On 14/10/13 04:07, Martin Vaeth wrote:
> Michael Orlitzky <[email protected]> wrote:
>>>> [...]
>>>> If you have a million rules and you need to wipe/reload them all
>>>> frequently you're probably doing something wrong to begin with.
>>>
>>> I don't know how this is related to the discussion.
>>> The main advantage of using iptables-restore is avoidance of
>>> race conditions. A secondary advantage is a speed improvement;
>>> in my case, the machine boots about 2 seconds faster which can
>>> be a considerable advantage if you start virtual machines.
>>>
>>
>> I was just reiterating that there's not much benefit to save/restore if
>> you're doing things properly (pontification alert!).
>
> For a laptop of a scientist like me this is not true at all - it must
> often be connected in a different environment with different
> local nets etc.
> Also for other things (like portknocking using the recent module)
> you need rather complex rules which are better rewritten by a script,
> especially if the length of a portknocking sequence changes.
> Like passwords, these sequences should better not stay the same for
> too long...
>
... If you are going to go to this bother ... why not use shorewall, create a custom configuration for each site (including any changes to services) and have your script just copy them in and restart the various services, including shorewall?

I have a number of networks, from hotspots to places where I need combinations of vpns, web servers and asterisk available for demonstrations in lecture theatres, through to travelling and using hotel networks. The iptables save feature gets a bit difficult to use with complex setups, and if you are doing something dynamic with the rules (fail2ban for instance) it can save inappropriate rules which need manual culling.

I use a simple script with autosetup using network-manager (yuk, horrible thing!) to detect known gateways and trigger the script with that argument for either wifi or cable as appropriate (or setup for anonymous hotspot for unknown wifi, basic dhcp if unknown cable) - this is on a macbook air if that matters.

BillK
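The per-environment switching BillK describes, as an added example written for this thread and not code from either poster: a POSIX sh script that maps the current default gateway to a named firewall profile and loads it with a single atomic iptables-restore, which is also the race-free loading Martin Vaeth argues for. The profile directory, file naming and the gateway-to-profile table are assumptions constructed for the example; the profiles are expected to be hand-maintained iptables-save dumps rather than dumps taken from a live machine, so dynamic fail2ban chains never get frozen into them. Unknown gateways fall through to a deny-by-default "hotspot" profile, which is the safe direction for an unrecognised network.

```shell
#!/bin/sh
# Added example (not part of the thread): pick a firewall profile from the
# default gateway and load it atomically with iptables-restore.
# Assumed layout: $PROFILE_DIR/<profile>.rules, one iptables-save dump per
# environment, maintained by hand (not regenerated from a live box).

PROFILE_DIR="${PROFILE_DIR:-/etc/firewall/profiles}"

# Map a default gateway address to a profile name. Unknown gateways get the
# most restrictive profile ("hotspot"), so a strange network never inherits
# the office or home rules. The addresses below are constructed examples.
profile_for_gateway() {
    case "$1" in
        192.0.2.1)    echo office ;;   # constructed: lecture-theatre LAN
        198.51.100.1) echo home ;;     # constructed: home router
        "")           echo nonet ;;    # no default route at all
        *)            echo hotspot ;;  # anything unrecognised: deny by default
    esac
}

# Current IPv4 default gateway from the kernel routing table (empty if none).
current_gateway() {
    ip -4 route show default 2>/dev/null | awk '/^default/ {print $3; exit}'
}

# Validate the ruleset without committing it (iptables-restore --test), then
# commit it in one restore so there is never a window with a half-built table.
load_profile() {
    file="$PROFILE_DIR/$1.rules"
    if [ ! -r "$file" ]; then
        echo "missing profile: $file" >&2
        return 1
    fi
    if ! iptables-restore --test < "$file"; then
        echo "ruleset failed to parse: $file" >&2
        return 1
    fi
    iptables-restore < "$file"
}

main() {
    gw=$(current_gateway)
    profile=$(profile_for_gateway "$gw")
    echo "gateway=${gw:-none} profile=$profile"
    load_profile "$profile"
}

# Run main only when invoked as fw-switch.sh; sourcing the file just defines
# the functions (handy for a network-manager dispatcher hook that sources it).
case "$0" in
    *fw-switch.sh) main "$@" ;;
esac
```

Install it as fw-switch.sh and call it from the network-manager dispatcher (or whatever triggers on link-up) as root; the `--test` pass means a typo in a profile leaves the previous ruleset in place instead of the firewall half-loaded.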

