Re: How to automate iptables-restore

On 12/15/2016 10:17 AM, jd1008 wrote:
> Following up on recent posts re: masking and disabling firewalld,
> I wanted to understand how to automate
> /usr/sbin/iptables-restore < /etc/sysconfig/my_iptables

The standard spot to keep your iptables configs before firewalld is in
the "/etc/sysconfig/iptables" file. That was true for years.

By default "systemctl start iptables" will do an iptables-restore from
the "/etc/sysconfig/iptables" file. On shutdown, "systemctl stop
iptables" will do an iptables-save to the "/etc/sysconfig/iptables"
file.

If you want to use a different file to store your configs, you need to
edit the /usr/lib/systemd/system/iptables.service file and modify the
line:

	ConditionPathExists=/etc/sysconfig/iptables

to reflect the file you want to use, e.g.

	ConditionPathExists=/etc/sysconfig/my_iptables

Don't forget to do a "systemctl daemon-reload" if you modify the service
file.

You will also have to modify the /usr/libexec/iptables/iptables.init
file. In there you'll see this construct:

	IPTABLES=iptables
	IPTABLES_DATA=/etc/sysconfig/$IPTABLES

so changing the first line to:

	IPTABLES=my_iptables

will make the second line set the IPTABLES_DATA variable to point at
/etc/sysconfig/my_iptables. IPTABLES_DATA is the variable used in the
remainder of that script as the storage point.

Really, it's just easier to use the standard /etc/sysconfig/iptables
file. That would keep you consistent with the pre-firewalld mechanisms
on older Fedora/CentOS/RHEL platforms that had been used for years.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@xxxxxxxxxxxxxx -
- AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
-                                                                    -
-  Money won't buy happiness, but it will pay the salary of a large  -
-        research staff to study the problem. - Bill Vaughan         -
----------------------------------------------------------------------
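
The two edits described in the message have to name the same file: systemd skips (rather than fails) a unit whose ConditionPathExists path is missing, so a mismatch can leave the host without its rules loaded. The following is an added example, not part of the original message or of the iptables package; the function names are hypothetical and the sample files are constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example: verify that iptables.service and iptables.init agree on the
# rules file. Function names are hypothetical; sample files are constructed.

# Path named by ConditionPathExists= in a unit file.
unit_condition_path() {
    sed -n 's/^ConditionPathExists=//p' "$1" | head -n 1
}

# Value IPTABLES_DATA ends up with in the init script, expanding $IPTABLES.
init_data_path() {
    name=$(sed -n 's/^IPTABLES=//p' "$1" | head -n 1)
    sed -n 's/^IPTABLES_DATA=//p' "$1" | head -n 1 |
        sed "s|[\$]{IPTABLES}|$name|g; s|[\$]IPTABLES|$name|g"
}

# Return 0 when both files point at the same rules file, 1 otherwise.
check_iptables_paths() {
    cond=$(unit_condition_path "$1")
    data=$(init_data_path "$2")
    if [ -n "$cond" ] && [ "$cond" = "$data" ]; then
        echo "OK: both use $cond"
    else
        echo "MISMATCH: unit checks '$cond' but init script loads '$data'"
        return 1
    fi
}

# Write constructed stand-ins for the two files.
# $1 = directory, $2 = value assigned to IPTABLES in the init script
make_samples() {
    printf '[Unit]\nConditionPathExists=/etc/sysconfig/my_iptables\n' \
        > "$1/iptables.service"
    printf 'IPTABLES=%s\nIPTABLES_DATA=/etc/sysconfig/$IPTABLES\n' "$2" \
        > "$1/iptables.init"
}

tmp=$(mktemp -d)
make_samples "$tmp" iptables        # only the unit file was edited
check_iptables_paths "$tmp/iptables.service" "$tmp/iptables.init" || :
make_samples "$tmp" my_iptables     # both edits applied
check_iptables_paths "$tmp/iptables.service" "$tmp/iptables.init"
rm -rf "$tmp"
```

On a real host, pass /usr/lib/systemd/system/iptables.service and /usr/libexec/iptables/iptables.init as the two arguments. Re-run it after package updates, since both files belong to the package and an update can replace the edits.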