[CentOS] Putting nat routing into place permanently? -- service iptables save

Peter Farrow peter at farrows.org
Thu Nov 3 13:32:09 UTC 2005


Rc.local is used explicitly for the running of scripts after the system 
has booted.

Putting your own firewall scripts in here is a good place to put them 
rather than relying on "service iptables save". This is because the 
visibility of changes is poor when using "service iptables save": 
someone, either inadvertently or otherwise, may modify the iptables and 
re-issue a "service iptables save" and have it reloaded at boot quite 
transparently.

Having it visible in rc.local makes it easily viewable to see if it's 
been changed.

I would not trust any system hosted on the net with the rather open-ended 
"service iptables save".  The only benefit that this offers is 
that it brings the firewall up early on in the boot process, meaning at 
boot time the machine is protected sooner.

To say that putting in rc.local is "not right" is really a bit misguided...

:-)



Bryan J. Smith wrote:

>Preston Crawford <me at prestoncrawford.com> wrote:
>  
>
>>Okay, here you lost me. Are you saying we run
>>/etc/sysconfig/iptables at boot for the various runlevels?
>>    
>>
>
>Er, /etc/init.d/iptables (which will use
>/etc/sysconfig/iptables) at the various boot-levels, yes.
>E.g.,
>  # chkconfig --level 2345 iptables on
>
>/etc/sysconfig/iptables is not a directly executable script,
>it's a config file with pseudo (and quite incomplete)
>iptables lines and other info.
>
>It is written (from the rules in memory) when you run:
>  # sysconfig iptables save  
>
>  
>
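The following script is an added illustration of the point argued above; it is not code from this thread or from CentOS. It shows the two halves of the argument: a NAT policy written out as plain iptables commands, the kind of thing one can read in rc.local, and a check that reveals when a saved rules file (such as /etc/sysconfig/iptables after a "service iptables save") no longer matches a known-good baseline. The interface names, the 192.168.1.0/24 network, the iptables-save version string and the timestamps are constructed values; normalization of the dump format assumes the counter and comment layout that iptables-save produces.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Interface names, network,
# timestamps and the iptables-save version string below are constructed.

# Print (do not run) the commands for a masquerading NAT gateway.
# $1 = WAN interface, $2 = LAN interface, $3 = LAN network in CIDR form.
# Printing keeps the policy reviewable; apply it as root with: nat_rules ... | sh
nat_rules() {
    wan=$1; lan=$2; lan_net=$3
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
iptables -A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Strip the parts of an iptables-save dump that change on every save even
# when the policy does not: the timestamp comments, the per-chain and
# per-rule counters, and blank lines. What remains is the policy itself.
normalize_rules() {
    sed -e '/^# Generated by/d' \
        -e '/^# Completed on/d' \
        -e 's/ \[[0-9]*:[0-9]*\]$//' \
        -e 's/^\[[0-9]*:[0-9]*\] //' \
        -e '/^$/d' "$1"
}

# Exit 0 when two dumps describe the same policy, 1 when something differs.
# Run against /etc/sysconfig/iptables and a baseline kept under version
# control, this gives the visibility the post says a bare save lacks.
rules_match() {
    [ "$(normalize_rules "$1")" = "$(normalize_rules "$2")" ]
}

# Show what changed, in normalized form, for the case where rules_match fails.
rules_diff() {
    t1=$(mktemp); t2=$(mktemp)
    normalize_rules "$1" > "$t1"
    normalize_rules "$2" > "$t2"
    diff "$t1" "$t2"
    rc=$?
    rm -f "$t1" "$t2"
    return $rc
}

# Write a constructed iptables-save style dump to $1 with timestamp $2 and
# an optional extra filter rule $3, standing in for real saved rule files.
make_sample_dump() {
    cat > "$1" <<EOF
# Generated by iptables-save v1.3.5 on $2
*nat
:PREROUTING ACCEPT [12:720]
:POSTROUTING ACCEPT [3:180]
:OUTPUT ACCEPT [3:180]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on $2
# Generated by iptables-save v1.3.5 on $2
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$3
COMMIT
# Completed on $2
EOF
}

# Stand-alone demonstration: a re-save that changed only timestamps and
# counters is reported as unchanged; a re-save that added an ACCEPT rule
# for port 23 is reported, with the differing line shown.
if [ "${1:-}" = "demo" ]; then
    base=$(mktemp); resaved=$(mktemp); tampered=$(mktemp)
    make_sample_dump "$base" "Thu Nov  3 13:32:09 2005"
    make_sample_dump "$resaved" "Fri Nov  4 09:15:42 2005"
    make_sample_dump "$tampered" "Fri Nov  4 09:15:42 2005" \
        "-A INPUT -p tcp --dport 23 -j ACCEPT"
    nat_rules eth0 eth1 192.168.1.0/24
    rules_match "$base" "$resaved" && echo "re-save: policy unchanged"
    rules_match "$base" "$tampered" || { echo "re-save: policy CHANGED"; rules_diff "$base" "$tampered"; }
    rm -f "$base" "$resaved" "$tampered"
fi
```

Run it as `sh script.sh demo` to see both outcomes. The design choice worth noting is that the comparison is done on normalized text: a raw `diff` of two saved files would flag every save as a change because of the timestamps and counters, which is exactly the noise that makes a silently re-issued save hard to spot.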



