I had two MWG7s configured as "simple" proxy. My Network Protection rules were set to allow traffic on the internal eth and drop everything else.
This config was working, but when I enable Proxy HA then VRRP fails. There is no option to select the VRRP protocol in the Network Protection config (just TCP or UDP). I would be able to do it using iptables - but how do I make this configuration persistent?
If you want to use "custom" iptables rules and make them persistent, you will need to add them manually. After you have logged on via SSH, put your rules into /etc/init.d/iptables. If you look into that file you will find a start() function. I would try to put the custom rules on top of:
After a restart the rules should be there. There are a few things to notice:
- Be careful and test your changes on a VM if possible. Mistakes in the startup scripts may cause the appliance to become stuck while booting, and recovery won't be too easy
- This kind of modification is not supported
- Updates of the OS may cause the changes to be wiped out, since the startup scripts are not migrated during an update
- Please ensure you file a service request to get an official solution
All changes to /etc/init.d/iptables will be silently discarded when the iptables package is updated.
If you want to make those changes truly persistent I'd recommend editing /etc/sysconfig/iptables directly (e.g. add the line "-A INPUT -p 112 -j ACCEPT").
In order to protect your changes from being overwritten by MWG you can make the config file immutable:
# chattr +i /etc/sysconfig/iptables
Changes to Network Protection via the UI will not be applied to the configuration file after this! To make the config file writeable again use:
# chattr -i /etc/sysconfig/iptables
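As an added example (not code from the thread or from the MWG appliance): a small POSIX shell helper that inserts the rule from the answer above into an iptables-save style file idempotently, placing it before the filter table's COMMIT so iptables-restore loads it with the existing Network Protection rules. The sample file content, the temp path and the interface name eth0 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: idempotently add a rule to an iptables-save format file
# (the format used by /etc/sysconfig/iptables). Assumes the file contains
# a "*filter" section terminated by "COMMIT". VRRP is IP protocol 112.

# Usage: add_rule_before_commit FILE 'RULE'
add_rule_before_commit() {
    file="$1"
    rule="$2"
    # Already present as an exact line: do nothing, so repeated runs are safe.
    if grep -qxF -e "$rule" "$file"; then
        return 0
    fi
    # Insert the rule just before the first COMMIT after "*filter".
    awk -v r="$rule" '
        /^\*filter/ { in_filter = 1 }
        in_filter && /^COMMIT/ && !done { print r; done = 1 }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Check used below: is the VRRP accept rule present in FILE?
has_vrrp_rule() {
    grep -qxF -e '-A INPUT -p 112 -j ACCEPT' "$1"
}

# Constructed sample of a minimal Network Protection style ruleset
# (default-drop INPUT, internal interface allowed). On the appliance the
# real file is /etc/sysconfig/iptables; here we work on a temp copy.
SAMPLE_FILE="${TMPDIR:-/tmp}/iptables.sample.$$"
cat > "$SAMPLE_FILE" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -j ACCEPT
COMMIT
EOF

# Rule from the answer above. A narrower variant (assumed HA interface
# eth0, VRRP multicast group 224.0.0.18) limits exposure further:
#   -A INPUT -i eth0 -d 224.0.0.18 -p 112 -j ACCEPT
VRRP_RULE='-A INPUT -p 112 -j ACCEPT'
add_rule_before_commit "$SAMPLE_FILE" "$VRRP_RULE"
add_rule_before_commit "$SAMPLE_FILE" "$VRRP_RULE"   # second run is a no-op
```

After editing the real file, reload it with the appliance's iptables init script (or iptables-restore) and then apply chattr +i as described above if you want it protected from UI writes.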