[CentOS] Putting nat routing into place permanently? -- service iptables save

Bryan J. Smith thebs413 at earthlink.net
Mon Nov 7 12:03:46 UTC 2005

On Mon, 2005-11-07 at 10:38 +0000, Peter Farrow wrote:
> One final point, why would you want to change a firewall on runlevel 
> changes?

Oh, I can think of many, many reasons -- from different network services
between run-levels to X11 ports.  Sometimes you want to block and/or
forward based on what is running.

> On an internet facing machine this would seem an odd and risky 
> thing to do...

That's why I said _try_ to _always_ leave the "main iptables" script
running for _all_ run-levels, then add any supplemental script as
necessary.  That way ...

1) the "main iptables" script _always_ comes up before any network

2) is _never_ taken down (except for init 0 or init 6, of course), and

3) any supplemental script can be taken up/down as appropriate for init

Furthermore, when Red Hat gets more LSB compliant in Fedora Core 5 (so
RHEL5 as well), there will be dependency checking.  That will ensure
iptables is up before any network interfaces come up, and network
interfaces are taken down if the iptables rules go down -- depending on

> Get your firewall right, and you never need to change it unless the 
> function of the box changes, certainly have a firewall change on run 
> levels seems weird to me....

That still ignores the fact that you should let the "main iptables"
script run _before_ any network interfaces come up ... not after.
Several people pointed that out.  ;->

I think you're reaching at this point -- just let it go.  Use what you
wish, but respect why many may disagree.  From what I've seen, you're
asserting things that just aren't true with regards to run-levels.

No offense, but if you don't like SysV init, run BSD.  @-ppp

Bryan J. Smith     b.j.smith at ieee.org     http://thebs413.blogspot.com
The best things in life are NOT free - which is why life is easiest if
you save all the bills until you can share them with the perfect woman
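The ordering Bryan argues for above (the main iptables script started in every multi-user runlevel, and started before the network script) is something you can verify from the rcN.d symlink names. The script below is an added example, not code from the thread or from CentOS; it takes a constructed listing of "<runlevel> <linkname>" pairs instead of reading /etc/rc.d/rcN.d, and the S08/S10 priorities in the sample mirror the chkconfig defaults of the iptables and network init scripts of that era but are constructed data here. The helper names (link_priority, check_runlevel, check_all) are mine.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the iptables init script
# starts before the network script in each multi-user runlevel and is never
# disabled (K link) there. Input is a constructed listing of rcN.d link names,
# one per line, in the form "<runlevel> <linkname>".

# Constructed sample: runlevel 2 is deliberately wrong (network before
# iptables) and runlevel 4 has no firewall link at all; 3 and 5 are correct.
SAMPLE_LINKS='2 S05network
2 S08iptables
3 S08iptables
3 S10network
4 S10network
5 S08iptables
5 S10network
5 S91supplemental-fw'

# link_priority <linkname>: print the two-digit start/stop priority,
# e.g. "S08iptables" -> 08
link_priority() {
    printf '%s\n' "$1" | sed -n 's/^[SK]\([0-9][0-9]\).*/\1/p'
}

# check_runlevel <runlevel> <listing>
# prints one of: ok, killed, missing-firewall, wrong-order
check_runlevel() {
    rl=$1
    listing=$2
    fw=$(printf '%s\n' "$listing" | awk -v r="$rl" '$1==r && $2 ~ /^S..iptables$/ {print $2}')
    killed=$(printf '%s\n' "$listing" | awk -v r="$rl" '$1==r && $2 ~ /^K..iptables$/ {print $2}')
    net=$(printf '%s\n' "$listing" | awk -v r="$rl" '$1==r && $2 ~ /^S..network$/ {print $2}')
    if [ -n "$killed" ]; then echo killed; return 0; fi
    if [ -z "$fw" ]; then echo missing-firewall; return 0; fi
    if [ -n "$net" ]; then
        fp=$(link_priority "$fw")
        np=$(link_priority "$net")
        # the firewall must have the strictly lower start number
        if [ "$fp" -ge "$np" ]; then echo wrong-order; return 0; fi
    fi
    echo ok
}

# check_all <listing>: report every multi-user runlevel; return 1 if any fails
check_all() {
    listing=$1
    rc=0
    for rl in 2 3 4 5; do
        st=$(check_runlevel "$rl" "$listing")
        echo "runlevel $rl: $st"
        [ "$st" = ok ] || rc=1
    done
    return $rc
}

check_all "$SAMPLE_LINKS" || echo "at least one runlevel violates the firewall-first ordering"
```

On a real box the listing would come from something like `ls /etc/rc.d/rc?.d` rewritten into the same two-column form; the check deliberately ignores supplemental scripts (S91supplemental-fw in the sample), since those are the per-runlevel additions the message says may come and go.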
