# Modify iptables rules on interface state changes...

## The_Great_Sephiroth

I am trying to figure out the best way to modify iptables rules when an interface comes up or goes down. I use NetworkManager. For VPN (ppp) connections this is simple. I simply add a small script to add or remove the rules to /etc/ppp.d/ip-up.d or /etc/ppp.d/ip-down.d and all is good. How can I do this with both my wired and wireless connections? I always allow all traffic on loopback, of course.

Just to be clear, what I am looking for is for everything to be dropped except loopback traffic. Once the wired (enp0s25) and wireless (wlp12s0) interfaces come up, rules are added for them individually. If I bring down the wireless, such as with the switch on the side of my PC, those rules are deleted. If I turn it on again, the rules are added again. How can I do this?

----------

## szatox

> Just to be clear, what I am looking for is for everything to be dropped except loopback traffic

Well... Don't bring your interfaces up?

Or use this:

```shell
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
```

I've just noticed I have accidentally made a high-speed train.

----------

## The_Great_Sephiroth

What I meant was drop everything by default except on lo. Once something like enp0s25 comes up, apply rules which allow everything out, but only SMB and SSH in. I know how to write the rules, but I do not know how to apply them when an interface changes its state.

----------

## Ant P.

So you want... disabling the wireless to also remove your wired network access?

----------

## The_Great_Sephiroth

No, I have a set of rules for each interface. For example, I only allow SSH on my wired interface since my wireless interface is normally used while on the go and at public places. Same for SMB.

----------

## Ant P.

What are you trying to achieve exactly that requires this deleting of rules every time an interface is down? What problem are you currently having by leaving them there as the first reply suggests?

----------

## The_Great_Sephiroth

A lot of times I do not have my wireless active. During this time, the rules for my WLAN are still active. On other distros if I applied a rule for an interface which did not exist, I got a warning. I was just trying to fix those being logged.

----------

## Hu

No warnings should be generated by iptables for missing interfaces.  Perhaps you should tell us what is logging the junk warnings so we can help you fix that.

----------

## The_Great_Sephiroth

I'll check. They may not be logged in Gentoo. In Debian I would get a warning about the interface not existing. I may have been attempting to stomp a bug that didn't exist in Gentoo.

----------

## UberLord

If you use dhcpcd to manage your interfaces, dhcpcd will call out to dhcpcd-run-hooks(8) for each state transition, so you can manage your iptables modifications in /etc/dhcpcd.exit-hook.

dhcpcd can also run this for your ppp interfaces, allowing you to centralise this.

----------
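The hook the original poster is asking for, as an added example that is not code from the thread, from NetworkManager or from dhcpcd: one script that works both as a NetworkManager dispatcher script (NetworkManager runs it with the interface and the action as its two arguments) and as the /etc/dhcpcd.exit-hook UberLord mentions (dhcpcd-run-hooks sources it with $interface and $reason set). The interface names and the SSH/SMB-only-on-wired policy come from the thread; the per-interface chain naming, the port list, the event mapping and the file name are my assumptions. It assumes the base policy (DROP on INPUT/OUTPUT/FORWARD, ACCEPT on lo) is loaded once at boot and only adds or removes the chain belonging to the interface that changed state.

```shell
#!/bin/sh
# Added example, not from the thread. Two ways to install the same file:
#  * NetworkManager: copy to /etc/NetworkManager/dispatcher.d/50-iface-fw
#    (root-owned, mode 0755). NM runs it with $1 = interface, $2 = action
#    ("up", "down", "vpn-up", "vpn-down", ...).
#  * dhcpcd: append to /etc/dhcpcd.exit-hook, which dhcpcd-run-hooks sources
#    with $interface and $reason set (CARRIER, NOCARRIER, BOUND, STOP, ...).
# Set IPTABLES=echo to dry-run as an unprivileged user.
IPTABLES="${IPTABLES:-iptables}"

# Assumed policy from the thread: SSH and SMB inbound only on the wired link,
# nothing inbound on wireless (used in public places), everything outbound.
allowed_tcp_ports() {
    case "$1" in
        enp0s25) echo "22 139 445" ;;
        *)       echo "" ;;
    esac
}

# One chain per interface (assumed naming) so teardown is flush + delete
# instead of a list of -D lines that must mirror every -A line exactly.
chain_for() { printf 'IN_%s\n' "$1"; }

iface_down() {
    iface="$1"; chain=$(chain_for "$iface")
    # Every step may legitimately find nothing to remove, so ignore failures.
    "$IPTABLES" -D INPUT  -i "$iface" -j "$chain" 2>/dev/null || true
    "$IPTABLES" -D OUTPUT -o "$iface" -j ACCEPT   2>/dev/null || true
    "$IPTABLES" -F "$chain" 2>/dev/null || true
    "$IPTABLES" -X "$chain" 2>/dev/null || true
}

iface_up() {
    iface="$1"; chain=$(chain_for "$iface")
    iface_down "$iface"   # idempotent: clear leftovers from an earlier "up"
    "$IPTABLES" -N "$chain"
    "$IPTABLES" -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for port in $(allowed_tcp_ports "$iface"); do
        "$IPTABLES" -A "$chain" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    "$IPTABLES" -A "$chain" -j DROP
    # Only traffic arriving on this interface is sent to its chain.
    "$IPTABLES" -A INPUT  -i "$iface" -j "$chain"
    "$IPTABLES" -A OUTPUT -o "$iface" -j ACCEPT
}

# Map the caller's event to up/down. NetworkManager passes positional args;
# dhcpcd exports $interface/$reason and passes nothing.
handle_event() {
    case "$1:$2" in
        *:up|*:CARRIER)                      iface_up   "$1" ;;
        *:down|*:NOCARRIER|*:STOP|*:DEPARTED) iface_down "$1" ;;
        *) : ;;   # vpn-up/vpn-down, BOUND, RENEW, PREINIT etc.: nothing to do
    esac
}

# Loopback is never touched here: its ACCEPT rules live in the base ruleset.
if [ "$#" -eq 2 ] && [ "$1" != lo ]; then
    handle_event "$1" "$2"                    # NetworkManager dispatcher
elif [ -n "${interface:-}" ] && [ "$interface" != lo ]; then
    handle_event "$interface" "${reason:-}"   # dhcpcd exit hook
fi
```

Dry-run it without root to see what it would issue, e.g. `IPTABLES=echo ./50-iface-fw wlp12s0 up`. Because the base INPUT policy is DROP, the short gap between the link coming up and the dispatcher running fails closed rather than open, and because the "up" path reruns the teardown first, a repeated up event for the same interface cannot leave duplicate rules behind.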

## szatox

I really don't know why you're trying to write rules for every single interface and only apply them when the interface is active. Rules for inactive interfaces do nothing anyway, as there is no traffic they can filter. What's the problem?

You want to block everything? Good, just do that. Don't block eth0, then wlan0, then tap0. Just block all incoming traffic instead of checking its source and, if the condition matches, blocking it, and if it doesn't match, blocking it anyway.

If you want to block all incoming traffic except for SSH, then so be it.

```shell
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
```

will let SSH in.

```shell
iptables -P INPUT DROP
```

will still keep all other traffic away.

Generic over specific, and keep things simple. Well, at least unless you're doing it just for the sake of doing it.

----------
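The static alternative szatox and Hu argue for, as an added example that is not from the thread: a single ruleset loaded once at boot, with the per-interface distinction expressed by `-i`/`-o` matches instead of hooks. A rule that names an interface which is currently absent simply never matches, so nothing has to be added or removed when wireless is switched off. The interface names and the SSH/SMB-only-on-wired policy are the original poster's; the conntrack and multiport details and the helper name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a static iptables-restore ruleset with
# the wired/wireless split done by interface match, so it is loaded once
# (for example by the iptables init script's saved-rules file) and left alone.
base_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback is always open.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to outbound connections, whichever interface they arrive on.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Wired only: SSH and SMB (NetBIOS session and direct SMB) may open new connections.
-A INPUT -i enp0s25 -p tcp -m multiport --dports 22,139,445 -m conntrack --ctstate NEW -j ACCEPT
# Wireless: no new inbound connections at all; the INPUT policy drops them.
# Everything outbound on both links.
-A OUTPUT -o enp0s25 -j ACCEPT
-A OUTPUT -o wlp12s0 -j ACCEPT
COMMIT
EOF
}

# Count the INPUT rules in the generated ruleset (used as a sanity check).
input_rule_count() { base_ruleset | grep -c '^-A INPUT'; }
```

Load it with `base_ruleset | iptables-restore` as root; on iptables versions that support it, `base_ruleset | iptables-restore --test` parses the ruleset without committing it, and running it with wlp12s0 switched off shows the point of the thread: the load succeeds whether or not the interface exists at that moment.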

