| 1 |
On Oct 13, 2013 9:15 PM, "Michael Orlitzky" <michael@××××××××.com> wrote: |
| 2 |
> |
| 3 |
> On 10/13/2013 06:08 AM, Martin Vaeth wrote: |
| 4 |
> >>> 5. You can't script iptables-restore! |
| 5 |
> >> |
| 6 |
> >> Well, actually you can script iptables-restore. |
| 7 |
> > |
| 8 |
> > For those who are interested: |
| 9 |
> > net-firewall/firewall-mv from the mv overlay |
| 10 |
> > (available over layman) now provides a separate |
| 11 |
> > firewall-scripted.sh |
| 12 |
> > which can be conveniently used for such scripting. |
| 13 |
> > |
| 14 |
> |
| 15 |
> You snipped the rest of my point =) |
| 16 |
> |
| 17 |
> > You can write a bash script that writes an iptables-restore script to |
| 18 |
> > accomplish the same thing, but how much complexity are you willing to |
| 19 |
> > add for next to no benefit? |
| 20 |
> |
| 21 |
> If you have a million rules and you need to wipe/reload them all |
| 22 |
> frequently you're probably doing something wrong to begin with. |
| 23 |
> |
| 24 |
> With bash, you can leverage all of the features of bash that everybody |
| 25 |
> already knows. You can read files, call shell commands, pipe between |
| 26 |
> them, etc. You can write bash functions to avoid repetitive commands. |
| 27 |
> You can write inline comments to explain what the rules do. |
| 28 |
> |
| 29 |
> Something like, |
| 30 |
> |
| 31 |
> # A function which sets up a static mapping between an external IP |
| 32 |
> # address and an internal one. |
| 33 |
> # |
| 34 |
> # USAGE: static_nat <internal ip> <external ip> |
| 35 |
> # |
| 36 |
> function static_nat() { |
| 37 |
> iptables -t nat -A PREROUTING -d "${2}" -j DNAT --to "${1}" |
| 38 |
> iptables -t nat -A POSTROUTING -s "${1}" -j SNAT --to "${2}" |
| 39 |
> } |
| 40 |
> |
| 41 |
> can make your iptables script a lot cleaner, and it conveys your intent |
| 42 |
> better when the rule is created: |
| 43 |
> |
| 44 |
> # Danny likes to torrent "linux isos" at work so he needs a public ip |
| 45 |
> static_nat 192.168.1.x 1.2.3.x |
| 46 |
> |
| 47 |
> I'm not saying you can't do all of this with iptables-restore, just that |
| 48 |
> you're punishing yourself for little benefit if you do. |
| 49 |
> |
| 50 |
|
| 51 |
One benefit of being familiar with iptables-save and iptables-restore : you |
| 52 |
can use iptables-apply. |
| 53 |
|
| 54 |
Might save your sanity if you fat-fingered your iptables rule. |
| 55 |
|
| 56 |
Just do `iptables-apply -t 180 <( preprocessor.sh new-rules.conf)`. Changes |
| 57 |
are done atomically. After 180 seconds, if you don't indicate to |
| 58 |
iptables-apply that the changes are proper, it atomically reverts the whole |
| 59 |
netfilter tables. |
| 60 |
|
| 61 |
bash scripts are powerful, but there might be unexpected cases that render |
| 62 |
the netfilter tables to be wildly different from what you actually want. |
| 63 |
|
| 64 |
The file format used by iptables-{save,restore,apply} is more like a |
| 65 |
domain-specific language; less chance of partial mistakes. And it's atomic: |
| 66 |
Either everything gets applied, or none gets applied (without clobbering |
| 67 |
existing in-effect rules). |
| 68 |
|
| 69 |
Rgds, |
| 70 |
-- |
Archives