In file /etc/init.d/iptables, scroll down to the stop() function. You'll see the line:

    /sbin/iptables-save ${SAVE_RESTORE_OPTIONS} > ${IPTABLES_SAVE}

This looks harmless enough by itself, however take this scenario: An administrator uses "rc-update add iptables default", but doesn't get around to creating the iptables commands. That's OK - he'll get an error "Not starting iptables. First create some rules...etc" when it runs again. But then he reboots the PC. The line above saves the output of iptables-save to ${IPTABLES_SAVE}, regardless of it previously existing or not. Sure, this won't make any difference to the iptables setup, however the "Not starting iptables..." message has now vanished, leaving the forgetful administrator to assume that he already made the change.

The seemingly easiest solution: In function stop() do:

    # This way we don't forget to save changes
    if [ -f "${IPTABLES_SAVE}" ]; then
        /sbin/iptables-save ${SAVE_RESTORE_OPTIONS} > "${IPTABLES_SAVE}"
    else
        einfo "You have not yet saved your iptables settings!"
        einfo "You need to run: '/etc/init.d/iptables save'"
    fi
    ...
Here's another problem in the iptables init-script...

    # ./iptables start
     * Loading iptables state and starting firewall...
     * Not starting iptables. First create some rules then run
     * /etc/init.d/iptables save                                    [ ok ]
    # ./iptables start
     * WARNING: "iptables" has already been started.

The problem here is that it should be recognizing that the first time it didn't start successfully.
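Both comments above describe the same root cause: the init script treats "no rules file yet" as success, so stop() writes a phantom rules file at shutdown and the rc framework marks the service as started. The script below is an added example (not the Gentoo init script or anyone's posted code) that models that start/stop logic in plain sh and runs the reboot scenario against the original and the fixed behaviour. It assumes a shell function standing in for /sbin/iptables-save, a marker file standing in for the framework's "started" state, and a run_service function standing in for the rc framework that only records "started" when start() returns 0.

```shell
#!/bin/sh
# Added example: a model of the iptables init script's start/stop logic.
# Assumptions: fake_iptables_save stands in for /sbin/iptables-save,
# STARTED_MARKER stands in for the rc framework's "started" state, and
# run_service stands in for the framework that calls start()/stop().

WORKDIR="${WORKDIR:-$(mktemp -d)}"
IPTABLES_SAVE="$WORKDIR/rules-save"
STARTED_MARKER="$WORKDIR/started"

# Stand-in for /sbin/iptables-save: emits a constructed, empty ruleset.
fake_iptables_save() {
    printf '*filter\n:INPUT ACCEPT [0:0]\nCOMMIT\n'
}

# Original start(): prints the warning but still reports success, so the
# framework records the service as started even though nothing was loaded.
start_original() {
    if [ ! -f "$IPTABLES_SAVE" ]; then
        echo "Not starting iptables. First create some rules then run"
        echo "/etc/init.d/iptables save"
        return 0
    fi
    return 0   # restore of the saved rules would happen here
}

# Fixed start(): a missing rules file is a failure, so "started" is never set
# and a second "start" repeats the real message instead of "already started".
start_fixed() {
    if [ ! -f "$IPTABLES_SAVE" ]; then
        echo "Not starting iptables. First create some rules then run"
        echo "/etc/init.d/iptables save"
        return 1
    fi
    return 0
}

# Original stop(): saves unconditionally, creating a rules file the admin
# never asked for and silencing the "Not starting" message on the next boot.
stop_original() {
    fake_iptables_save > "$IPTABLES_SAVE"
    return 0
}

# Fixed stop(): only refresh a rules file that the admin already created.
stop_fixed() {
    if [ -f "$IPTABLES_SAVE" ]; then
        fake_iptables_save > "$IPTABLES_SAVE"
    else
        echo "You have not yet saved your iptables settings!"
        echo "You need to run: '/etc/init.d/iptables save'"
    fi
    return 0
}

# Stand-in for the rc framework: refuses a second start once "started" is
# recorded, and records "started" only when the action reports success.
run_service() {   # $1 = original|fixed, $2 = start|stop
    if [ "$2" = start ] && [ -f "$STARTED_MARKER" ]; then
        echo "WARNING: \"iptables\" has already been started."
        return 0
    fi
    if "${2}_${1}"; then
        [ "$2" = start ] && : > "$STARTED_MARKER"
        [ "$2" = stop ] && rm -f "$STARTED_MARKER"
        return 0
    fi
    return 1
}

# Reboot scenario from the report: service enabled, rules never saved, box
# restarted. Prints "<first line of a second start>|<rules file state>".
simulate() {   # $1 = original|fixed
    rm -f "$IPTABLES_SAVE" "$STARTED_MARKER"
    run_service "$1" start >/dev/null || true              # boot, no rules yet
    second=$(run_service "$1" start | head -n 1 || true)   # admin runs start again
    run_service "$1" stop >/dev/null || true               # shutdown
    if [ -f "$IPTABLES_SAVE" ]; then rules=present; else rules=absent; fi
    printf '%s|%s\n' "$second" "$rules"
}

printf 'original: %s\n' "$(simulate original)"
printf 'fixed:    %s\n' "$(simulate fixed)"
```

Run as-is: the original variant reports "already been started" on the second start and leaves a rules file behind after stop, which is exactly the phantom file that hides the message on the next boot; the fixed variant repeats the "Not starting iptables" message and leaves no rules file until the administrator runs "/etc/init.d/iptables save" themselves.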
Updated.