On Wed, Aug 23, 2006 at 11:51:23AM +1000, Mary Gardiner wrote:
> Is there a canonical way of writing interface specific iptables scripts?
>
> At the moment, I'm trying to write a couple of scripts with this
> behaviour to put in /etc/network/if[action].d/:
> - when lo comes up, add an iptables rule
> - when lo comes down, delete that same iptables rule
>
> Other rules, ideally, would not be touched by that.
>
> The trouble is that iptables doesn't seem to have great support for this
> automated rule-specific kind of operation. Individual rules can be
> deleted with -D, but only if you know the rule number which, as far as I
> can tell, you work out by running 'iptables -L' and counting the rules
> from the top of the chain.

I had something similar to this: I kept a directory of all the current
iptables rules and then converted it into input for iptables-save /
iptables-restore, which batch loads the tables (hence much faster than
flushing and re-adding your rules one by one). This gets rid of the need
to delete specific rows. I believe also that the batch load is atomic!

Alex

> So are people doing this kind of interface specific iptables rules, and
> if so, how are you doing it? Is there a blessed way, or just a bunch of
> ways?
>
> -Mary
> --
> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
>
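One way to build what Alex describes, as an added example that is not a script from the thread: each interface's rules live in their own fragment file, the ifupdown hook enables or disables that fragment, and the whole filter table is rebuilt and handed to iptables-restore in one atomic call, so nothing is ever deleted by chain position. The directory names, the .rules suffix, the LOADER override and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Alex's or Mary's own script). Per-interface rule
# fragments are kept in a directory, assembled into one iptables-restore
# table and loaded in a single call, so other interfaces' rules are never
# touched and no rule has to be removed by its number in the chain.
# Install as /etc/network/if-up.d/iptables-fragments and symlink it into
# if-down.d; ifupdown sets IFACE and MODE (start/stop) for both hooks.
# Directory names, the .rules suffix and LOADER are assumptions here.

AVAIL_DIR="${AVAIL_DIR:-/etc/iptables/rules-available}"   # all fragments
ENABLED_DIR="${ENABLED_DIR:-/etc/iptables/rules-enabled}" # active ones
LOADER="${LOADER:-iptables-restore}"   # overridable for dry runs / tests

# Emit a complete filter table built from every enabled fragment, in
# sorted filename order. A fragment holds bare "-A CHAIN ..." lines;
# blank lines and comments are skipped.
build_filter_table() {
    dir="$1"
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        grep -E '^-[AI] ' "$f" || true   # a fragment with no rules is fine
    done
    echo 'COMMIT'
}

# Enable the interface's fragment on "start", drop it on "stop", then
# replace the whole table in one iptables-restore call. Fragments of the
# other interfaces stay in $enabled, so their rules are reloaded unchanged.
apply_for_interface() {
    iface="$1" mode="$2" avail="$3" enabled="$4"
    case "$mode" in
        start)
            if [ -f "$avail/$iface.rules" ]; then
                cp "$avail/$iface.rules" "$enabled/$iface.rules"
            fi ;;
        stop)
            rm -f "$enabled/$iface.rules" ;;
        *)
            return 0 ;;   # unknown MODE: leave the running rules alone
    esac
    build_filter_table "$enabled" | "$LOADER"
}

# Only act when invoked by ifupdown and the fragment directory exists.
if [ -n "$IFACE" ] && [ -n "$MODE" ] && [ -d "$ENABLED_DIR" ]; then
    apply_for_interface "$IFACE" "$MODE" "$AVAIL_DIR" "$ENABLED_DIR"
fi
```

Setting LOADER=cat prints the table that would be loaded, which is a cheap way to review the result before pointing it at iptables-restore.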
