| 1 |
On 03/10/2013 20:27, Grant Edwards wrote: |
| 2 |
> Let's say you wanted to configure routing of TCP packets based on destination |
| 3 |
> port like in this example: |
| 4 |
> |
| 5 |
> http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.netfilter.html |
| 6 |
> |
| 7 |
> [which contains a series of 'ip' and 'iptables' commands to get packets |
| 8 |
> destined for port 25 to use a specific gateway.] |
| 9 |
> |
| 10 |
> How do do this the "right" way on a Gentoo system? |
| 11 |
> |
| 12 |
> Based on reading http://www.gentoo.org/doc/en/home-router-howto.xml, I think |
| 13 |
> I've figured out how to do the iptables part: you enter the 'iptables' |
| 14 |
> commands by hand to get the iptables set up the way you want, then you do |
| 15 |
> this: |
| 16 |
> |
| 17 |
> # /etc/init.d/iptables save |
| 18 |
> # rc-update add iptables default |
| 19 |
|
| 20 |
The iptables runscript is ideal for persisting the rules. However, |
| 21 |
during the initial construction of a non-trivial ruleset, I prefer to |
| 22 |
write a script that adds the rules. An elegant way of doing this is to |
| 23 |
use iptables-restore with a heredoc. The method - and its advantages - |
| 24 |
are described in this document (section 3): |
| 25 |
|
| 26 |
http://inai.de/documents/Perfect_Ruleset.pdf |
| 27 |
|
| 28 |
> What about the 'ip' commands required to set up the tables, routes, and |
| 29 |
> rules? Do those go in a startup script somewhere? Does one just edit |
| 30 |
> /etc/iproute2/rt_tables by hand? One would assume route configuration belongs |
| 31 |
|
| 32 |
I would use the files under /etc/iproute2 for their intended purpose and |
| 33 |
a postup() hook in conf.d/net for anything else. When the postup() |
| 34 |
function is entered, the IFACE variable is automatically set to the name |
| 35 |
of the interface that triggered the event. Anything that is valid bash |
| 36 |
can go there. |
| 37 |
|
| 38 |
> in /etc/conf.d/net -- I've read through the advanced networking stuff in the |
| 39 |
> handbook, but it's not apparent to me where those 'ip' command belong. |
Archives