how to uncover what starts iptables?

Zdenek Pytela pytela at phil.muni.cz
Mon Sep 17 07:18:13 UTC 2012


Frantisek Hanzlik writes:
> > Try if
> > grep -r Requires=iptables.service /lib/systemd
> > can be of any help to you.
> 
> In /lib/systemd/ and /etc/systemd/ no service requires iptables.
> ("grep -r 'iptables\.service' /lib/systemd/* /etc/systemd/*" returns
> nothing)
	There is an inverse way as well: iptables.service itself carries some WantedBy=
lines; follow them and they may lead you to the right source.
	Unfortunately, another way start scripts get invoked is through dbus.
	You may also install graphviz and try
systemctl dot|dot -Tsvg > systemd.svg
but on my system the output looks too complicated to find anything in it.

> >> Second question about iptables: Is there any replacement for the
> >> "service iptables panic" command from the old golden, cheerful non-systemd days?
> > Check /lib/systemd/system/iptables.service, you still may try
> > /lib/systemd/system/iptables.service panic
> 
> Although "/lib/systemd/system/iptables.service" has mode 0755, I think
> this is only a packager mistake - systemd units IMO surely aren't
> executable scripts. But you perhaps meant the "/usr/libexec/iptables.init"
> script (which seems identical to the original "/etc/rc.d/init.d/" one).
> And yes, "/usr/libexec/iptables.init panic" works as before.
	You're right, sorry for the misclick.

> But everyone knew the pre-systemd location and usage; nobody knows this new one :(
	A bash script/alias is a solution, isn't it?

> > You can also prepare two sets of iptables rules, with the default being ACCEPT,
> > and then switch between them with a simple command by flushing/renaming/adding
> > a chain.
> 
> Yes, it is a solution too; but I would like to know whether this was solved
> somehow when this service was transferred to systemd.
	I don't really understand what you want to achieve, but this is the
solution I have found most suitable: you still have the default iptables
ruleset loaded and accepting everything, which is very close to not running
it at all, and when you want to restrict network traffic you just switch to
another ruleset instead of starting the service.

-- 

--Zdenek Pytela, <pytela at phil.muni.cz>
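
An added example, not from the thread above, that automates the search the reply describes: scan the systemd unit directories for everything that can pull a unit in, i.e. Requires=/Wants= style lines in other units, the symlinks under *.wants/ or *.requires/ that "systemctl enable" creates, the unit's own [Install] section (the inverse WantedBy= pointers), and SystemdService= lines in D-Bus service files for the dbus activation path. The default directories /etc/systemd/system, /lib/systemd/system and /usr/share/dbus-1/system-services are assumptions for a Fedora of that era; pass your own.

```bash
#!/bin/bash
# Added example (not code from the original thread): list everything in the
# given systemd directories that can pull UNIT in.  Output is one finding per
# line, "KIND<TAB>DETAIL":
#   dep      a Requires=/Wants=/Requisite=/BindsTo= line in another unit, or a
#            SystemdService= line in a D-Bus service file (bus activation)
#   link     a symlink pointing at UNIT, e.g. under <target>.wants/ (this is
#            what "systemctl enable" creates from the unit's [Install] section)
#   install  the WantedBy=/RequiredBy=/Alias= lines in UNIT itself, i.e. where
#            it will be hooked in once enabled
# Usage: find_activators UNIT DIR...
find_activators() {
    local unit="$1"; shift
    local esc dir f target line
    # Escape the dots so "iptables.service" does not also match "iptablesXservice".
    esc=$(printf '%s' "$unit" | sed 's/[.]/\\./g')
    for dir in "$@"; do
        [ -d "$dir" ] || continue

        # 1. Forward dependencies declared by other units (and D-Bus activation).
        #    The unit name must be a whole word of the space-separated list, so
        #    "Requires=notiptables.service" is not reported.
        grep -rIEn "^(Requires|Wants|Requisite|BindsTo|SystemdService)=(.* )?${esc}( |$)" "$dir" 2>/dev/null \
            | while IFS= read -r line; do printf 'dep\t%s\n' "$line"; done

        # 2. Symlinks whose target is UNIT (wants/requires dirs, Alias= links).
        find "$dir" -type l 2>/dev/null | while IFS= read -r f; do
            target=$(readlink "$f")
            if [ "$(basename "$target")" = "$unit" ]; then
                printf 'link\t%s -> %s\n' "$f" "$target"
            fi
        done

        # 3. The unit's own [Install] section: the inverse pointers to follow.
        f="$dir/$unit"
        [ -f "$f" ] || continue
        grep -En '^(WantedBy|RequiredBy|Alias)=' "$f" \
            | while IFS= read -r line; do printf 'install\t%s:%s\n' "$f" "$line"; done
    done
    return 0
}

# When given a unit name on the command line, scan the usual Fedora unit
# directories plus the D-Bus system service directory (paths assumed; adjust
# for your distribution).
if [ $# -gt 0 ]; then
    find_activators "$1" /etc/systemd/system /lib/systemd/system /usr/share/dbus-1/system-services
fi
```

Run it as `./find_activators.sh iptables.service`. A "link" line under multi-user.target.wants/ means the unit is simply enabled; a "dep" line names the unit or bus service that drags it in even when it is disabled. On newer systemd versions `systemctl list-dependencies --reverse iptables.service` answers the same question from the running manager, which also covers dependencies created at runtime that no file on disk shows.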

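An added example, not from the thread, of the "two rulesets, switch between them" approach that the reply recommends instead of starting and stopping the service, with a third ruleset standing in for the old "service iptables panic". Each function prints an iptables-restore filter table and apply_ruleset loads it with iptables-restore, which replaces the whole table in one operation, so there is no moment where half the old and half the new rules are active. The chain name SERVICES, the use of the state match, and iptables-restore being in PATH are my choices, not something the thread specifies.

```bash
#!/bin/bash
# Added example, not code from the thread: rulesets as iptables-restore text,
# switched atomically instead of starting/stopping the iptables service.
#   ruleset_open             policy ACCEPT, no rules (as good as "not running")
#   ruleset_restricted PORT… policy DROP on input, allow loopback, established
#                            traffic and the listed inbound TCP ports
#   ruleset_panic            policy DROP everywhere, nothing allowed (the
#                            equivalent of the old "service iptables panic")
ruleset_open() {
    printf '*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT\n'
}

ruleset_panic() {
    printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT DROP [0:0]\nCOMMIT\n'
}

# ruleset_restricted PORT...: only the listed TCP ports accept new connections.
ruleset_restricted() {
    local port
    printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    # The allow-list lives in its own chain (name assumed), which is what makes
    # flushing/renaming/re-adding just that part easy later on.
    printf ':SERVICES - [0:0]\n'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -j SERVICES'
    for port in "$@"; do
        # Refuse anything that is not a plain port number rather than emitting
        # a rule iptables-restore would reject halfway through the table.
        case $port in
            *[!0-9]*|'') echo "bad port: $port" >&2; return 1 ;;
        esac
        printf '%s\n' "-A SERVICES -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    printf 'COMMIT\n'
}

# apply_ruleset FUNCTION [ARGS...]: load the ruleset FUNCTION prints.
# Needs root; iptables-restore is assumed to be in PATH.
apply_ruleset() {
    "$@" | iptables-restore
}

# Example of the switch the reply describes (only runs when told to):
#   ./fw.sh open          -> apply_ruleset ruleset_open
#   ./fw.sh restrict 22 80 -> apply_ruleset ruleset_restricted 22 80
#   ./fw.sh panic         -> apply_ruleset ruleset_panic
case ${1:-} in
    open)     apply_ruleset ruleset_open ;;
    restrict) shift; apply_ruleset ruleset_restricted "$@" ;;
    panic)    apply_ruleset ruleset_panic ;;
esac
```

With this in a script, the bash alias the reply suggests is just `alias fw-panic='sudo /usr/local/sbin/fw.sh panic'` (path assumed). Because the default ruleset stays loaded and the unit stays active, nothing here depends on who starts iptables.service at boot, which was the first question in the thread.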