[CentOS] Putting nat routing into place permanently? -- service iptables save
dale at EckhardtTrading.com
Fri Nov 4 16:42:45 UTC 2005
Peter Farrow wrote:
>Rc.local is used explicitly for the running of scripts after the system
>Putting your own firewall scripts in here is a good place to put them
>rather than relying on "service iptables save", this is because the
>visibility of changes is poor when using the "service iptables save"
>some one either inadvertantly or otherwise may modify the iptables and
>re-issue a "service iptables save" and have it reloaded at boot quite
Visibility aside, isn't rc.local much too late for setting up iptables?
My /etc/rc.d/rc3.d/ has an S08iptables and an S10network, then lots more,
including an S99local, and then after all this, rc.local is run. By this
time, the network has already been up. It seems to me that if you want
to do some iptables setup, it must be done before S10network, or it
leaves a short-time security hole.
Personally, I set up the iptables I want and then do
service iptables save
If I was worried about changes, I guess I'd modify S08iptables to check
that nothing has changed, or add an S07checkiptables script.
(This is my first post to this mailing list, so I hope I've done it
More information about the CentOS