Re: [gentoo-user] Where to put advanced routing configuration?
On Fri, Oct 4, 2013 at 5:58 PM, Michael Orlitzky mich...@orlitzky.com wrote:
> 1. The iptables-restore syntax is uglier and harder to read.

I don't get this - the syntax is *chain and then :tables (with optional counters) instead of -N, and then a bunch of rules, and then a COMMIT command (the only thing you don't get on the command line). What am I missing or how is this uglier?
Re: [gentoo-user] Where to put advanced routing configuration?
On 10/13/2013 06:26 AM, shawn wilson wrote:
> On Fri, Oct 4, 2013 at 5:58 PM, Michael Orlitzky mich...@orlitzky.com wrote:
>> 1. The iptables-restore syntax is uglier and harder to read.
>
> I don't get this - the syntax is *chain and then :tables (with optional counters) instead of -N, and then a bunch of rules, and then a COMMIT command (the only thing you don't get on the command line). What am I missing or how is this uglier?

That's not the syntax, because there is no syntax, but let's forget that point anyway because it's subjective.
Re: [gentoo-user] Where to put advanced routing configuration?
On 10/03/2013 08:27 PM, Grant Edwards wrote:
> Let's say you wanted to configure routing of TCP packets based on destination port like in this example:
>
>   http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.netfilter.html
>
> [which contains a series of 'ip' and 'iptables' commands to get packets destined for port 25 to use a specific gateway.]
>
> How do I do this the right way on a Gentoo system?
>
> Based on reading http://www.gentoo.org/doc/en/home-router-howto.xml, I think I've figured out how to do the iptables part: you enter the 'iptables' commands by hand to get the iptables set up the way you want, then you do this:
>
>   # /etc/init.d/iptables save
>   # rc-update add iptables default
>
> What about the 'ip' commands required to set up the tables, routes, and rules? Do those go in a startup script somewhere? Does one just edit /etc/iproute2/rt_tables by hand? One would assume route configuration belongs in /etc/conf.d/net -- I've read through the advanced networking stuff in the handbook, but it's not apparent to me where those 'ip' commands belong.

in /etc/conf.d/net just add the following (adjust as appropriate)

  rules_eth1=( from all to 8.8.8.8/24 lookup 101 )
Re: [gentoo-user] Where to put advanced routing configuration?
On 10/03/2013 04:28 PM, Kerin Millar wrote:
> The iptables runscript is ideal for persisting the rules. However, during the initial construction of a non-trivial ruleset, I prefer to write a script that adds the rules. An elegant way of doing this is to use iptables-restore with a heredoc. The method - and its advantages - are described in this document (section 3):
>
>   http://inai.de/documents/Perfect_Ruleset.pdf

This advice is dubious in my opinion. The `iptables` command line is the published interface to iptables. The iptables-restore syntax is an implementation detail, subject to change at any time.

Here are his arguments:

1. Calling iptables repeatedly is slow.

   Who cares? How often do you invoke the script? Once or twice a year when you change it.

2. There is an opportunity for someone to bypass the rules between dropping/recreating them.

   Again, you run the script once or twice a year. Turn off the interface beforehand if a few microseconds per year is too long to run without a firewall.

And my counterarguments:

1. The iptables-restore syntax is uglier and harder to read.

2. You get better error reporting calling iptables repeatedly.

3. The published interface will never change; iptables-restore reads an input language whose specification is whatever iptables-save outputs.

4. A bash script is far more standard and less confusing to your coworkers.

5. You can't script iptables-restore! What if you want to call sed, cut, or grep on something and pass that to iptables? You can write a bash script that writes an iptables-restore script to accomplish the same thing, but how much complexity are you willing to add for next to no benefit?
Re: [gentoo-user] Where to put advanced routing configuration?
On Fri, 04 Oct 2013 17:58:14 -0400 Michael Orlitzky mich...@orlitzky.com wrote:
> On 10/03/2013 04:28 PM, Kerin Millar wrote:
>> The iptables runscript is ideal for persisting the rules. However, during the initial construction of a non-trivial ruleset, I prefer to write a script that adds the rules. An elegant way of doing this is to use iptables-restore with a heredoc. The method - and its advantages - are described in this document (section 3):
>>
>>   http://inai.de/documents/Perfect_Ruleset.pdf
>
> This advice is dubious in my opinion. The `iptables` command line is the published interface to iptables. The iptables-restore syntax is an implementation detail, subject to change at any time.
>
> Here are his arguments:
>
> 1. Calling iptables repeatedly is slow.
>
>    Who cares? How often do you invoke the script? Once or twice a year when you change it.
>
> 2. There is an opportunity for someone to bypass the rules between dropping/recreating them.
>
>    Again, you run the script once or twice a year. Turn off the interface beforehand if a few microseconds per year is too long to run without a firewall.
>
> And my counterarguments:
>
> 1. The iptables-restore syntax is uglier and harder to read.
>
> 2. You get better error reporting calling iptables repeatedly.
>
> 3. The published interface will never change; iptables-restore reads an input language whose specification is whatever iptables-save outputs.
>
> 4. A bash script is far more standard and less confusing to your coworkers.
>
> 5. You can't script iptables-restore! What if you want to call sed, cut, or grep on something and pass that to iptables? You can write a bash script that writes an iptables-restore script to accomplish the same thing, but how much complexity are you willing to add for next to no benefit?

Hi,

Many people use netfilter for busy firewalls, not just for set and forget firewalls. Having hundreds or thousands of rules and IPs makes managing netfilter with iptables problematic. That is when it's advisable to change the filter in one swoop with restore or ipset. Bottom line is your individual use case is just that, individual.
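The format the thread argues about, and the "you can't script iptables-restore" objection, can both be seen in one small script. This is an added example written for this page; it is not from the thread, from Gentoo, or from the Perfect_Ruleset document. It assumes a constructed two-line policy (service name and TCP port), a hypothetical fwmark value of 1 for the LARTC-style port-25 routing case, and the real `iptables-restore --test` option for a parse-only run; the policy is preprocessed with grep and awk by the shell script that writes the restore text, which is the route Michael's fifth point describes.

```shell
#!/bin/sh
# Added example (not from the thread or the Perfect_Ruleset document):
# build an iptables-restore ruleset from shell data, check it, then commit it.
# The ruleset is produced as text first, so it can be read, diffed, parsed
# with `iptables-restore --test`, and only then loaded; nothing here touches
# the kernel unless apply_ruleset is invoked as root.

# Constructed sample policy (in real use, a file): "service port" per line.
POLICY='# service     tcp-port
smtp          25
submission    587
'

# Hypothetical fwmark value for the LARTC-style port-based routing case.
FWMARK=1

# Extract the port column with grep and awk: the kind of preprocessing the
# thread says iptables-restore itself cannot do, done instead by the script
# that writes the restore text.
policy_ports() {
    printf '%s\n' "$POLICY" | grep -v '^#' | awk 'NF == 2 { print $2 }'
}

# Emit the mangle table in restore format: "*table" opens a table,
# ":CHAIN POLICY [packets:bytes]" declares a chain (counters reset to 0:0),
# "-A" lines take ordinary iptables arguments, and COMMIT ends the table.
# Lines starting with '#' are comments to iptables-restore.
build_mangle_ruleset() {
    local mark port
    mark=$1; shift
    cat <<EOF
# generated by build_mangle_ruleset; do not edit by hand
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
EOF
    for port in "$@"; do
        printf '%s\n' "-A PREROUTING -p tcp --dport $port -j MARK --set-mark $mark"
    done
    echo COMMIT
}

# Parse only, no commit (needs the iptables binary and root). On a bad
# line iptables-restore reports which input line failed, which is the
# error-reporting concern raised in the thread.
check_ruleset() {
    build_mangle_ruleset "$FWMARK" $(policy_ports) | iptables-restore --test
}

# Each table is committed in one kernel call at COMMIT, so the table is
# swapped whole rather than rule by rule: there is no interval in which
# the old rules are gone and the new ones are not yet present.
apply_ruleset() {
    build_mangle_ruleset "$FWMARK" $(policy_ports) | iptables-restore
}

case "${1:-show}" in
    show)  build_mangle_ruleset "$FWMARK" $(policy_ports) ;;
    check) check_ruleset ;;
    apply) apply_ruleset ;;
esac
```

Run it with no argument to print the generated text, with `check` to have iptables-restore parse it without committing, and with `apply` to load it. Keeping the generator separate from the loader is what makes the restore approach reviewable: the text can be kept in version control and diffed before anything is committed to the kernel.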
[gentoo-user] Where to put advanced routing configuration?
Let's say you wanted to configure routing of TCP packets based on destination port like in this example:

  http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.netfilter.html

[which contains a series of 'ip' and 'iptables' commands to get packets destined for port 25 to use a specific gateway.]

How do I do this the right way on a Gentoo system?

Based on reading http://www.gentoo.org/doc/en/home-router-howto.xml, I think I've figured out how to do the iptables part: you enter the 'iptables' commands by hand to get the iptables set up the way you want, then you do this:

  # /etc/init.d/iptables save
  # rc-update add iptables default

What about the 'ip' commands required to set up the tables, routes, and rules? Do those go in a startup script somewhere? Does one just edit /etc/iproute2/rt_tables by hand? One would assume route configuration belongs in /etc/conf.d/net -- I've read through the advanced networking stuff in the handbook, but it's not apparent to me where those 'ip' commands belong.

-- 
Grant
Re: [gentoo-user] Where to put advanced routing configuration?
On 03/10/2013 20:27, Grant Edwards wrote:
> Let's say you wanted to configure routing of TCP packets based on destination port like in this example:
>
>   http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.netfilter.html
>
> [which contains a series of 'ip' and 'iptables' commands to get packets destined for port 25 to use a specific gateway.]
>
> How do I do this the right way on a Gentoo system?
>
> Based on reading http://www.gentoo.org/doc/en/home-router-howto.xml, I think I've figured out how to do the iptables part: you enter the 'iptables' commands by hand to get the iptables set up the way you want, then you do this:
>
>   # /etc/init.d/iptables save
>   # rc-update add iptables default

The iptables runscript is ideal for persisting the rules. However, during the initial construction of a non-trivial ruleset, I prefer to write a script that adds the rules. An elegant way of doing this is to use iptables-restore with a heredoc. The method - and its advantages - are described in this document (section 3):

  http://inai.de/documents/Perfect_Ruleset.pdf

> What about the 'ip' commands required to set up the tables, routes, and rules? Do those go in a startup script somewhere? Does one just edit /etc/iproute2/rt_tables by hand? One would assume route configuration belongs

I would use the files under /etc/iproute2 for their intended purpose and a postup() hook in conf.d/net for anything else. When the postup() function is entered, the IFACE variable is automatically set to the name of the interface that triggered the event. Anything that is valid bash can go there.

> in /etc/conf.d/net -- I've read through the advanced networking stuff in the handbook, but it's not apparent to me where those 'ip' commands belong.
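Putting the two answers together (the rules_eth1 variable from the earlier reply and the /etc/iproute2 plus postup() hook approach from this one), here is what a /etc/conf.d/net fragment for the port-25 routing case could look like. This is an added example, not configuration from the thread or from Gentoo's documentation; the addresses 192.0.2.10/24 and 192.0.2.1, the interface eth1, the table name mail.out with number 101, and fwmark 1 are all hypothetical. It assumes the mark itself is set by a mangle rule that the iptables runscript persists, that /etc/iproute2/rt_tables carries the table name, and that netifrc's newline-separated string form is used for rules_eth1 (the earlier reply showed the older bash-array form).

```bash
# /etc/conf.d/net fragment: added example, not from the thread. It assumes
# (hypothetical values) that eth1 reaches the alternate gateway 192.0.2.1,
# that netfilter marks port-25 traffic with fwmark 1 (a mangle rule kept
# by '/etc/init.d/iptables save'), and that table 101 has been named in
# /etc/iproute2/rt_tables, which is that file's intended purpose:
#
#     echo "101 mail.out" >> /etc/iproute2/rt_tables

config_eth1="192.0.2.10/24"

# Policy rule netifrc installs when eth1 comes up (the thread's rules_eth1
# idea, with a fwmark selector instead of a destination): traffic carrying
# fwmark 1 is looked up in table mail.out instead of the main table.
rules_eth1="fwmark 1 lookup mail.out"

# Anything with no netifrc variable goes in a hook. IFACE names the
# interface that triggered the event, so one hook can serve every interface.
postup() {
    case "${IFACE}" in
        eth1)
            # The default route for marked traffic lives only in mail.out;
            # 'replace' keeps the hook idempotent across restarts.
            ip route replace default via 192.0.2.1 dev "${IFACE}" table mail.out
            ip route flush cache
            ;;
    esac
    return 0
}

# Undo the table contents when the interface goes down so a stale route
# does not survive into the next postup() run.
predown() {
    case "${IFACE}" in
        eth1) ip route flush table mail.out 2>/dev/null ;;
    esac
    return 0
}
```

The split follows Kerin's advice: the table name is data and goes in /etc/iproute2/rt_tables, the rule has a netifrc variable and goes there, and only the route into the named table, which needs the interface name, ends up in the hook. Hooks should return 0, otherwise netifrc treats the interface as having failed to come up.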