seanho00
commented
4 years ago RoutingPolicyRule as of systemd 235
(This only affects routing, not firewall.)
Closed seanho00 closed 4 years ago
seanho00
commented
4 years ago RoutingPolicyRule as of systemd 235
(This only affects routing, not firewall.)
seanho00
commented
4 years ago Amend systemd unit file for a service by adding ExecStart* entries to /etc/systemd/system/mysvc.service.d/*.conf, e.g.,
[Service]
ExecStartPost=/usr/sbin/iptables -A MYSVC ...
ExecStopPost=/usr/sbin/iptables -A MYSVC ...Also, add managed rules to a dedicated iptables chain, which is then enabled with a single rule in the main INPUT chain, and can be separately flushed.
seanho00
commented
4 years ago
It is cleaner to tear down the firewall rules whenever the VPN is brought down. So instead of directly modifying iptables (using ansible's iptables module), use commands in the systemd *.service file to add and delete firewall rules.