| 1 |
On 10/13/2013 06:08 AM, Martin Vaeth wrote: |
| 2 |
>>> 5. You can't script iptables-restore! |
| 3 |
>> |
| 4 |
>> Well, actually you can script iptables-restore. |
| 5 |
> |
| 6 |
> For those who are interested: |
| 7 |
> net-firewall/firewall-mv from the mv overlay |
| 8 |
> (available over layman) now provides a separate |
| 9 |
> firewall-scripted.sh |
| 10 |
> which can be conveniently used for such scripting. |
| 11 |
> |
| 12 |
|
| 13 |
You snipped the rest of my point =) |
| 14 |
|
| 15 |
> You can write a bash script that writes an iptables-restore script to |
| 16 |
> accomplish the same thing, but how much complexity are you willing to |
| 17 |
> add for next to no benefit? |
| 18 |
|
| 19 |
If you have a million rules and you need to wipe/reload them all |
| 20 |
frequently you're probably doing something wrong to begin with. |
| 21 |
|
| 22 |
With bash, you can leverage all of the features of bash that everybody |
| 23 |
already knows. You can read files, call shell commands, pipe between |
| 24 |
them, etc. You can write bash functions to avoid repetitive commands. |
| 25 |
You can write inline comments to explain what the rules do. |
| 26 |
|
| 27 |
Something like, |
| 28 |
|
| 29 |
# A function which sets up a static mapping between an external IP |
| 30 |
# address and an internal one. |
| 31 |
# |
| 32 |
# USAGE: static_nat <internal ip> <external ip> |
| 33 |
# |
| 34 |
function static_nat() { |
| 35 |
iptables -t nat -A PREROUTING -d "${2}" -j DNAT --to "${1}" |
| 36 |
iptables -t nat -A POSTROUTING -s "${1}" -j SNAT --to "${2}" |
| 37 |
} |
| 38 |
|
| 39 |
can make your iptables script a lot cleaner, and it conveys your intent |
| 40 |
better when the rule is created: |
| 41 |
|
| 42 |
# Danny likes to torrent "linux isos" at work so he needs a public ip |
| 43 |
static_nat 192.168.1.x 1.2.3.x |
| 44 |
|
| 45 |
I'm not saying you can't do all of this with iptables-restore, just that |
| 46 |
you're punishing yourself for little benefit if you do. |
Archives