Closed seanho00 closed 4 years ago
RoutingPolicyRule as of systemd 235
(This only affects routing, not firewall.)
Amend the systemd unit file for a service by adding ExecStart* entries to /etc/systemd/system/mysvc.service.d/*.conf, e.g.:
[Service]
ExecStartPost=/usr/sbin/iptables -A MYSVC ...
ExecStopPost=/usr/sbin/iptables -D MYSVC ...
Also, add managed rules to a dedicated iptables chain, which is then enabled with a single rule in the main INPUT chain, and can be separately flushed.
It is cleaner to tear down the firewall rules whenever the VPN is brought down. So instead of directly modifying iptables (using ansible's iptables module), use commands in the systemd *.service file to add and delete firewall rules.
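A worked version of the approach described in this thread, added here as an example and not code from the issue author or the project: a small helper script that the drop-in calls with `up` on ExecStartPost and `down` on ExecStopPost. It keeps every managed rule in a dedicated chain hooked from INPUT by a single jump, checks for that jump before inserting it (ExecStartPost runs on every restart, so without the check the jumps would stack), and tears the chain down in the reverse order. The script path, chain name MYSVC, interface tun0 and port 1194 are assumptions, not values from the page.

```shell
#!/bin/sh
# Hypothetical helper: /usr/local/sbin/mysvc-fw.sh up|down
# Drop-in that calls it, e.g. /etc/systemd/system/mysvc.service.d/firewall.conf:
#   [Service]
#   ExecStartPost=/usr/local/sbin/mysvc-fw.sh up
#   ExecStopPost=/usr/local/sbin/mysvc-fw.sh down
# ExecStopPost also runs when the service crashes or fails to start, so the
# rules never outlive the VPN. Chain, interface and port below are assumptions.
set -eu

IPT="${IPT:-iptables}"        # override (e.g. IPT=echo) for a dry run
CHAIN="${CHAIN:-MYSVC}"
VPN_IF="${VPN_IF:-tun0}"
VPN_PORT="${VPN_PORT:-1194}"

fw_up() {
    # Create the dedicated chain; -N fails if it already exists, which is fine.
    "$IPT" -N "$CHAIN" 2>/dev/null || true
    # Start from an empty chain so a restart does not append duplicate rules.
    "$IPT" -F "$CHAIN"
    # Exactly one hook in INPUT: -C tests whether the jump exists, -I adds it at the top.
    "$IPT" -C INPUT -j "$CHAIN" 2>/dev/null || "$IPT" -I INPUT 1 -j "$CHAIN"
    # Managed rules live only in the dedicated chain.
    "$IPT" -A "$CHAIN" -p udp --dport "$VPN_PORT" -j ACCEPT
    "$IPT" -A "$CHAIN" -i "$VPN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    "$IPT" -A "$CHAIN" -i "$VPN_IF" -j DROP
    # Any other packet falls off the end of the chain and returns to INPUT unchanged.
}

fw_down() {
    # Unhook first (loop in case an older version stacked duplicates), then flush and delete.
    while "$IPT" -D INPUT -j "$CHAIN" 2>/dev/null; do :; done
    "$IPT" -F "$CHAIN" 2>/dev/null || true
    "$IPT" -X "$CHAIN" 2>/dev/null || true
}

case "${1:-}" in
    up)   fw_up ;;
    down) fw_down ;;
    "")   ;;                      # sourced: define the functions only
    *)    echo "usage: $0 up|down" >&2; exit 2 ;;
esac
```

Deleting the INPUT jump before flushing the chain matters: flushing first would leave a window where the jump points at an empty chain and tunnel traffic falls through to whatever policy INPUT has. Run it by hand with `IPT=echo ./mysvc-fw.sh up` to review the rule set before wiring it into the drop-in.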