[CentOS] Putting nat routing into place permanently? -- service iptables save

Fri Nov 4 20:13:07 UTC 2005
Bryan J. Smith <thebs413 at earthlink.net>

Dale Dellutri <dale at EckhardtTrading.com> wrote:
> Visibility aside, isn't rc.local much too late for setting
> up iptables?

As at least 1 other has mentioned as well.

> My /etc/rc.d/rc3.d/ has an S08iptables and an S10network,
> then lots more, including an S99local, and then after all 
> this, rc.local is run.

FYI ... (Fedora Core 3) ...
  $ ls -la /etc/rc5.d/S99local
  ... /etc/rc5.d/S99local -> ../rc.local

> By this time, the network has already been up.  It seems to
> me that if you want to do some iptables setup, it must be
> done before S10network, or it leaves a short-time security
> hole.

Again, as at least 1 other has mentioned as well.

> Personally, I set up the iptables I want and then do
>    service iptables save
> If I was worried about changes, I guess I'd modify
> S08iptables to check that nothing has changed, or add an
> S07checkiptables script.

Such can be done with a conditional like ...
  [ "`rcsdiff /etc/sysconfig/iptables`" != "" ]

Which will return true if the file hasn't changed from the
last RCS check-in (which should be the last edit ;-).

> (This is my first post to this mailing list, so I hope I've
> done it correctly.)

Wrong!  @-ppp


-- 
Bryan J. Smith                | Sent from Yahoo Mail
mailto:b.j.smith at ieee.org     |  (please excuse any
http://thebs413.blogspot.com/ |   missing headers)
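The "S07checkiptables" idea above, as an added example that is not part of the original post: instead of rcsdiff it keeps a SHA-256 baseline recorded right after `service iptables save`, and a boot-time check refuses to proceed when the saved rules file has drifted. The file paths are hypothetical, `sha256sum` (GNU coreutils) is assumed, and the demo runs on constructed temp files rather than /etc/sysconfig/iptables.

```shell
#!/bin/sh
# Drift check for a saved iptables rules file (added example, not from
# the original post). Record a baseline after `service iptables save`;
# an early init script (S07-style) then verifies the file before the
# firewall is loaded and the network comes up.

# record_baseline RULES BASELINE: store the SHA-256 of RULES in BASELINE.
record_baseline() {
    sha256sum "$1" | awk '{print $1}' > "$2"
}

# check_unchanged RULES BASELINE
#   exit status 0 = unchanged, 1 = modified since baseline,
#   2 = no baseline recorded (treat as a failure, not as "ok")
check_unchanged() {
    rules=$1; baseline=$2
    [ -r "$baseline" ] || return 2
    expected=$(cat "$baseline")
    actual=$(sha256sum "$rules" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# Demo on constructed files standing in for /etc/sysconfig/iptables.
demo_dir=$(mktemp -d)
rules="$demo_dir/iptables"
baseline="$demo_dir/iptables.sha256"
cat > "$rules" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
record_baseline "$rules" "$baseline"
check_unchanged "$rules" "$baseline" && unchanged_rc=0 || unchanged_rc=$?

# Simulate an unreviewed edit that opens the default INPUT policy.
sed 's/^:INPUT DROP/:INPUT ACCEPT/' "$rules" > "$rules.new" && mv "$rules.new" "$rules"
check_unchanged "$rules" "$baseline" && changed_rc=0 || changed_rc=$?

echo "before edit: rc=$unchanged_rc, after edit: rc=$changed_rc"
```

In a real S07 script the non-zero branch would log to the console and leave the network down until someone reviews the change.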