
Endian's startup scripts with inithooks

Applies to platform: all
Last updated: 23rd August 2013

There are situations in which you may want to add your own custom scripts for specific purposes. There are two ways to do this, both implemented by adding a file to /var/efw/inithooks/: start.local and rc.firewall.local respectively. These files are never touched by future upgrades, so your customization is preserved as is.

start.local

This file is the last configuration the Endian UTM Appliance reads and applies during the boot process, so that your customization takes effect on top of everything else. Since it is a bash script, the start.local file must have #!/bin/bash as its very first line. This is the shebang marker: it tells the system to run the script with the bash interpreter found in the /bin directory.


After adding your code in this file, set the permissions accordingly by executing the following command:

root@endian:~ # chmod 755 /var/efw/inithooks/start.local

Once the permissions are set you can also trigger the script by calling it with full path:

root@endian:~ # /var/efw/inithooks/start.local


The start.local file does not exist by default, so you will have to create it with an editor like nano or vi and add your code:

root@endian:~ # nano /var/efw/inithooks/start.local

#!/bin/bash

# Add your code here

exit 0

rc.firewall.local

As the name states, this file applies your customized firewall configuration. It is useful when you need certain iptables rules to be added again after every reboot, making the customization permanent. By adding rules to this file you make the Endian UTM Appliance read the configuration and apply it for you using iptables. This file is not changed later by any other service.

Warning

It is strongly recommended that any custom rules be added to the CUSTOM chains, e.g. for a SNAT rule add it to the CUSTOMPOSTROUTING chain of the nat table. The CUSTOM chains do not interfere with the management scripts and are never flushed, so the user is guaranteed that custom rules keep working.

You can use the following skeleton to apply your rules for the start, stop and reload actions by editing rc.firewall.local with nano or vi:

root@endian:~ # nano /var/efw/inithooks/rc.firewall.local

#!/bin/bash
# See how we were called.
case "$1" in
    start)
        ## add your 'start' rules here
        ;;
    stop)
        ## add your 'stop' rules here
        ;;
    reload)
        ## add your 'reload' rules here
        ;;
    *)
        echo "Usage: $0 {start|reload|stop}"
        ;;
esac

Note

It is not necessary for the rc.firewall.local file to contain the start), stop) or reload) cases; it can be a simple script like start.local.

Like start.local, you have to apply the correct permissions:

root@endian:~ # chmod 755 /var/efw/inithooks/rc.firewall.local
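A complete rc.firewall.local following the skeleton above, added here as an example and not part of Endian's own scripts. It keeps a SNAT rule in the CUSTOMPOSTROUTING chain as the warning recommends and checks with iptables -C before adding, so that repeated 'start' calls do not duplicate the rule in a chain that is never flushed. The subnet, the outgoing interface eth1 and the public address are constructed values, and iptables is assumed to support -C (1.4.11 or newer).

```bash
#!/bin/bash
# rc.firewall.local: keep one SNAT rule for the LAN in CUSTOMPOSTROUTING.
# Constructed example values; adjust them for your site.
IPTABLES="${IPTABLES:-/sbin/iptables}"
LAN_NET="192.168.10.0/24"   # assumed internal network
WAN_IF="eth1"               # assumed outgoing interface
WAN_IP="203.0.113.10"       # assumed public address (documentation range)

# Rule body without table and chain, shared by -C, -A and -D so that
# the check, the add and the delete always refer to the same rule.
snat_rule() {
    echo "-s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP"
}

# Add the rule only if it is not already present: the CUSTOM chains are
# never flushed, so a plain -A on every 'start' would pile up duplicates.
add_rule() {
    "$IPTABLES" -t nat -C CUSTOMPOSTROUTING $(snat_rule) 2>/dev/null \
        || "$IPTABLES" -t nat -A CUSTOMPOSTROUTING $(snat_rule)
}

# Remove every copy, in case an earlier version added duplicates.
del_rule() {
    while "$IPTABLES" -t nat -C CUSTOMPOSTROUTING $(snat_rule) 2>/dev/null; do
        "$IPTABLES" -t nat -D CUSTOMPOSTROUTING $(snat_rule)
    done
}

firewall_action() {
    case "$1" in
        start)  add_rule ;;
        stop)   del_rule ;;
        reload) del_rule; add_rule ;;
        *)      echo "Usage: $0 {start|reload|stop}" >&2; return 2 ;;
    esac
}

# Dispatch only when called with an action, so sourcing the file is harmless.
if [ $# -gt 0 ]; then
    firewall_action "$1"
    exit $?
fi
```

After a reboot, iptables -t nat -L CUSTOMPOSTROUTING -n should list the rule exactly once, however often the script has been run.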

Comments

  • kikilinux

    Hi

    thank you for your document.

    I executed these instructions step by step, but after I execute the start.local that I created and reboot the Endian firewall, the rule is flushed when the system is started.

    What is the problem?

    best

  • Technical Support

    Hi,

    are you using CUSTOM prefixed chains? Most probably you are writing to a chain that is overwritten/flushed by the management scripts for the firewall (e.g. you first write at startup, but then some time after, 1 hour or whatever, you add another rule or a service is restarted that requires the firewall to be rewritten).

    Try to use the CUSTOM prefixed chains for your rules and it should be stable now.

    hope it helps,

    cheers

  • Joao Correa

    Does this initialization model work in Endian 3?

    I tried putting a script in the start.local file, with all the correct permissions set, but the script is not run at boot.

  • kikilinux

    Dear Admin, I tested the second method and it worked.

    I thought the file name was not important and only the directory ( ~/inithooks/ ) mattered, but when I tested with the exact name it worked.

    best regards.