Re: [gentoo-user] scripted iptables-restore (was: Where to put advanced routing configuration?)

2013-10-13 Thread Pandu Poluan
On Oct 13, 2013 5:09 PM, "Martin Vaeth" wrote:
>
> >> 5. You can't script iptables-restore!
> >
> > Well, actually you can script iptables-restore.
>
> For those who are interested:
> net-firewall/firewall-mv from the mv overlay
> (available over layman) now provides a separate
> firewall-scripted.sh
> which can be conveniently used for such scripting.
>

Thanks, Martin! I was about to create my own preprocessor, but I'll check
out yours first. If it's what I had planned, may I contribute, too?

Rgds,
--


Re: [gentoo-user] scripted iptables-restore

2013-10-13 Thread Pandu Poluan
On Oct 13, 2013 9:15 PM, "Michael Orlitzky" wrote:
>
> On 10/13/2013 06:08 AM, Martin Vaeth wrote:
> >>> 5. You can't script iptables-restore!
> >>
> >> Well, actually you can script iptables-restore.
> >
> > For those who are interested:
> > net-firewall/firewall-mv from the mv overlay
> > (available over layman) now provides a separate
> > firewall-scripted.sh
> > which can be conveniently used for such scripting.
> >
>
> You snipped the rest of my point =)
>
> > You can write a bash script that writes an iptables-restore script to
> > accomplish the same thing, but how much complexity are you willing to
> > add for next to no benefit?
>
> If you have a million rules and you need to wipe/reload them all
> frequently you're probably doing something wrong to begin with.
>
> With bash, you can leverage all of the features of bash that everybody
> already knows. You can read files, call shell commands, pipe between
> them, etc. You can write bash functions to avoid repetitive commands.
> You can write inline comments to explain what the rules do.
>
> Something like,
>
>   # A function which sets up a static mapping between an external IP
>   # address and an internal one.
>   #
>   # USAGE: static_nat <internal_ip> <external_ip>
>   #
>   function static_nat() {
>   iptables -t nat -A PREROUTING  -d "${2}" -j DNAT --to "${1}"
>   iptables -t nat -A POSTROUTING -s "${1}" -j SNAT --to "${2}"
>   }
>
> can make your iptables script a lot cleaner, and it conveys your intent
> better when the rule is created:
>
>   # Danny likes to torrent "linux isos" at work so he needs a public ip
>   static_nat 192.168.1.x 1.2.3.x
>
> I'm not saying you can't do all of this with iptables-restore, just that
> you're punishing yourself for little benefit if you do.
>

One benefit of being familiar with iptables-save and iptables-restore: you
can use iptables-apply.

Might save your sanity if you fat-fingered your iptables rule.

Just do `iptables-apply -t 180 <( preprocessor.sh new-rules.conf)`. Changes
are done atomically. After 180 seconds, if you don't indicate to
iptables-apply that the changes are proper, it atomically reverts the whole
netfilter tables.

bash scripts are powerful, but there might be unexpected cases that render
the netfilter tables to be wildly different from what you actually want.

The file format used by iptables-{save,restore,apply} is more like a
domain-specific language; less chance of partial mistakes. And it's atomic:
Either everything gets applied, or none gets applied (without clobbering
existing in-effect rules).

Rgds,
--


Re: [gentoo-user] scripted iptables-restore

2013-10-13 Thread Michael Orlitzky
On 10/13/2013 06:08 AM, Martin Vaeth wrote:
>>> 5. You can't script iptables-restore!
>>
>> Well, actually you can script iptables-restore.
> 
> For those who are interested:
> net-firewall/firewall-mv from the mv overlay
> (available over layman) now provides a separate
> firewall-scripted.sh
> which can be conveniently used for such scripting.
> 

You snipped the rest of my point =)

> You can write a bash script that writes an iptables-restore script to
> accomplish the same thing, but how much complexity are you willing to
> add for next to no benefit?

If you have a million rules and you need to wipe/reload them all
frequently you're probably doing something wrong to begin with.

With bash, you can leverage all of the features of bash that everybody
already knows. You can read files, call shell commands, pipe between
them, etc. You can write bash functions to avoid repetitive commands.
You can write inline comments to explain what the rules do.

Something like,

  # A function which sets up a static mapping between an external IP
  # address and an internal one.
  #
  # USAGE: static_nat <internal_ip> <external_ip>
  #
  function static_nat() {
  iptables -t nat -A PREROUTING  -d "${2}" -j DNAT --to "${1}"
  iptables -t nat -A POSTROUTING -s "${1}" -j SNAT --to "${2}"
  }

can make your iptables script a lot cleaner, and it conveys your intent
better when the rule is created:

  # Danny likes to torrent "linux isos" at work so he needs a public ip
  static_nat 192.168.1.x 1.2.3.x

I'm not saying you can't do all of this with iptables-restore, just that
you're punishing yourself for little benefit if you do.
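The two positions in this thread are not mutually exclusive. The added example below (written for this summary, not code from either poster and not firewall-scripted.sh from the mv overlay) is a small preprocessor in Pandu's sense: shell functions like Michael's static_nat give readable, commented rule definitions, but instead of calling the iptables binary one rule at a time they emit iptables-restore syntax, so the finished rule set is still loaded atomically. The function names, the allow_tcp helper, and the RFC 1918/5737 addresses are all constructed for the example.

```shell
#!/bin/sh
# Constructed example: rule definitions in shell functions, output in
# iptables-restore format. A typo makes iptables-restore reject the whole
# dump instead of leaving half the rules in place, and iptables-apply can
# roll the load back if you lose access.

NL=$(printf '\n.'); NL=${NL%.}   # portable newline for string buffers
NAT_RULES=""
FILTER_RULES=""

# Append one rule line to the buffer of the given table.
add_nat()    { NAT_RULES="${NAT_RULES}$1${NL}"; }
add_filter() { FILTER_RULES="${FILTER_RULES}$1${NL}"; }

# USAGE: static_nat <internal_ip> <external_ip>
# Same idea as the posted static_nat, but it emits restore-format lines
# rather than running iptables for each rule.
static_nat() {
    add_nat "-A PREROUTING -d $2 -j DNAT --to-destination $1"
    add_nat "-A POSTROUTING -s $1 -j SNAT --to-source $2"
}

# USAGE: allow_tcp <port>   (new inbound TCP connections to this host)
allow_tcp() {
    add_filter "-A INPUT -p tcp --dport $1 -m conntrack --ctstate NEW -j ACCEPT"
}

# Print a complete iptables-restore dump from the collected rules.
# Chain policies live in the :CHAIN lines; each table ends with COMMIT.
render_ruleset() {
    printf '*nat\n'
    printf ':PREROUTING ACCEPT [0:0]\n:INPUT ACCEPT [0:0]\n'
    printf ':OUTPUT ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n'
    printf '%s' "$NAT_RULES"
    printf 'COMMIT\n'
    printf '*filter\n'
    printf ':INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s' "$FILTER_RULES"
    printf 'COMMIT\n'
}

# The rules themselves, written the way the thread suggests: one readable,
# commented line per intent (addresses are constructed for the example).
build_ruleset() {
    NAT_RULES=""; FILTER_RULES=""
    # Danny's workstation needs a public address.
    static_nat 192.168.1.50 203.0.113.50
    # Remote administration.
    allow_tcp 22
    render_ruleset
}

# Load it the way Pandu describes: iptables-apply swaps the tables in one
# step and reverts after -t seconds unless the change is confirmed.
# Only runs when the script is invoked as: ./ruleset.sh apply
if [ "${1:-}" = "apply" ]; then
    tmp=$(mktemp) || exit 1
    build_ruleset > "$tmp" && iptables-apply -t 180 "$tmp"
    rm -f "$tmp"
fi
```

Running the script with no argument just prints the dump, which is the habit worth keeping: review it, or feed it to `iptables-restore --test` to have it parsed without being committed, before asking iptables-apply to install it.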




[gentoo-user] scripted iptables-restore (was: Where to put advanced routing configuration?)

2013-10-13 Thread Martin Vaeth
>> 5. You can't script iptables-restore!
>
> Well, actually you can script iptables-restore.

For those who are interested:
net-firewall/firewall-mv from the mv overlay
(available over layman) now provides a separate
firewall-scripted.sh
which can be conveniently used for such scripting.