
Dynamic iptables


Motivation


Background


The first goal is to provide a "default" set of scripts that correctly initialize iptables for both static and DHCP interfaces. DHCP causes some interesting situations (e.g. DHCP servers changing) that require special handling with iptables. The second goal is to give the user ultimate control over all aspects of interface initialization without needing to modify the base scripts.

There are three separate categories of rule scripts, defined by the way each script is called. Initialization scripts are all called with start, stop, and restart parameters, since they are called from the /etc/rc?.d scripts. Interface scripts can be called either by the /etc/network/if-*.d scripts or by the dhclient-*-hooks scripts. Typically only one of the methods is used to actually configure rules for a particular interface; however, the scripts may be called by either or both of the subsystems. It is the responsibility of each configuration script to determine how it was called and act appropriately.


Theory of Operations

File List

Init Scripts

/etc/init.d/iptables
/etc/rcS.d/S37iptables -> ../init.d/iptables
/etc/rc6.d/K99iptables -> ../init.d/iptables
/etc/rc0.d/K99iptables -> ../init.d/iptables

Configuration Scripts

/etc/default/iptables
/etc/default/iptables.banned
/etc/default/firewall.conf

Interface Scripts

/etc/network/if-up.d/iptables-ifupdown -> /var/lib/iptables/ifupdown.sh
/etc/network/if-pre-up.d/iptables-ifupdown -> /var/lib/iptables/ifupdown.sh
/etc/network/if-post-down.d/iptables-ifupdown -> /var/lib/iptables/ifupdown.sh
/etc/network/if-down.d/iptables-ifupdown -> /var/lib/iptables/ifupdown.sh

DHCP Scripts

/etc/dhclient-enter-hooks
/etc/dhclient-exit-hooks
or
/etc/dhcp3/dhclient-enter-hooks.d/iptables-enter
/etc/dhcp3/dhclient-exit-hooks.d/iptables-exit

Main Distribution Folder

/var/lib/iptables/*

References














Original R&D Notes

Directories and Files

Tuesday, October 18, 2005
6:24 AM

Directory Structure
/etc/init.d/iptables
/etc/init.d/rc0&S.d/K??iptables
/etc/init.d/rc2.d/S38iptables
start - sets default policies and loads special rule sets.
reload -
stop -
Use /etc/init.d/ssh as a simple example

/etc/default/iptables
Contains all the config files

/etc/network/if-up.d/iptables
Logical link to /var/lib/iptables/ifupdown

/etc/dhclient-enter-hooks
Logical link to /var/lib/iptables/dhclient

/var/lib/iptables/
Contains the core scripts



Use Cases

Sunday, October 23, 2005
2:12 PM



Notepad

Wednesday, October 05, 2005
8:22 AM

1. Need an initial /etc/init.d&rcS.d/S38iptables script that will set the default policies and other items that might be needed. This can also install custom filter rules if needed (like for the honey spoon project).
2. Need /etc/network/if-up.d/iptables script that will initialize all filters for the interface coming up.
3. Need to determine how and which scripts will be called by the dhcpclient hooks
dhclient dhclient.leases dhclient-script dhclient.conf dhcp-options
Create a /etc/dhclient-enter-hooks that calls a script in the iptables scripts directory

a. Separate scripts for each interface that build the interface specific input and output filter rules. Main script adds the jump for each interface filter rule.
b. Virtualize inside/outside vs. eth0/eth1 and map eth0/eth1 to inside/outside in the config file. Config file defines ethxx mapping to script name (e.g. eth0=outside)
c. init.d/iptables, dhclient, and ifupdown will extract and populate common network variables when calling main.
d. main loads config entries
e. main calls script appropriate for the action and/or interface


/etc/init.d/iptables
|
/var/lib/iptables/main start
|
|<------>/etc/default/iptables
|
/var/lib/iptables/special2 <-----datafile?


/var/lib/iptables/dhclient     /var/lib/iptables/ifupdown
|                              |
|<------------------------------
|
/var/lib/iptables/main start "interface"
|
|<------>/etc/default/iptables
|
/var/lib/iptables/[loopback|inside|outside|other]


Config File
Defines mapping between interface and script (e.g. eth1=outside)
Defines each preload script
Defines the list of interfaces that auto start/stop

Use Cases
main start
Source the config script
Loops running each preload script (default policies, filter lists, etc.)
Loops starting all interfaces that start automatically

main start "interface"
Source the config script
Starts the specified interface

main stop
Source the config script
Loops stopping all interfaces that stop automatically
Loops running each preload script with the stop argument (default policies, filter lists, etc.)

main stop "interface"
Source the config script
Stops the specified interface

main restart "interface"
Source the config script
Restarts the specified interface






Script order
/etc/network/if-pre-up.d/iptables IFACE=eth0
/etc/dhclient-enter-hooks interface=eth0 reason=PREINIT
/etc/dhclient-enter-hooks interface=eth0 reason=ARPSEND
/etc/dhclient-enter-hooks interface=eth0 reason=ARPCHECK
/etc/dhclient-enter-hooks interface=eth0 reason=BOUND
/etc/network/if-up.d/iptables IFACE=eth0
… repeat for each interface

/etc/network/if-down.d/iptables IFACE=eth0 MODE=stop PHASE=pre-down
/etc/network/if-post-down.d/iptables IFACE=eth0 MODE=stop PHASE=post-down
… repeat for each interface

if-pre-up.d     lo    MODE=start PHASE=pre-up
if-up.d         lo    MODE=start PHASE=post-up
if-pre-up.d     eth0  MODE=start PHASE=pre-up
dhclient-in     eth0  reason=PREINIT
dhclient-x      eth0  reason=PREINIT
dhclient-in     eth0  reason=ARPCHECK
dhclient-x      eth0  reason=ARPCHECK
dhclient-in     eth0  reason=ARPSEND
dhclient-x      eth0  reason=ARPSEND
if-up.d         eth0  MODE=start PHASE=post-up
if-pre-up.d     eth1  MODE=start PHASE=pre-up
dhclient-in     eth0  reason=BOUND
dhclient-x      eth0  reason=BOUND
if-up.d         eth1  MODE=start PHASE=post-up

dhclient-in     eth0  reason=EXPIRE
dhclient-x      eth0  reason=EXPIRE
dhclient-in     eth0  reason=PREINIT
dhclient-x      eth0  reason=PREINIT
dhclient-in     eth0  reason=ARPCHECK
dhclient-x      eth0  reason=ARPCHECK
dhclient-in     eth0  reason=ARPSEND
dhclient-x      eth0  reason=ARPSEND
dhclient-in     eth0  reason=BOUND
dhclient-x      eth0  reason=BOUND

if-down.d       eth0  MODE=stop PHASE=pre-down
if-down.d       eth1  MODE=stop PHASE=pre-down
if-post-down.d  eth0  MODE=stop PHASE=post-down
if-post-down.d  eth1  MODE=stop PHASE=post-down
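
The environments traced above are enough for one script to work out which subsystem called it. The following is an added example, not the project's own code: IFACE_MAP stands in for the interface-to-script mapping the notes place in /etc/default/iptables, and the action chosen for each phase or reason is an assumed policy.

```sh
#!/bin/sh
# Added example, not the project's own code. IFACE_MAP is a hypothetical
# stand-in for the mapping kept in /etc/default/iptables (e.g. eth0=outside);
# the action picked for each phase/reason is an assumed policy.
IFACE_MAP="lo=loopback eth0=outside eth1=inside"

# role_for IFACE: print the mapped script name, or "other" when unmapped.
role_for() {
    for pair in $IFACE_MAP; do
        if [ "${pair%%=*}" = "$1" ]; then echo "${pair#*=}"; return 0; fi
    done
    echo other
}

# classify: inspect the variables the hook was started with and print
# "<caller> <action> <interface> <role>"; return 1 if neither caller matches.
classify() {
    if [ -n "${interface:-}" ] && [ -n "${reason:-}" ]; then
        caller=dhclient; iface=$interface
        case "$reason" in
            BOUND|REBOOT) action=start ;;
            RENEW|REBIND)
                # Reload only when the lease changed address or DHCP server.
                if [ "${new_ip_address:-}" != "${old_ip_address:-}" ] ||
                   [ "${new_dhcp_server_identifier:-}" != "${old_dhcp_server_identifier:-}" ]
                then action=restart; else action=none; fi ;;
            EXPIRE|FAIL|RELEASE|STOP) action=stop ;;
            *) action=none ;;               # PREINIT, ARPSEND, ARPCHECK, ...
        esac
    elif [ -n "${IFACE:-}" ] && [ -n "${PHASE:-}" ]; then
        caller=ifupdown; iface=$IFACE
        case "${MODE:-}/$PHASE" in
            start/post-up) action=start ;;
            stop/pre-down) action=stop ;;
            *)             action=none ;;   # pre-up and post-down: no rule change
        esac
    else
        return 1
    fi
    echo "$caller $action $iface $(role_for "$iface")"
}

# Constructed invocations mirroring entries in the trace above.
( IFACE=eth0; MODE=start; PHASE=post-up; classify )
( interface=eth0; reason=EXPIRE; classify )
```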


Here do the following:
cat > /etc/dhclient-enter-hooks
echo $0 $(date) | /usr/bin/logger -t dhclient
env | sort | /usr/bin/logger -t dhclient
^d <======= that is a control d
chmod +x /etc/dhclient-enter-hooks
service network restart
cat /tmp/dhc to see all the variables you have access to.
Pasted from <http://www.newsbackup.com/about403418.html>


#!/bin/sh
#
#      dhclient-exit-hooks - Post processing dhcp client processor
#
#      This script is called from /sbin/dhclient-script.
#      The variables exit_status, reason, and new* are set in
#      /sbin/dhclient-script.
#
# Install:
#      chmod +x dhclient-exit-hooks
#      cp dhclient-exit-hooks /etc/dhclient-exit-hooks
logger -t dhclient-exit-hooks "Reason is $reason"
if [ $exit_status -eq 0 ]; then
   if [ x$reason = xBOUND ] || [ x$reason = xRENEW ] || \
      [ x$reason = xREBIND ] || [ x$reason = xREBOOT ]; then

………………...

   fi
fi
exit 0

Pasted from <http://groups.google.com/group/alt.os.linux.mandrake/msg/c0637e5e61268f6>





************** start dhclient-exit-hooks **************
#!/bin/sh
if [ x$reason = xBOUND ] || [ x$reason = xRENEW ] || \
   [ x$reason = xREBIND ] || [ x$reason = xREBOOT ]; then
     /etc/rc.d/./rc.updatedns
fi
************** end **************


The file "/etc/rc.d/./rc.updatedns" does several things for me. You can
see for yourself. Flavor to taste.
************** start rc.updatedns **************
#!/bin/bash
exec >> /var/log/dhclient.log 2>&1
# Updated by RP on 07/06/2003
# Show ip address
/bin/echo Interface eth1 has been assigned an IP address of $new_ip_address
# Enter IP address into SNAT-LAN
ed /etc/rc.d/rc.firewall << EOF > /dev/null 2>&1
g/SNAT_LAN="192.168.100.0/s/:.*/:$new_ip_address"/
w
q
EOF
# Reset the firewall
/etc/rc.d/./rc.firewall > /dev/null 2>&1
# Wait to allow the firewall to be established
sleep 1s
# Run ez-ipupdate
/usr/bin/ez-ipupdate -S dyndns-custom -u xxxxx:xxxxxx -h \
piotro.net -i eth1 -b /tmp/ez -ipupdate.cache \
-N xxx... at wi.rr.com -R rich
# ====  End
************** end **************
Pasted from <http://groups.google.com/group/comp.os.linux.redhat/browse_thread/thread/57fdd35d4b63522c/40f5b474d4fd3bca?lnk=st&q=iptables+dhclient-exit-hooks&rnum=1&hl=en>
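
The rc.updatedns script quoted above copies $new_ip_address, a value supplied by the DHCP server, into a firewall script that is then run as root. The following added example (not from this page's scripts or the quoted posts) validates hook variables before they reach a rule and handles the "DHCP server changed" case by printing the rule changes instead of executing them. The "<role>-INPUT" chain name follows the note under Documentation; the rule layout is an assumption.

```sh
#!/bin/sh
# Added example. Assumptions: chain naming "<role>-INPUT"; one ACCEPT rule per
# DHCP server for replies (udp 67 -> 68). Commands are printed, never executed.

# is_ipv4 ADDR: succeed only for a plain dotted quad with octets 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray characters, empty octet
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split on dots (digits and dots only)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# dhcp_server_rules ROLE: print the iptables commands needed when the lease's
# server identifier changed. Reads interface, old_/new_dhcp_server_identifier.
# Returns 2 and prints nothing on stdout if a value fails validation.
dhcp_server_rules() {
    chain="$1-INPUT"
    old=${old_dhcp_server_identifier:-}
    new=${new_dhcp_server_identifier:-}
    case "${interface:-}" in
        ''|*[!A-Za-z0-9_.-]*) echo "reject: bad interface name" >&2; return 2 ;;
    esac
    if [ -n "$new" ] && ! is_ipv4 "$new"; then
        echo "reject: new server identifier is not an IPv4 address" >&2
        return 2
    fi
    [ "$old" = "$new" ] && return 0            # same server: nothing to change
    if [ -n "$old" ] && is_ipv4 "$old"; then
        echo "iptables -D $chain -i $interface -p udp -s $old --sport 67 --dport 68 -j ACCEPT"
    fi
    if [ -n "$new" ]; then
        echo "iptables -A $chain -i $interface -p udp -s $new --sport 67 --dport 68 -j ACCEPT"
    fi
}

# Constructed event: the old server is the one in the page's logs, the new one
# is made up for the demonstration.
interface=eth0
old_dhcp_server_identifier=192.168.171.205
new_dhcp_server_identifier=192.168.171.206
dhcp_server_rules outside
```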



Renew Example #1

Tuesday, October 18, 2005
5:57 AM

Sep 25 21:52:24 deb iptables-init: /var/lib/iptables/dhclient : Interface eth0
Sep 25 21:52:24 deb iptables-init: PATH=/usr/ucb:/usr/bin:/usr/sbin:/bin:/sbin
Sep 25 21:52:24 deb iptables-init: PWD=/
Sep 25 21:52:24 deb iptables-init: SHLVL=2
Sep 25 21:52:24 deb iptables-init: _=/usr/bin/env
Sep 25 21:52:24 deb iptables-init: interface=eth0
Sep 25 21:52:24 deb iptables-init: new_broadcast_address=192.168.171.255
Sep 25 21:52:24 deb iptables-init: new_dhcp_lease_time=172800
Sep 25 21:52:24 deb iptables-init: new_dhcp_message_type=5
Sep 25 21:52:24 deb iptables-init: new_dhcp_server_identifier=192.168.171.205
Sep 25 21:52:24 deb iptables-init: new_domain_name=hsd1.tx.comcast.net.
Sep 25 21:52:24 deb iptables-init: new_domain_name_servers=64.7.11.2 63.240.76.198 204.127.199.8
Sep 25 21:52:24 deb iptables-init: new_expiry=1127875944
Sep 25 21:52:24 deb iptables-init: new_ip_address=192.168.171.220
Sep 25 21:52:24 deb iptables-init: new_network_number=192.168.171.0
Sep 25 21:52:24 deb iptables-init: new_routers=192.168.171.205
Sep 25 21:52:24 deb iptables-init: new_subnet_mask=255.255.255.0
Sep 25 21:52:24 deb iptables-init: old_broadcast_address=192.168.171.255
Sep 25 21:52:24 deb iptables-init: old_dhcp_lease_time=172800
Sep 25 21:52:24 deb iptables-init: old_dhcp_message_type=5
Sep 25 21:52:24 deb iptables-init: old_dhcp_server_identifier=192.168.171.205
Sep 25 21:52:24 deb iptables-init: old_domain_name=hsd1.tx.comcast.net.
Sep 25 21:52:24 deb iptables-init: old_domain_name_servers=64.7.11.2 63.240.76.198 204.127.199.8
Sep 25 21:52:24 deb iptables-init: old_expiry=1127769239
Sep 25 21:52:24 deb iptables-init: old_ip_address=192.168.171.220
Sep 25 21:52:24 deb iptables-init: old_network_number=192.168.171.0
Sep 25 21:52:24 deb iptables-init: old_routers=192.168.171.205
Sep 25 21:52:24 deb iptables-init: old_subnet_mask=255.255.255.0
Sep 25 21:52:24 deb iptables-init: reason=RENEW


Renew Failure Example

Tuesday, October 18, 2005
6:00 AM

Sep 27 21:52:25 deb iptables-init: /var/lib/iptables/dhclient : Interface eth0
Sep 27 21:52:25 deb iptables-init: PATH=/usr/ucb:/usr/bin:/usr/sbin:/bin:/sbin
Sep 27 21:52:25 deb iptables-init: PWD=/
Sep 27 21:52:25 deb iptables-init: SHLVL=2
Sep 27 21:52:25 deb iptables-init: _=/usr/bin/env
Sep 27 21:52:25 deb iptables-init: interface=eth0
Sep 27 21:52:25 deb iptables-init: old_broadcast_address=192.168.171.255
Sep 27 21:52:25 deb iptables-init: old_dhcp_lease_time=172800
Sep 27 21:52:25 deb iptables-init: old_dhcp_message_type=5
Sep 27 21:52:25 deb iptables-init: old_dhcp_server_identifier=192.168.171.205
Sep 27 21:52:25 deb iptables-init: old_domain_name=hsd1.tx.comcast.net.
Sep 27 21:52:25 deb iptables-init: old_domain_name_servers=64.7.11.2 63.240.76.198 204.127.199.8
Sep 27 21:52:25 deb iptables-init: old_expiry=1127875944
Sep 27 21:52:25 deb iptables-init: old_ip_address=192.168.171.220
Sep 27 21:52:25 deb iptables-init: old_network_number=192.168.171.0
Sep 27 21:52:25 deb iptables-init: old_routers=192.168.171.205
Sep 27 21:52:25 deb iptables-init: old_subnet_mask=255.255.255.0
Sep 27 21:52:25 deb iptables-init: reason=EXPIRE
Sep 27 21:52:25 deb iptables-init: /var/lib/iptables/dhclient : Interface eth0
Sep 27 21:52:25 deb iptables-init: PATH=/usr/ucb:/usr/bin:/usr/sbin:/bin:/sbin
Sep 27 21:52:25 deb iptables-init: PWD=/
Sep 27 21:52:25 deb iptables-init: SHLVL=2
Sep 27 21:52:25 deb iptables-init: _=/usr/bin/env
Sep 27 21:52:25 deb iptables-init: interface=eth0
Sep 27 21:52:25 deb iptables-init: reason=PREINIT
Sep 27 21:53:26 deb iptables-init: /var/lib/iptables/dhclient : Interface eth0
Sep 27 21:53:26 deb iptables-init: PATH=/usr/ucb:/usr/bin:/usr/sbin:/bin:/sbin
Sep 27 21:53:26 deb iptables-init: PWD=/
Sep 27 21:53:26 deb iptables-init: SHLVL=2
Sep 27 21:53:26 deb iptables-init: _=/usr/bin/env
Sep 27 21:53:26 deb iptables-init: interface=eth0
Sep 27 21:53:26 deb iptables-init: reason=FAIL


Renew Example #2

Tuesday, October 18, 2005
6:07 AM

Sep 20 21:26:53 deb iptables-init: /var/lib/iptables/dhclient : Interface eth0
Sep 20 21:26:53 deb iptables-init: PATH=/usr/ucb:/usr/bin:/usr/sbin:/bin:/sbin
Sep 20 21:26:53 deb iptables-init: PWD=/
Sep 20 21:26:53 deb iptables-init: SHLVL=2
Sep 20 21:26:53 deb iptables-init: _=/usr/bin/env
Sep 20 21:26:53 deb iptables-init: interface=eth0
Sep 20 21:26:53 deb iptables-init: old_broadcast_address=192.168.171.255
Sep 20 21:26:53 deb iptables-init: old_dhcp_lease_time=180
Sep 20 21:26:53 deb iptables-init: old_dhcp_message_type=5
Sep 20 21:26:53 deb iptables-init: old_dhcp_server_identifier=192.168.171.205
Sep 20 21:26:53 deb iptables-init: old_domain_name=hsd1.tx.comcast.net.
Sep 20 21:26:53 deb iptables-init: old_domain_name_servers=64.7.11.2 63.240.76.198 204.127.199.8
Sep 20 21:26:53 deb iptables-init: old_expiry=1127269612
Sep 20 21:26:53 deb iptables-init: old_ip_address=192.168.171.220
Sep 20 21:26:53 deb iptables-init: old_network_number=192.168.171.0
Sep 20 21:26:53 deb iptables-init: old_routers=192.168.171.205
Sep 20 21:26:53 deb iptables-init: old_subnet_mask=255.255.255.0
Sep 20 21:26:53 deb iptables-init: reason=EXPIRE
Sep 20 21:26:53 deb iptables-init: /var/lib/iptables/dhclient : Interface eth0
Sep 20 21:26:53 deb iptables-init: PATH=/usr/ucb:/usr/bin:/usr/sbin:/bin:/sbin
Sep 20 21:26:53 deb iptables-init: PWD=/
Sep 20 21:26:53 deb iptables-init: SHLVL=2
Sep 20 21:26:53 deb iptables-init: _=/usr/bin/env
Sep 20 21:26:53 deb iptables-init: interface=eth0
Sep 20 21:26:53 deb iptables-init: reason=PREINIT
Sep 20 21:26:55 deb iptables-init: /var/lib/iptables/dhclient : Interface eth0
Sep 20 21:26:55 deb iptables-init: PATH=/usr/ucb:/usr/bin:/usr/sbin:/bin:/sbin
Sep 20 21:26:55 deb iptables-init: PWD=/
Sep 20 21:26:55 deb iptables-init: SHLVL=2
Sep 20 21:26:55 deb iptables-init: _=/usr/bin/env
Sep 20 21:26:55 deb iptables-init: check_broadcast_address=192.168.171.255
Sep 20 21:26:55 deb iptables-init: check_dhcp_lease_time=172800
Sep 20 21:26:55 deb iptables-init: check_dhcp_message_type=2
Sep 20 21:26:55 deb iptables-init: check_dhcp_server_identifier=192.168.171.205
Sep 20 21:26:55 deb iptables-init: check_domain_name=hsd1.tx.comcast.net.
Sep 20 21:26:55 deb iptables-init: check_domain_name_servers=64.7.11.2 63.240.76.198 204.127.199.8
Sep 20 21:26:55 deb iptables-init: check_expiry=0
Sep 20 21:26:55 deb iptables-init: check_ip_address=192.168.171.222
Sep 20 21:26:55 deb iptables-init: check_network_number=192.168.171.0
Sep 20 21:26:55 deb iptables-init: check_routers=192.168.171.205
Sep 20 21:26:55 deb iptables-init: check_subnet_mask=255.255.255.0
Sep 20 21:26:55 deb iptables-init: interface=eth0
Sep 20 21:26:55 deb iptables-init: reason=ARPSEND
Sep 20 21:26:58 deb iptables-init: /var/lib/iptables/dhclient : Interface eth0
Sep 20 21:26:58 deb iptables-init: PATH=/usr/ucb:/usr/bin:/usr/sbin:/bin:/sbin
Sep 20 21:26:58 deb iptables-init: PWD=/
Sep 20 21:26:58 deb iptables-init: SHLVL=2
Sep 20 21:26:58 deb iptables-init: _=/usr/bin/env
Sep 20 21:26:58 deb iptables-init: check_broadcast_address=192.168.171.255
Sep 20 21:26:58 deb iptables-init: check_dhcp_lease_time=172800
Sep 20 21:26:58 deb iptables-init: check_dhcp_message_type=2
Sep 20 21:26:58 deb iptables-init: check_dhcp_server_identifier=192.168.171.205
Sep 20 21:26:58 deb iptables-init: check_domain_name=hsd1.tx.comcast.net.
Sep 20 21:26:58 deb iptables-init: check_domain_name_servers=64.7.11.2 63.240.76.198 204.127.199.8
Sep 20 21:26:58 deb iptables-init: check_expiry=0
Sep 20 21:26:58 deb iptables-init: check_ip_address=192.168.171.222
Sep 20 21:26:58 deb iptables-init: check_network_number=192.168.171.0
Sep 20 21:26:58 deb iptables-init: check_routers=192.168.171.205
Sep 20 21:26:58 deb iptables-init: check_subnet_mask=255.255.255.0
Sep 20 21:26:58 deb iptables-init: interface=eth0
Sep 20 21:26:58 deb iptables-init: reason=ARPCHECK
Sep 20 21:26:58 deb iptables-init: /var/lib/iptables/dhclient : Interface eth0
Sep 20 21:26:58 deb iptables-init: PATH=/usr/ucb:/usr/bin:/usr/sbin:/bin:/sbin
Sep 20 21:26:58 deb iptables-init: PWD=/
Sep 20 21:26:58 deb iptables-init: SHLVL=2
Sep 20 21:26:58 deb iptables-init: _=/usr/bin/env
Sep 20 21:26:58 deb iptables-init: interface=eth0
Sep 20 21:26:58 deb iptables-init: new_broadcast_address=192.168.171.255
Sep 20 21:26:58 deb iptables-init: new_dhcp_lease_time=172800
Sep 20 21:26:58 deb iptables-init: new_dhcp_message_type=5
Sep 20 21:26:58 deb iptables-init: new_dhcp_server_identifier=192.168.171.205
Sep 20 21:26:58 deb iptables-init: new_domain_name=hsd1.tx.comcast.net.
Sep 20 21:26:58 deb iptables-init: new_domain_name_servers=64.7.11.2 63.240.76.198 204.127.199.8
Sep 20 21:26:58 deb iptables-init: new_expiry=1127442418
Sep 20 21:26:58 deb iptables-init: new_ip_address=192.168.171.222
Sep 20 21:26:58 deb iptables-init: new_network_number=192.168.171.0
Sep 20 21:26:58 deb iptables-init: new_routers=192.168.171.205
Sep 20 21:26:58 deb iptables-init: new_subnet_mask=255.255.255.0
Sep 20 21:26:58 deb iptables-init: old_broadcast_address=192.168.171.255
Sep 20 21:26:58 deb iptables-init: old_dhcp_lease_time=180
Sep 20 21:26:58 deb iptables-init: old_dhcp_message_type=5
Sep 20 21:26:58 deb iptables-init: old_dhcp_server_identifier=192.168.171.205
Sep 20 21:26:58 deb iptables-init: old_domain_name=hsd1.tx.comcast.net.
Sep 20 21:26:58 deb iptables-init: old_domain_name_servers=64.7.11.2 63.240.76.198 204.127.199.8
Sep 20 21:26:58 deb iptables-init: old_expiry=1127269612
Sep 20 21:26:58 deb iptables-init: old_ip_address=192.168.171.220
Sep 20 21:26:58 deb iptables-init: old_network_number=192.168.171.0
Sep 20 21:26:58 deb iptables-init: old_routers=192.168.171.205
Sep 20 21:26:58 deb iptables-init: old_subnet_mask=255.255.255.0
Sep 20 21:26:58 deb iptables-init: reason=BOUND


Bad Idea For iptables Initialization

Wednesday, October 05, 2005
8:22 AM

Scripts could work like the rc9.d directories. Then a user or application could install new rules scripts on the fly and could even determine the sequencing of them.

/etc/default/iptables
config file

/var/lib/iptables/scripts
Location for all script files.
Logical links are used to place instances in each of the other directories.

/var/lib/iptables/db
Location for any db files (flat or otherwise) used by the interface scripts

/var/lib/iptables/start
Each script referenced here will be called during rc9.d/S* initialization

/var/lib/iptables/stop
Each script referenced here will be called during rc9.d/K* runlevel

/var/lib/iptables/[inside | outside | loopback | other ]
Each script referenced here will be called when either dhclient or ifup/down are called with an interface that is mapped to these directories in the config script.




Documentation

Wednesday, December 14, 2005
10:50 PM



Many of the scripts depend upon appending "-INPUT" and "-OUTPUT" to rule chains


/etc/init.d/iptables.sh start|stop|restart|clear
/etc/default/iptables
/var/lib/iptables/INITIALIZE scripts start|stop|restart

/etc/networking/if-*.d/iptables-ifupdown.sh
Logical links to /var/lib/iptables/ifupdown.sh
/etc/default/iptables
/var/lib/iptables/IFACE scripts ifupdown

/etc/dhclient-*-hooks
/var/lib/iptables/dhclient.sh dhclient-exit
/etc/default/iptables
/var/lib/iptables/IFACE scripts dhclient-exit

Contributors to this page: michael .
Page last modified on Saturday 17 of October, 2009 23:40:44 CDT by michael.