From ArchWiki
Revision as of 19:55, 28 September 2013 by Lahwaacz (talk | contribs) (NAT Firewall: rm closed discussion)
Jump to: navigation, search

Starting iptables before network

Shouldn't this page explain how to set up systemd to start iptables before the network interfaces are up? I read Systemd and I will be trying this:

$ sudo vim /etc/systemd/system/network.service
Requires=iptables.service - added by me 
After=iptables.service - added by me
ExecStart=/sbin/ip link set dev ${interface} up
ExecStart=/sbin/ip addr add ${address}/${netmask} broadcast ${broadcast} dev ${interface}
ExecStart=/sbin/ip route add default via ${gateway}
ExecStop=/sbin/ip addr flush dev ${interface}
ExecStop=/sbin/ip link set dev ${interface} down

however, I have no clue if this is correct or not. Doru001 (talk) 17:28, 27 January 2013 (UTC)

That's the way to do it. Consider adding "ip6tables.service" for IPv6 connections if it's required. A much cleaner and safer solution would be to have the actual iptables services start before any kind of network is available. This needs a "" (and possibly more) listed in the Unit sections. If you could test it, I'm sure the iptables packager would be happy to hear from you at Bug #33478. --Gilrain (talk) 16:39, 8 February 2013 (UTC)
Following from your bug report I have done this:
$ cat /usr/lib/systemd/system/iptables.service
Description=Packet Filtering Framework
ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rules
ExecReload=/usr/bin/iptables-restore /etc/iptables/iptables.rules
Seems to be working, but I don't know how to check that it starts when it should, it is possible that journalctl is not started before it. Doru001 (talk) 14:53, 13 July 2013 (UTC)
Use "systemd-analyze plot > bootchart.svg" to check the complete start-up sequence. You should see iptables.service near the top, in the middle and further down (at least, that what it looks like with UFW). Also, does iptables really need "After=systemd-sysctl.service" or is it there because of a quick copy-paste? --Gilrain (talk) 19:36, 13 July 2013 (UTC)
That was a quick copy-paste, but it makes sense to me to configure the kernel before iptables and iptables before sysinit. If you have a better iptables.service unit then please post it here. Thank you for systemd-analyze plot. Doru001 (talk) 08:58, 14 July 2013 (UTC)
Using in this case would be wrong, it breaks dependencies between targets. Note that iptables.service is, is started after I think the correct way to do this is by placing iptables.service into, which is started after but before All services configuring network interfaces are in, so is necessarily started after -- Lahwaacz (talk) 17:40, 25 July 2013 (UTC)
Not really, WantedBy does not mean Before and in fact the start order is: iptables.service, and, with many other units started between them. See Requires in man systemd.unit. Not only that WantedBy has nothing to do with Before as many newcomers believe, but you confuse it with After. So this configuration says: if you start, then also start iptables.service. When should you start iptables.service? Before! I don't know what happens when is already started. And yes, systemd is uncomfortable, to say the least (join us on this). Doru001 (talk) 09:18, 4 September 2013 (UTC)