Own firewall and policy routing on PMG

andreisrr

Feb 2, 2024
I am testing PMG for deployment into an environment that has some restrictions that would require firewall rules and policy routing rules on the PMG itself (not having an upstream firewall, administration interface restricted to given IPs, also via VPN that is routed through a different router than the subnet default gateway).

On a generic Linux machine these are simply accomplished with `iptables` and `ip` utilities.
Basic intuition is to create a script with the necessary commands and have it run at startup. Something like a `/etc/rc.local`.

Having little experience on Debian family distributions and PMG being a significantly modified Debian derivative, what would be the best way of accomplishing this?
 
PMG is based on Debian as you correctly pointed out - the only thing that might be of interest in this case is that it ships `ifupdown2` instead of ifupdown for network interface configuration - but else I currently don't see anything in PMG that would prevent you from doing this.
(Of course I might overlook something - but then just reply and we'll see how/if this can be repaired)

If you create this as a new service I'd strongly suggest to go with `nftables` for NAT/packet filtering, and using a proper systemd-service file instead of /etc/rc.local

I hope this helps!
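
The setup suggested in the reply above, sketched as an added example (not part of the thread and not Proxmox's own configuration): a default-drop `nftables` ruleset plus a oneshot systemd unit for the policy route. All addresses, the interface name, the routing table id and the unit name `pmg-policy-route` are constructed assumptions; 8006 is the PMG web interface port, and on Debian the packaged `nftables.service` loads `/etc/nftables.conf`.

```shell
#!/bin/sh
# Added example. All addresses and names below are constructed placeholders.
ADMIN_NETS="192.0.2.10, 198.51.100.0/24"  # sources allowed to reach SSH and the web UI
VPN_NET="198.51.100.0/24"                 # VPN client range
VPN_GW="192.0.2.254"                      # router leading to the VPN (not the default gateway)
LAN_IF="eth0"; RT_TABLE=100               # assumed interface and free routing table id
render_nft() {  # default-drop input; SMTP for everyone, admin ports for ADMIN_NETS only
cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
  set admin_nets { type ipv4_addr; flags interval; elements = { $ADMIN_NETS } }
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    meta l4proto { icmp, ipv6-icmp } accept
    tcp dport 25 accept
    ip saddr @admin_nets tcp dport { 22, 8006 } accept
  }
  chain forward { type filter hook forward priority 0; policy drop; }
}
EOF
}

render_unit() {  # oneshot unit: traffic to VPN_NET leaves via VPN_GW
cat <<EOF
[Unit]
Description=Policy routing for the management VPN
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/ip route replace default via $VPN_GW dev $LAN_IF table $RT_TABLE
ExecStart=/sbin/ip rule add to $VPN_NET lookup $RT_TABLE priority 1000
ExecStop=/sbin/ip rule del to $VPN_NET lookup $RT_TABLE priority 1000

[Install]
WantedBy=multi-user.target
EOF
}
if [ "${1:-}" = "install" ]; then  # run as root; the ruleset is syntax-checked before it replaces the old one
  render_nft > /etc/nftables.conf.new && nft -c -f /etc/nftables.conf.new && mv /etc/nftables.conf.new /etc/nftables.conf || exit 1
  render_unit > /etc/systemd/system/pmg-policy-route.service
  systemctl daemon-reload && systemctl enable --now nftables pmg-policy-route
fi
```

Run without arguments the script changes nothing; `render_nft` and `render_unit` can be called to review the generated files before running it with `install` from a console session that does not depend on the rules being correct.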
 
