From: "Bo Jacobsen" <subs@systemhouse.dk>
To: netfilter@lists.netfilter.org
Subject: Fw: iptables-save/restore question
Date: Tue, 17 Sep 2002 12:09:50 +0200
Message-ID: <006b01c25e32$5ede5500$6307a8c0@net>
Hi, I have tried the following:
I run some iptables commands then run iptables -L -n > testfile1 to save the setup.
Then I run iptables-restore testfile1 and then run iptables-save again:
iptables -L -n > testfile2
When I run diff on the two files (testfile1, testfile2) I can see that they are NOT the same.
In the following is an example of what diff finds different:
104,105c104,105
< ACCEPT tcp -- 192.168.7.0/24 0.0.0.0/0 state NEW,ESTABLISHED tcp spts:1024:65535 dpt:53
< ACCEPT tcp -- 0.0.0.0/0 192.168.7.0/24 state ESTABLISHED tcp spt:53 dpts:1024:65535
---
> ACCEPT tcp -- 192.168.7.0/24 0.0.0.0/0 tcp spts:1024:65535 dpt:53 state NEW,ESTABLISHED
> ACCEPT tcp -- 0.0.0.0/0 192.168.7.0/24 tcp spt:53 dpts:1024:65535 state ESTABLISHED
The first two lines are after running the iptables commands directly.
The result of the two command semantics is of course the same, but why is this happening?
The reason we want to make this test is that we need to be sure that the rules generated directly by
the iptables commands are EXACTLY the same as what the iptables-save/restore command pair does.
One thing is to test that the iptables commands work, another is to blindly trust that our 300 iptables rules
are correctly saved and restored by iptables-save/restore (a firewall with 4 different local LANs).
If there is another way of confirming iptables-save/restore results, I would appreciate some info.
Thanks in advance
Bo Jacobsen
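One way to run the comparison the question asks for, as an added example that is not part of the original thread: in `iptables -L -n` output the five leading columns are positional, but the match clauses that follow them (`state ...`, `tcp spts:... dpt:...`) are a rendering whose order carries no meaning, so a textual diff has to normalize those clauses before it can say whether the rule sets differ. The parser below assumes the column layout shown in the message and an assumed set of match keywords; the sample listings are constructed from the two rule pairs in the diff above.

```python
# Constructed sample input: the two rule pairs quoted in the message, wrapped
# in a minimal `iptables -L -n` chain header so the parser sees realistic input.
BEFORE = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT tcp -- 192.168.7.0/24 0.0.0.0/0 state NEW,ESTABLISHED tcp spts:1024:65535 dpt:53
ACCEPT tcp -- 0.0.0.0/0 192.168.7.0/24 state ESTABLISHED tcp spt:53 dpts:1024:65535
"""
AFTER = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT tcp -- 192.168.7.0/24 0.0.0.0/0 tcp spts:1024:65535 dpt:53 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 192.168.7.0/24 tcp spt:53 dpts:1024:65535 state ESTABLISHED
"""

# Assumed set of keywords that open a match clause; extend it for your rule set.
MATCH_KEYWORDS = {"state", "ctstate", "tcp", "udp", "icmp", "limit",
                  "multiport", "mac", "owner"}

def normalize_rule(chain, line):
    """Map one rule line to (chain, target, prot, opt, src, dst, clauses); the
    trailing match clauses carry no order, so they are stored as a frozenset."""
    fields = line.split()
    head = (chain,) + tuple(fields[:5])
    clauses, current = [], []
    for tok in fields[5:]:
        if tok in MATCH_KEYWORDS and current:   # a new clause starts here
            clauses.append(" ".join(current))
            current = []
        current.append(tok)
    if current:
        clauses.append(" ".join(current))
    return head + (frozenset(clauses),)

def normalize_listing(text):
    """Normalize a whole `iptables -L -n` listing. Rule order within a chain is
    kept: first match wins, so the order is part of the policy being compared."""
    rules, chain = [], None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
        elif line.strip() and not line.startswith("target ") and chain:
            rules.append(normalize_rule(chain, line))
    return rules

def listings_equivalent(before, after):
    """True when both listings express the same rules, ignoring clause order."""
    return normalize_listing(before) == normalize_listing(after)
```

Feed it the two saved listings instead of the constructed samples; a `False` result then points at a real difference in the rules rather than at cosmetic reordering.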