On Sun, 26/08/2007 at 22:01 -1000, TinyApps.Org writes:
> Thanks for your reply, Покотиленко! (I hope that is the correct name
> to use.)
> My reply is at the bottom of this message:
>
> >> I understand that it is best to set up a set of rules to be applied
> >> when the network interface is down, saving it to:
> >>
> >> /etc/iptables.down.rules
> >>
> >> and applying in /etc/network/interfaces via:
> >>
> >> post-down iptables-restore < /etc/iptables.down.rules
> >>
> >> What should this set of rules look like? The exact opposite
> >> of /etc/iptables.up.rules ? Or just a simple flush command?
> >> Or something else altogether?
> >
> > You can do a simple flush, but this is not required, since all rules
> > will be overwritten by iptables-restore when you bring the network
> > interface up next time.
>
> I had stumbled across the following comment:
>
> "But to do this really clean, we need to have a script that removes
> the rules as well for when the interface goes down. Just to make sure
> the rules are never added twice."
>
> on this site:
> http://my.opera.com/Jada0007/blog/show.dml/1213354
>
> and therefore wondered if there were ever a case in which
> the rules could be applied twice... by creating a /etc/iptables.down.rules
> file, I hoped to avoid such a possibility.

man iptables-restore states:

...
-n, --noflush    don't flush the previous contents of the table. If not
specified, iptables-restore flushes (deletes) all previous contents of
the respective IP Table.
...

So, make sure you won't use the "-n" option when calling iptables-restore.

-- 
Покотиленко Костик <casper@xxxxxxxxxxxx>
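The advice above boils down to one check: no interface hook may call iptables-restore with -n/--noflush, because that is the only way the "up" rules could be appended on top of the rules already loaded. The following script is an added example, not part of the thread; it lints interfaces(5)-style stanzas for that mistake, and the two sample stanzas and their paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): flag pre-up/post-down hooks that run
# iptables-restore with -n/--noflush. With that option the restore appends
# to the running tables instead of replacing them, so bringing the
# interface up again would load the same rules twice.

# check_noflush FILE
# Prints every hook line in FILE that calls iptables-restore with
# -n or --noflush. Returns 0 if there are none, 1 if at least one was found.
check_noflush() {
    file="$1"
    # hook lines: optional indentation, then pre-up/up/post-up/pre-down/down/post-down
    hits=$(grep -nE '^[[:space:]]*(pre-|post-)?(up|down)[[:space:]].*iptables-restore' "$file" \
           | grep -E -- '(^|[[:space:]])(-n|--noflush)([[:space:]]|$)' || true)
    if [ -n "$hits" ]; then
        printf 'noflush restore in %s:\n%s\n' "$file" "$hits"
        return 1
    fi
    return 0
}

# Constructed samples: one stanza written the way the thread recommends,
# one that (wrongly) passes -n on the post-down restore.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/interfaces.good" <<'EOF'
auto eth0
iface eth0 inet dhcp
    pre-up iptables-restore < /etc/iptables.up.rules
    post-down iptables-restore < /etc/iptables.down.rules
EOF
cat > "$TMP/interfaces.bad" <<'EOF'
auto eth0
iface eth0 inet dhcp
    pre-up iptables-restore < /etc/iptables.up.rules
    post-down iptables-restore -n < /etc/iptables.down.rules
EOF

for f in "$TMP/interfaces.good" "$TMP/interfaces.bad"; do
    if check_noflush "$f"; then
        echo "ok: $f"
    fi
done
```

Run it against a real /etc/network/interfaces by calling check_noflush on that path; a non-zero exit means a hook would append rather than replace the table.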