On 10/03/2013 04:28 PM, Kerin Millar wrote:
>
> The iptables runscript is ideal for persisting the rules. However,
> during the initial construction of a non-trivial ruleset, I prefer to
> write a script that adds the rules. An elegant way of doing this is to
> use iptables-restore with a heredoc. The method - and its advantages -
> are described in this document (section 3):
>
> http://inai.de/documents/Perfect_Ruleset.pdf
>
This advice is dubious in my opinion. The `iptables` command line is the published interface to iptables. The iptables-restore syntax is an implementation detail, subject to change at any time.

Here are his arguments:

1. Calling iptables repeatedly is slow. Who cares? How often do you invoke the script? Once or twice a year when you change it.

2. There is an opportunity for someone to bypass the rules between dropping/recreating them. Again, you run the script once or twice a year. Turn off the interface beforehand if a few microseconds per year is too long to run without a firewall.

And my counterarguments:

1. The iptables-restore syntax is uglier and harder to read.

2. You get better error reporting calling iptables repeatedly.

3. The published interface will never change; iptables-restore reads an input language whose specification is "whatever iptables-save outputs."

4. A bash script is far more standard and less confusing to your coworkers.

5. You can't script iptables-restore! What if you want to call sed, cut, or grep on something and pass that to iptables? You can write a bash script that writes an iptables-restore script to accomplish the same thing, but how much complexity are you willing to add for next to no benefit?
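As an added example (my own, not code from either message or from the Perfect_Ruleset document), here is the "script that calls iptables repeatedly" style discussed above, written so that a failing rule is reported by its full command line (the error-reporting point) and so that the SSH source networks are pulled out of a text file with grep and cut (the scripting point). A second function emits the same ruleset in iptables-restore syntax for comparison. The function names rule, admin_nets, build_ruleset and restore_text, the "name cidr" admins file format and the rules themselves are my assumptions; IPTABLES is substitutable so the script can be dry-run without root.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a ruleset with repeated iptables
# calls, reporting exactly which rule failed, and derives rule arguments from
# a text file with grep/cut. rule, admin_nets, build_ruleset, restore_text and
# the "name cidr" admins file format are hypothetical.
# IPTABLES is substitutable for a dry run without root, e.g.
#   IPTABLES=echo sh firewall.sh admins.txt
IPTABLES="${IPTABLES:-iptables}"

# Run one iptables command. On failure, report the failing command line on
# stderr and return its exit status so the caller can stop instead of
# silently loading a half-built ruleset.
rule() {
    "$IPTABLES" "$@" || {
        status=$?
        echo "rule failed (exit $status): iptables $*" >&2
        return $status
    }
}

# Print the allowed admin networks from a file of "name cidr" lines,
# skipping comment lines and blank entries (grep/cut feeding iptables).
admin_nets() {
    grep -v '^#' "$1" | cut -d' ' -f2 | grep -v '^$'
}

# Flush and rebuild the filter table: default-deny inbound, allow loopback,
# established/related, ICMP, and SSH only from the listed admin networks.
build_ruleset() {
    admins_file="$1"
    [ -r "$admins_file" ] || { echo "cannot read $admins_file" >&2; return 1; }
    rule -F && rule -X &&
    rule -P INPUT DROP && rule -P FORWARD DROP && rule -P OUTPUT ACCEPT &&
    rule -A INPUT -i lo -j ACCEPT &&
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT &&
    rule -A INPUT -m conntrack --ctstate INVALID -j DROP &&
    rule -A INPUT -p icmp -j ACCEPT || return $?
    # A failing rule exits the loop's subshell with its status; the pipeline
    # status then propagates through "|| return".
    admin_nets "$admins_file" | while read -r net; do
        rule -A INPUT -p tcp --dport 22 -s "$net" -j ACCEPT || exit $?
    done || return $?
    rule -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
}

# For comparison: the same ruleset as iptables-restore input generated from
# the same file (restore_text admins.txt | iptables-restore). It loads
# atomically, but iptables-restore reports a bad rule by the line number of
# this generated text rather than as the iptables command that failed.
restore_text() {
    admins_file="$1"
    [ -r "$admins_file" ] || { echo "cannot read $admins_file" >&2; return 1; }
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p icmp -j ACCEPT'
    admin_nets "$admins_file" | while read -r net; do
        printf -- '-A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$net"
    done
    printf '%s\n' \
        '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "' \
        'COMMIT'
}

# Standalone use: sh firewall.sh admins.txt [restore]
if [ -n "$1" ]; then
    case "$2" in
        restore) restore_text "$1" ;;
        *)       build_ruleset "$1" ;;
    esac
fi
```

Running it with IPTABLES=echo prints every command that would be executed, which is also a convenient way to diff the ruleset before it is loaded for real.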