| 1 |
On 2013-10-03, Kerin Millar <kerframil@×××××××××××.uk> wrote: |
| 2 |
> On 03/10/2013 20:27, Grant Edwards wrote: |
| 3 |
> |
| 4 |
>> Let's say you wanted to configure routing of TCP packets based on |
| 5 |
>> destination port like in this example: |
| 6 |
>> |
| 7 |
>> http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.netfilter.html |
| 8 |
>> |
| 9 |
>> [which contains a series of 'ip' and 'iptables' commands to get packets |
| 10 |
>> destined for port 25 to use a specific gateway.] |
| 11 |
>> |
| 12 |
>> How do do this the "right" way on a Gentoo system? |
| 13 |
|
| 14 |
[Where to put iptables and ip routing config/commands] |
| 15 |
|
| 16 |
> The iptables runscript is ideal for persisting the rules. However, |
| 17 |
> during the initial construction of a non-trivial ruleset, I prefer to |
| 18 |
> write a script that adds the rules. An elegant way of doing this is to |
| 19 |
> use iptables-restore with a heredoc. The method - and its advantages - |
| 20 |
> are described in this document (section 3): |
| 21 |
> |
| 22 |
> http://inai.de/documents/Perfect_Ruleset.pdf |
| 23 |
|
| 24 |
Excellent reference. |
| 25 |
|
| 26 |
>> What about the 'ip' commands required to set up the tables, routes, |
| 27 |
>> and rules? Do those go in a startup script somewhere? Does one just |
| 28 |
>> edit /etc/iproute2/rt_tables by hand? One would assume route |
| 29 |
>> configuration belongs |
| 30 |
> |
| 31 |
> I would use the files under /etc/iproute2 for their intended purpose |
| 32 |
> and a postup() hook in conf.d/net for anything else. When the |
| 33 |
> postup() function is entered, the IFACE variable is automatically set |
| 34 |
> to the name of the interface that triggered the event. Anything that |
| 35 |
> is valid bash can go there. |
| 36 |
|
| 37 |
Cool. That's the main piece I hadn't figured out yet. Thanks! |
| 38 |
|
| 39 |
-- |
| 40 |
Grant Edwards grant.b.edwards Yow! Now KEN and BARBIE |
| 41 |
at are PERMANENTLY ADDICTED to |
| 42 |
gmail.com MIND-ALTERING DRUGS ... |
Archives