在桥上设置防火墙时的困惑

我在制定 IPTABLE 规则时遇到一些困惑。

auto lo
iface lo inet loopback

# The primary network interface
auto eth2
iface eth2 inet manual

auto br0
iface br0 inet static
        address 192.168.1.17
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.100.255
        gateway 192.168.100.100
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 192.168.103.2
        dns-search mydomain.com
        bridge_ports eth2
        bridge_fd 9
        bridge_hello 2
        bridge_maxage 12
        bridge_stp off

以上是我的桥接配置，我应该把 pre-up iptables-restore 行放在上面的哪里。