On Oct 13, 2013 9:15 PM, "Michael Orlitzky" <michael@××××××××.com> wrote:
>
> On 10/13/2013 06:08 AM, Martin Vaeth wrote:
> >>> 5. You can't script iptables-restore!
> >>
> >> Well, actually you can script iptables-restore.
> >
> > For those who are interested:
> > net-firewall/firewall-mv from the mv overlay
> > (available over layman) now provides a separate
> > firewall-scripted.sh
> > which can be conveniently used for such scripting.
> >
>
> You snipped the rest of my point =)
>
> > You can write a bash script that writes an iptables-restore script to
> > accomplish the same thing, but how much complexity are you willing to
> > add for next to no benefit?
>
> If you have a million rules and you need to wipe/reload them all
> frequently you're probably doing something wrong to begin with.
>
> With bash, you can leverage all of the features of bash that everybody
> already knows. You can read files, call shell commands, pipe between
> them, etc. You can write bash functions to avoid repetitive commands.
> You can write inline comments to explain what the rules do.
>
> Something like,
>
> # A function which sets up a static mapping between an external IP
> # address and an internal one.
> #
> # USAGE: static_nat <internal ip> <external ip>
> #
> function static_nat() {
>   iptables -t nat -A PREROUTING -d "${2}" -j DNAT --to "${1}"
>   iptables -t nat -A POSTROUTING -s "${1}" -j SNAT --to "${2}"
> }
>
> can make your iptables script a lot cleaner, and it conveys your intent
> better when the rule is created:
>
> # Danny likes to torrent "linux isos" at work so he needs a public ip
> static_nat 192.168.1.x 1.2.3.x
>
> I'm not saying you can't do all of this with iptables-restore, just that
> you're punishing yourself for little benefit if you do.
>

One benefit of being familiar with iptables-save and iptables-restore: you
can use iptables-apply.

Might save your sanity if you fat-fingered your iptables rule.

Just do `iptables-apply -t 180 <( preprocessor.sh new-rules.conf)`. Changes
are done atomically. After 180 seconds, if you don't indicate to
iptables-apply that the changes are proper, it atomically reverts the whole
netfilter tables.

Bash scripts are powerful, but there might be unexpected cases that render
the netfilter tables wildly different from what you actually want.

The file format used by iptables-{save,restore,apply} is more like a
domain-specific language; less chance of partial mistakes. And it's atomic:
either everything gets applied, or none gets applied (without clobbering
existing in-effect rules).

Rgds,
--
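As an added example (not code from either poster, nor from firewall-mv), here is the kind of `preprocessor.sh` the `iptables-apply -t 180 <( preprocessor.sh new-rules.conf)` line presupposes: a shell script with helper functions and comments, as Michael argues for, that emits iptables-restore syntax rather than running iptables, so the result still lands atomically through iptables-apply. The `nat` and `allow` directives, the function names and the RFC 5737/private addresses are all constructed for this illustration.

```shell
#!/bin/sh
# Constructed example: a small "preprocessor" that reads a commented rule
# description on stdin and writes iptables-restore syntax on stdout, e.g.
#   iptables-apply -t 180 <( ./preprocessor.sh < new-rules.conf )
# The nat/allow directives, helper names and addresses are invented here.

nl='
'

# Loose IPv4 shape check (four dot-separated numeric groups).
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# TCP/UDP port number check.
is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Same intent as the quoted static_nat() helper, but it prints restore-format
# rules instead of calling iptables; the table comes from the "*nat" block
# these lines are placed in.  USAGE: static_nat_rules <internal> <external>
static_nat_rules() {
    printf '%s\n' "-A PREROUTING -d $2 -j DNAT --to-destination $1"
    printf '%s\n' "-A POSTROUTING -s $1 -j SNAT --to-source $2"
}

# Directives:  nat <internal ip> <external ip>
#              allow <tcp|udp> <port>
# Rules are buffered and written only after every line has validated, so a
# typo produces an error and *no* output rather than a half-built ruleset.
render_ruleset() {
    nat_rules=''
    filter_rules=''
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) continue ;;   # comments stay in the source file
        esac
        # shellcheck disable=SC2086
        set -- $line
        case $1 in
            nat)
                if [ $# -ne 3 ] || ! is_ipv4 "$2" || ! is_ipv4 "$3"; then
                    printf 'line %d: bad nat directive: %s\n' "$lineno" "$line" >&2
                    return 1
                fi
                nat_rules="${nat_rules}$(static_nat_rules "$2" "$3")${nl}"
                ;;
            allow)
                if [ $# -ne 3 ] || ! is_port "$3"; then
                    printf 'line %d: bad allow directive: %s\n' "$lineno" "$line" >&2
                    return 1
                fi
                case $2 in
                    tcp|udp) ;;
                    *) printf 'line %d: protocol must be tcp or udp: %s\n' "$lineno" "$line" >&2
                       return 1 ;;
                esac
                filter_rules="${filter_rules}-A INPUT -p $2 -m $2 --dport $3 -j ACCEPT${nl}"
                ;;
            *)
                printf 'line %d: unknown directive: %s\n' "$lineno" "$line" >&2
                return 1
                ;;
        esac
    done

    # Complete ruleset: iptables-restore replaces each listed table wholesale.
    printf '*nat\n'
    printf ':PREROUTING ACCEPT [0:0]\n:INPUT ACCEPT [0:0]\n'
    printf ':OUTPUT ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n'
    printf '%s' "$nat_rules"
    printf 'COMMIT\n'
    printf '*filter\n'
    printf ':INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    printf '%s' "$filter_rules"
    printf 'COMMIT\n'
}

# Demo on a constructed rule description.
render_ruleset <<'EOF'
# Danny needs a public address for his workstation
nat 192.168.1.10 203.0.113.10
# Admin access
allow tcp 22
EOF
```

Because the script buffers and validates before printing, a bad line means iptables-apply receives an empty file and iptables-restore rejects it, leaving the in-effect rules untouched; the 180-second timeout still covers the case where the ruleset is syntactically fine but locks you out.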