-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07-Jul-2002/00:40 -0400, "Joseph R. Erlewein" <[EMAIL PROTECTED]> wrote:
>* a word of caution *
>
>It looks like you're attempting to edit the iptables file in /etc/sysconfig.
>
>I wouldn't do this. This file is created every time you execute:
>
>/etc/rc.d/init.d/iptables save
That command is executed whenever the iptables service is stopped or
restarted using:

  service iptables stop|restart

or

  /etc/rc.d/init.d/iptables stop|restart

>when you do a "restore" instead of a save, this ruleset is loaded.

That happens when the iptables service is started or restarted.

>Since you're just learning about iptables, editing this file is NOT the
>best approach - I would start by using a simple script that sets things
>how you need it using the iptables command line directive, and get your
>ruleset how you want it. Then, I would issue the save directive, reboot,
>and see how things come up.

I have a shell script that consists of some setup stuff and a series of
ipchains commands, ending with 'service ipchains save'. So every time I
make a change and run the script, my settings are both implemented and
saved. The script includes lots of comments and is designed to be easily
maintainable. I don't even look at /etc/sysconfig/ipchains.

The script lets me do things like use grep and cut to parse resolv.conf
for nameserver IP addresses, put them in a list:

  dnslist=`grep '^nameserver' /etc/resolv.conf | cut -f 2 -d ' '`

Then I use a loop to allow DNS connections to the IP addresses in the list:

  for dns in $dnslist
  do
    ipchains --append input --interface $ext --protocol udp \
      --source $dns domain --destination-port 1024: --jump ACCEPT
    ipchains --append input --interface $ext --protocol tcp \
      --source $dns domain --destination-port 1024: --jump ACCEPT
  done

So whenever I change resolv.conf, I just run the firewall script and the
rules are updated and saved.

I have commands that use ifconfig and ipcalc to get the IP address,
network, and netmask for my LAN interface and set a $lan variable that
makes it easy to specify the LAN as a source or destination. If I change
my LAN numbering scheme the script will pick it up automatically. All I
have to do is set a variable that tells it which interface is internal
and which is external.
I realize you're using iptables, but the same methods could be used to
simplify your firewall maintenance.

Tony

- --
Anthony E. Greene <mailto:[EMAIL PROTECTED]>
OpenPGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26 C484 A42A 60DD 6C94 239D
AOL/Yahoo Messenger: TonyG05
HomePage: <http://www.pobox.com/~agreene/>
Linux. The choice of a GNU generation <http://www.linux.org/>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Anthony E. Greene <mailto:[EMAIL PROTECTED]> 0x6C94239D

iD8DBQE9KNtrpCpg3WyUI50RAh3IAKDfUMo1gm6ZuXzXSP0i+2Zz+IHZ0gCZAb69
Ce3MtvhvXbVVFCbQPil/Nfc=
=b5tY
-----END PGP SIGNATURE-----

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
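The resolv.conf-driven loop above, carried over to iptables as the reply suggests. This is an added example and not the script from the post or anything Red Hat ships: the interface name eth0 and the sample resolv.conf text are constructed for the example, the functions print the iptables commands instead of running them (so the output can be reviewed before it is piped to sh as root), and the second rule set is an addition that uses the iptables state match, which the post's ipchains rules have no equivalent for.

```sh
#!/bin/sh
# Added example (not the poster's script). Builds DNS-reply rules for
# iptables from resolv.conf-style text, the way the post does for ipchains.
# "eth0" and SAMPLE_RESOLV are constructed for the example.

# Print the nameserver addresses found in resolv.conf text read on stdin.
# awk splits on any run of blanks, so a tab after "nameserver" is fine,
# and "search"/"options"/comment lines are ignored.
dns_servers() {
    awk '$1 == "nameserver" { print $2 }'
}

# The post's rule, in iptables form: accept packets from each resolver's
# port 53 to any unprivileged local port on the external interface.
# $1 = external interface; remaining args = resolver addresses.
dns_rules_loose() {
    ext="$1"; shift
    for dns in "$@"; do
        for proto in udp tcp; do
            echo "iptables -A INPUT -i $ext -p $proto -s $dns --sport 53 --dport 1024: -j ACCEPT"
        done
    done
}

# Tighter variant (an addition, not in the post): only accept packets that
# connection tracking matches to a query this host already sent. A packet
# that merely arrives from port 53 aimed at a high port does not get through.
dns_rules_stateful() {
    ext="$1"; shift
    for dns in "$@"; do
        for proto in udp tcp; do
            echo "iptables -A INPUT -i $ext -p $proto -s $dns --sport 53 -m state --state ESTABLISHED -j ACCEPT"
        done
    done
}

# Constructed sample resolv.conf; not a real file from the post.
SAMPLE_RESOLV='# generated by dhclient
search example.net
nameserver 192.0.2.53
nameserver 198.51.100.53
options timeout:2'

# Usage: build the resolver list once, then generate both rule sets.
# Rerun this (and then "service iptables save") whenever resolv.conf changes.
resolvers=$(printf '%s\n' "$SAMPLE_RESOLV" | dns_servers)
echo "# loose rules, as in the post:"
dns_rules_loose eth0 $resolvers
echo "# stateful rules:"
dns_rules_stateful eth0 $resolvers
```

The difference between the two rule sets is the security-relevant point: the loose rule trusts the source port, so anything able to send from port 53 at a resolver's address (or spoof it) reaches every unprivileged port the host listens on, while the stateful rule only passes replies to queries this host actually sent. `-m state` is the classic spelling; current iptables also accepts `-m conntrack --ctstate ESTABLISHED`, and a single `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule near the top of INPUT covers DNS replies along with everything else the host initiates.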