[PLUG] iptables Config' File

Jason Van Cleve jason at vancleve.com
Wed Nov 19 21:38:02 UTC 2003 

Interesting solution, but wouldn't your script need to delete the old tables before adding them again?  If you took a line out of it, you'd want that rule to go away when you ran the script, yeah?

--Jason V. C.


Quoth Sasha Romanosky, on Wed, 19 Nov 2003 19:36:10 -0800:

> 
> Jason, 
> 
> fwiw, I have an /etc/iptables that is a script beginning with 
> 	#!/bin/sh 
> 	/sbin/iptables bla bla bla
> 	...
> and ending with 
> 	/etc/init.d/iptables save
> 
> So on startup, it loads the formatted config. This also seemed like an
> easy way to update/test new configs just by running the script as
> necessary. 
> 
> The formatted config file seemed weird to me - a noticable difference
> from ipchains - so this was my quick fix. It should also make for a
> maintainable a portable configuration. 
> 
> hope this helps,
> sasha
> 
> > -----Original Message-----
> > From: plug-admin at lists.pdxlinux.org 
> > [mailto:plug-admin at lists.pdxlinux.org] On Behalf Of Jason Van Cleve
> > Sent: Wednesday, November 19, 2003 1:47 PM
> > To: plug at lists.pdxlinux.org
> > Subject: [PLUG] iptables Config' File
> > 
> > 
> > Quick question on iptables, which I'm finally getting around 
> > to setting up on my laptop.  I'd like to create a more or 
> > less permanent and reusable configuration file, one I can 
> > modify for use on other machines.  I've heard of many people 
> > writing explicit scripts to configure the filter (iptables -b 
> > blah-blah; iptables -blah; . . .), but I also notice that 
> > iptables-save creates a formatted config' instead of actual 
> > iptables commands.
> > 
> > Is it wise to just use that formatted output as a portable 
> > config' file?  That is, to SCP it to another machine and load 
> > it there with iptables-restore (even just as a starting 
> > point)?  Maybe it would be better to write a script, so that 
> > I can compare it with other people's; but my distro' is set 
> > up to use iptables-restore at boot time, so maintaining a 
> > script could be awkward.
> > 
> > --Jason Van Cleve
> > 
> > _______________________________________________
> > PLUG mailing list
> > PLUG at lists.pdxlinux.org 
> > http://lists.pdxlinux.org/mailman/listinfo/plu> g
> > 
> 
> 
> 
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>

More information about the PLUG mailing list