services-start or firewall-start for iptables scripts?

I'd say firewall-start; then if the service restarts for some reason, your script runs as well.
 
That was my thinking, but I had better luck with ya-malware and iBlocklists in services-start; for some reason firewall-start caused them to never finish running.
 
Then find the reason why.
This is a service activated user script and related scripts belong in that file.

Just as post-mount is the only one to place scripts that depend on the USB device(s) being mounted when it runs.
I'm sure you read the wiki: https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts
 
Yes read the wiki, I've even contributed on it ;-)

I did some debugging a while back and couldn't resolve it, so went with what worked. Tbh I've changed scripts around since then, I could probably revisit it.
 
services-start is only run once at boot time, so anything that can be changed later on such as the firewall shouldn't be manipulated there.

firewall-start (filter) and nat-start (mangle/nat) are the places to put anything involving iptables.
 
I think I remember why: the blocking scripts don't look to clean up after themselves, i.e. it'd add duplicated rules.
 
I've since reviewed the scripts and they do now clean up, so moved to firewall-start, and rebooted, and hey presto!
 
As you already found out it had to be firewall-start.

QOS wipes all rules and starts a clean slate.
 
That explains why the iptables script I tried to make didn't work.
 
@Jack Yaz I use the firewall-start to re-instate the iptables rules if the ipsets already exist, and the setup that is posted in #1 post of ya-malware-block. I have no issues when the firewall is re-started multiple times.

Also @FreshJR and @Vexira: take note of the reinstatement snippet (in the wiki under a different heading). You should ideally not use the wildcard rule, and make a case for the ipsets that you use, to re-instate the iptables rule when the firewall restarts.
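
The pattern the posts above converge on, as an added example that is not from the thread or the wiki: a firewall-start hook that re-instates rules only for explicitly named ipsets that already exist, and never stacks duplicates when it runs again. The set names, the chains and the DROP target are hypothetical placeholders, and the `--match-set` form assumes ipset v6.

```shell
#!/bin/sh
# Constructed example; ExampleInboundBlock / ExampleOutboundBlock are placeholders.
IPT="${IPT:-iptables}"      # overridable so the logic can be dry-run
IPSET="${IPSET:-ipset}"

# Insert "-m set --match-set <set> <dir> -j DROP" into <chain> exactly once.
# Copies left by earlier runs are deleted first, so a restart that did not
# flush the chain cannot leave duplicated rules behind.
add_once() {
    ao_chain=$1 ao_set=$2 ao_dir=$3
    while $IPT -D "$ao_chain" -m set --match-set "$ao_set" "$ao_dir" -j DROP 2>/dev/null; do
        :
    done
    $IPT -I "$ao_chain" -m set --match-set "$ao_set" "$ao_dir" -j DROP
}

# Re-instate rules only for sets handled by name below, and only when the
# set is already loaded (the blocklist script builds it; this re-links it).
restore_rules() {
    for rr_set in "$@"; do
        if ! $IPSET -L "$rr_set" >/dev/null 2>&1; then
            echo "firewall-start: ipset $rr_set not loaded, skipping" >&2
            continue
        fi
        case "$rr_set" in
            ExampleInboundBlock)
                add_once INPUT "$rr_set" src
                add_once FORWARD "$rr_set" src ;;
            ExampleOutboundBlock)
                add_once FORWARD "$rr_set" dst ;;
            *)
                echo "firewall-start: no rule defined for $rr_set" >&2 ;;
        esac
    done
}

# Run only when installed as the hook itself, e.g. /jffs/scripts/firewall-start.
if [ "${0##*/}" = "firewall-start" ]; then
    restore_rules ExampleInboundBlock ExampleOutboundBlock
fi
```

The delete-then-insert loop is used instead of `iptables -C` so the script does not depend on the check option being available in the router's iptables build.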
 
