# edit iptables config for relocation

## petr999

Can I setup static iptables rules elsewhere in Gentoo's RC/init without actually applying them?

I mean to relocate the Gentoo machine to a different place, and therefore to a different IP address; I need to change the IP address in every configuration setting but not actually apply it while the machine is still in the old place with the old IP address.

I need to schedule the proper shutdown at the appointed time, typically it's too early in the morning.

Then, the data center employees take the Gentoo machine to the truck, relocate it and plug it in the different place.

This may happen at any time of the day and I'm not alerted at the exact time this happens.

For FreeBSD I have my ipfw.rules and for RedHat-derived I have something like /etc/sysconfig/iptables for this.

But not on Gentoo, because /var/lib/iptables/rules-save gets rewritten on every shutdown. This is probably needed for saving the packet and byte counts, which makes no sense to me.

I'm quite confused to see no such feature on the surface, because it is a must for production survival.

Probably I may want to temporarily disable the init.d/iptables save from executing on shutdown? But there seems to be no such feature, separate from the iptables start/stop enable/disable itself, that can be enabled in Gentoo's RC/init.

Thank you.

----------

## Sadako

Check out /etc/conf.d/iptables, where not only can you disable "SAVE_ON_STOP" (which is of no use to me, either), but also change the location of the rules save file with the "IPTABLES_SAVE" variable.

----------

## Hu

Although obviously weaker than requiring an exact IP match, a workaround may be to rewrite your rules to filter by interface instead of destination address.  For example, restrict traffic entering on wan0, but allow lan0.  This way, as long as the data center plugs wan0 into the upstream link and lan0 into the downstream, your rules will do the right thing without knowing the exact addresses.

----------

## d2_racing

Also, you should create a .sh file that actually contains the rules that you want to keep.

Like I did here : http://gentoo-quebec.org/wiki/index.php/Utilisation_de_Iptables_pour_un_seul_ordinateur

----------

## Hu

Such scripts can be useful for debugging, but relying on them long term can get you into trouble if the kernel is ever built without support for one of your rules.  Depending on the script, the script will either ignore the error and continue, which could leave your firewall in a vulnerable state or it might stop at the failed line, which also could leave the firewall in a vulnerable state.  I suggest instead saving off a copy of the iptables-save contents, which can be loaded atomically.  This way, you can start the firewall in a fail-safe or fail-secure setting (depending on preference) and then atomically load the saved rules.  If the kernel refuses the saved rules, the firewall is not left in a half configured state.

----------

## Sadako

*Hu wrote:*

> Such scripts can be useful for debugging, but relying on them long term can get you into trouble if the kernel is ever built without support for one of your rules.  Depending on the script, the script will either ignore the error and continue, which could leave your firewall in a vulnerable state or it might stop at the failed line, which also could leave the firewall in a vulnerable state.

While this is very true, you can have the best of both worlds.

Just "echo" your rules within the script, rather than loading them via /sbin/iptables, followed by an `echo COMMIT`, and pipe all this output to iptables-restore, which is essentially the same thing done via the init script.

There is a little more to it than that, of course, as the rules have to follow the syntax of the typical files generated by iptables-save, so for example you'd need 'echo ":FOO - [0:0]"' to create chain "FOO", and something similar for setting default policies, but sed could take care of that for you easily.

You could also do this:

```
/sbin/iptables-restore <<-EOF
# a table header is required: iptables-restore rejects -A lines before "*table"
*filter
-A INPUT ${FOO} ${BAR}
# yadda yadda yadda (further rules; iptables-restore skips comment lines)
COMMIT
EOF
```

which will give you the use of variables alongside the robustness of using iptables-restore for loading the rules, but doesn't allow the use of conditional statements or loops.

Hmm, now you've got me thinking of an alternative iptables init script which could load via iptables-restore from scripts rather than straight files, one script per table and a common config file, should actually be fairly simple to put together...

----------

## Hu

Yes.  For the systems where I need dynamic rules, I have a perl script to translate a template file into something suitable for consumption by iptables-restore.  It uses auxiliary configuration files to learn things like the IP address of an interface, then splices that into the template.  This also provides a good separation of logic from variable state.  The perl script is portable across systems, while the templates are specific to each system's purpose.
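Putting Sadako's generate-then-pipe idea and Hu's template-plus-atomic-load approach into one script, as an added example that is not code from this thread or from Gentoo's init scripts; WAN_IF, LAN_IF, NEW_IP and SSH_FROM are constructed placeholder values (RFC 5737 documentation addresses) standing in for the auxiliary config file Hu describes:

```shell
#!/bin/sh
# Added example, not code from the thread: turn shell variables into an
# iptables-save style ruleset, save it for the init script, or load it in
# one atomic step. The four values below are constructed placeholders.
WAN_IF="${WAN_IF:-wan0}"
LAN_IF="${LAN_IF:-lan0}"
NEW_IP="${NEW_IP:-203.0.113.10}"          # address after the relocation
SSH_FROM="${SSH_FROM:-198.51.100.0/24}"   # management net allowed to ssh

# Emit the ruleset on stdout. ":CHAIN POLICY [0:0]" lines replace
# "iptables -N" / "iptables -P"; a table starts with "*name" and ends with
# COMMIT. Variables expand because the EOF delimiter is unquoted.
gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MGMT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${LAN_IF} -j ACCEPT
-A INPUT -i ${WAN_IF} -d ${NEW_IP} -p tcp --dport 22 -j MGMT
-A MGMT -s ${SSH_FROM} -j ACCEPT
-A MGMT -j DROP
COMMIT
EOF
}

# Number of "-A" rule lines produced (sanity check before saving).
rule_count() { gen_rules | grep -c '^-A'; }

# Write the ruleset to the file the init script loads at boot (IPTABLES_SAVE
# in /etc/conf.d/iptables) without touching the live firewall.
save_rules() { gen_rules > "$1"; }

# Load now, atomically: iptables-restore parses the whole input before
# committing, so a rule the kernel rejects leaves the running rules as they
# were instead of half applied. Does nothing where the tool is absent.
apply_rules() {
    command -v iptables-restore >/dev/null 2>&1 || {
        echo "iptables-restore not found; nothing loaded" >&2
        return 1
    }
    gen_rules | iptables-restore
}

case "${1:-}" in
    save)  save_rules "${2:-/var/lib/iptables/rules-save}" ;;
    apply) apply_rules ;;
esac
```

Run `sh rules.sh save` before the shutdown so only the saved file changes, and `sh rules.sh apply` (or just reboot with SAVE_ON_STOP disabled) once the machine is on its new address.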

----------

## petr999

Excellent, people! You're all so fast and detailed...

Now, I'm about to be more generic in approach and silent, but I need this for that:

1. conf.d/iptables sounds best for me and it was the first thing I was looking for. But there is no such file out there, not even an empty one.

I searched for it in the Gentoo Handbook. There is no mention of it, although it is expected to be there like it is in the FreeBSD Handbook. I had no idea about it even after looking into init.d/iptables. Is this documented anywhere? ( @Hopeless )

2. Commonly iptables rules are bound to interfaces. But I need them to be different for several different IP addresses on the same interface in this particular case. ( @Hu )

3. The iptables.sh looks like the same thing I already had when I came here: it applies the new iptables rules, and they should be saved afterwards. I need them to be saved, but not applied, before the shutdown, and applied only after power is up and RC is starting. ( @d2_racing )

That being said, I prefer perl over sed, and you seem to give a hint about thinking of new proposals for initscript changes? I'd prefer the docs to be more detailed, with changes to init or not, because I guess it's not the last Gentoo machine I should deal with in the near future ;-)

----------

## petr999

Ouch! sorry, I have the /etc/conf.d/iptables at a second look :)

----------

