On 10/13/2013 06:08 AM, Martin Vaeth wrote:
>>> 5. You can't script iptables-restore!
>>
>> Well, actually you can script iptables-restore.
>
> For those who are interested:
> net-firewall/firewall-mv from the mv overlay
> (available over layman) now provides a separate
> firewall-scripted.sh
> which can be conveniently used for such scripting.
>

You snipped the rest of my point =)

> You can write a bash script that writes an iptables-restore script to
> accomplish the same thing, but how much complexity are you willing to
> add for next to no benefit?

If you have a million rules and you need to wipe/reload them all
frequently, you're probably doing something wrong to begin with.

With bash, you can leverage all of the features of bash that everybody
already knows. You can read files, call shell commands, pipe between
them, etc. You can write bash functions to avoid repetitive commands.
You can write inline comments to explain what the rules do.

Something like,

# A function which sets up a static mapping between an external IP
# address and an internal one.
#
# USAGE: static_nat <internal ip> <external ip>
#
function static_nat() {
    # Inbound: rewrite the destination of packets sent to the external IP
    iptables -t nat -A PREROUTING -d "${2}" -j DNAT --to "${1}"
    # Outbound: rewrite the source of packets leaving the internal IP
    iptables -t nat -A POSTROUTING -s "${1}" -j SNAT --to "${2}"
}

can make your iptables script a lot cleaner, and it conveys your intent
better when the rule is created:

# Danny likes to torrent "linux isos" at work so he needs a public ip
static_nat 192.168.1.x 1.2.3.x

I'm not saying you can't do all of this with iptables-restore, just that
you're punishing yourself for little benefit if you do.
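To show the middle ground the thread is arguing about, here is an added example (not from either poster, and not firewall-mv's firewall-scripted.sh): bash functions in the style of static_nat that emit iptables-restore format instead of calling iptables per rule, plus a check that the generated file is well-formed before it is loaded. The helper names and all addresses are constructed for the example.

```bash
#!/bin/bash
# Added example: build an iptables-restore ruleset from bash functions so the
# whole table is loaded atomically with "iptables-restore < rules.txt" while
# keeping functions and comments for readability. Addresses are constructed.

# Print one restore-format line from its arguments.
rule() { printf '%s\n' "$*"; }

# Restore-format counterpart of the post's static_nat function.
# USAGE: static_nat_rules <internal ip> <external ip>
static_nat_rules() {
    rule -A PREROUTING -d "$2" -j DNAT --to "$1"
    rule -A POSTROUTING -s "$1" -j SNAT --to "$2"
}

# Emit a complete nat table: header, chain policies, rules, COMMIT.
# iptables-restore ignores lines beginning with '#', so the intent
# comments survive in the generated file.
build_nat_table() {
    rule '*nat'
    rule ':PREROUTING ACCEPT [0:0]'
    rule ':INPUT ACCEPT [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    rule ':POSTROUTING ACCEPT [0:0]'
    rule '# Danny needs a public ip (constructed addresses)'
    static_nat_rules 192.168.1.10 203.0.113.10
    rule 'COMMIT'
}

# Sanity-check a ruleset read from stdin before handing it to
# iptables-restore: every non-comment line must be a table header, a
# chain line, an append rule or COMMIT, and the last significant line
# must be COMMIT. Returns 0 when well-formed, 1 otherwise.
check_ruleset() {
    last=''
    while IFS= read -r line; do
        case "$line" in
            '#'*|'') ;;
            '*'*|':'*|'-A '*|COMMIT) last=$line ;;
            *) return 1 ;;
        esac
    done
    [ "$last" = COMMIT ]
}
```

Write the output to a file and load it with `iptables-restore < rules.txt`; `iptables-restore --test` parses the file without committing it, which is a cheap extra check on top of check_ruleset.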