early on in the boot process, meaning at boot time the
> machine is protected sooner.

And creating your own /etc/init.d/ script would do the same
as well -- another advantage over /etc/rc.d/rc.local.

If you haven't noticed, I'm not advocating that you "have to
use" the "save" parameter to the "iptables" script (which
saves to /etc/sysconfig/iptables/).  I'm merely saying it's
best to use the /etc/init.d/ facilities -- be it the stock
iptables script, or your own in conjuction or replacement of
it.

I really try to avoid the "free for all" and "always at the
end" /etc/rc.d/rc.local -- except for maybe temporary,
boot-time debugging/resolution.

> To say that putting in rc.local is "not right" is really a
> bit misguided... :-)

I do _not_ think I _ever_ said that, nor did anyone else
(I'll have to go back through the archives to check others).

In fact, until this post, I don't think I said I even avoided
/etc/rc.d/rc.local.  If I'm going to do things more than
once, I like to create /etc/init.d/ scripts.

Of course, I'm anal on LSB too (I guess that started once I
got involved with LPI's exam writing events ;-).

> Furhtermore, some of my firewall scripts have conditions
> in them, which change the behaviour of the firewall when
> it runs depending on certain external criteria, can't see
> that happening in "service iptables save"

Not only do I agree with you, but I cited that exact point in
my post:  
http://lists.centos.org/pipermail/centos/2005-November/014223.html

  'If I have to do more complex things, I then write my own
   init script -- something that typically calls iptables
   after a flush of any tables so I start with "Red Hat's
   settings" before modifying them ...
   ... With some monitoring scripts, I bring up and take
   down all sorts of rules regularly by flushing, reloading
   and then running iptables and iproute2 commands.  The
   only 2 scripts -- in addition to the resident Perl
   script -- I use are the Red Hat iptables (initially
   setup and then "saved") and then my own "meshrouter"
   (it is a continually self-healing mesh network, so this
   is run and it modifies all sorts of things when faults
   are detected) scripts.'

Once again, I'll point out that creating a /etc/init.d/
script  is far more flexible.  You can put conditional
parameters, and reload, restart, statuc, etc... -- unlike
putting something in /etc/rc.d/rc.local.

And, lastly, I cannot emphasize using RCS liberally on
anything in /etc/.  You don't have to setup a repository,
just run "ci -l filename" and you've got a local ",v"
(versions) file.  Just do it everything you modify something
-- sometimes before (the check-in will tell you whether or
not it's been modified since your last check-in).


-- 
Bryan J. Smith                | Sent from Yahoo Mail
mailto:b.j.smith at ieee.org     |  (please excuse any
http://thebs413.blogspot.com/ |   missing headers)

More information about the CentOS mailing list