Onion Information
Using iptables with systemd-networkd
I used to rely on ifupdown to bring up my iptables firewall automatically using a config like this in /etc/network/interfaces : but I wanted to modernize my network configuration and make use of systemd-networkd after upgrading one of my se...
Onion Details
Page Clicks: 0
First Seen: 03/11/2024
Last Indexed: 10/21/2024
Onion Content
I used to rely on ifupdown to bring up my iptables firewall automatically using a config like this in /etc/network/interfaces : allow-hotplug eno1 iface eno1 inet dhcp pre-up iptables-restore /etc/network/iptables.up.rules iface eno1 inet6 dhcp pre-up ip6tables-restore /etc/network/ip6tables.up.rules but I wanted to modernize my network configuration and make use of systemd-networkd after upgrading one of my servers to Debian bookworm . Since I already wrote an iptables dispatcher script for NetworkManager , I decided to follow the same approach for systemd-networkd. I started by installing networkd-dispatcher : apt install networkd-dispatcher moreutils and then adding a script for the routable state in /etc/networkd-dispatcher/routable.d/iptables : #!/bin/sh LOGFILE=/var/log/iptables.log if [ "$IFACE" = lo ]; then echo "$0: ignoring $IFACE for \`$STATE'" | ts >> $LOGFILE exit 0 fi case "$STATE" in routable) echo "$0: restoring iptables rules for $IFACE" | ts >> $LOGFILE /sbin/iptables-restore /etc/network/iptables.up.rules 2>&1 | ts >> $LOGFILE /sbin/ip6tables-restore /etc/network/ip6tables.up.rules 2>&1 | ts >> $LOGFILE ;; *) echo "$0: nothing to do with $IFACE for \`$STATE'" | ts >> $LOGFILE ;; esac before finally making that script executable (otherwise it won't run): chmod a+x /etc/NetworkManager/dispatcher.d/pre-up.d/iptables With this in place, I can put my iptables rules in the usual place ( /etc/network/iptables.up.rules and /etc/network/ip6tables.up.rules ) and use the handy iptables-apply and ip6tables-apply commands to test any changes to my firewall rules. Looking at /var/log/iptables.log confirms that it is being called correctly for each network interface as they are started. Finally, create a new /etc/logrotate.d/iptables-local file to ensure that the log file does not grow unbounded: /var/log/iptables.log { monthly rotate 1 nocreate nomail noolddir notifempty missingok } RSS Atom Sorry to interupt but what's about nftables? I have not yet switched to nftables, though it's on my list. In other words, I don't know yet. Add a comment