* Saving IPTable rules..oops
@ 2004-12-29 18:03 Jason Williams
2004-12-29 18:23 ` Deepak Seshadri
` (2 more replies)
0 siblings, 3 replies; 15+ messages in thread
From: Jason Williams @ 2004-12-29 18:03 UTC (permalink / raw)
To: netfilter
Morning.
Well, spent a better part of the night playing with IPTables. Tried out
some rules, tweaked this, broke that. Was a lot of fun.
Anyway, as I am getting ready to make one of my servers go live, I realized
something that I completely overlooked. Very important thing I might add.
Basically, once you put all your rules into IPTables via the command line,
how do you save your rules? I saw a command, iptables-save, but that just
outputs the rules in a readable format.
I started thinking and came up with the following:
1) Does iptables read the init script in /etc/init.d/ upon bootup of a
server/box and use those rules for the system?
or
2) Does it read a plain text file somewhere and use those rules instead?
Wasn't quite sure, and since I'm going on 22 hours without sleep, I'm positive
I missed it somewhere.
With that in mind, was hoping someone could fill in the details.
If it is the case that the system reads the iptables init script upon
bootup/restart, that means I need to work on my scripting. :)
Anyways, hoping for a little clarity here.
Cheers,
Jason
^ permalink raw reply [flat|nested] 15+ messages in thread

* Re: Saving IPTable rules..oops
From: Deepak Seshadri @ 2004-12-29 18:23 UTC (permalink / raw)
To: netfilter, Jason Williams

> Morning.

Afternoon.

> Well, spent a better part of the night playing with IPTables. Tried out
> some rules, tweaked this, broke that. Was a lot of fun.
>
> Anyway, as I am getting ready to make one of my servers go live, I
> realized something that I completely overlooked. Very important thing I
> might add.
>
> Basically, once you put all your rules into IPTables via the command line,
> how do you save your rules? I saw a command, iptables-save, but that just
> outputs the rules in a readable format.
>
> I started thinking and came up with the following:
>
> 1) Does iptables read the init script in /etc/init.d/ upon bootup of a
> server/box and use those rules for the system?

YES.

> or
>
> 2) Does it read a plain text file somewhere and use those rules instead?

YES. /etc/sysconfig/iptables

> Wasn't quite sure, and since I'm going on 22 hours without sleep, I'm
> positive I missed it somewhere.
>
> With that in mind, was hoping someone could fill in the details.
>
> If it is the case that the system reads the iptables init script upon
> bootup/restart, that means I need to work on my scripting. :)
>
> Anyways, hoping for a little clarity here.
>
> Cheers,
>
> Jason

You can do a couple of things:

- After you enter your commands from a shell, you can do a *service iptables save*. All the commands that you had entered will be stored in the *iptables* file in /etc/sysconfig. By the way, this is the file the system reads while booting up to load the firewall configuration.
- You can directly edit this file to add new commands (though it is not recommended, but I still do it 'coz it makes life easier) and then run *iptables-restore* to load the new configuration.

Hope this helps.

Deepak Seshadri
* Re: Saving IPTable rules..oops
From: Jason Williams @ 2004-12-30 20:39 UTC (permalink / raw)
To: netfilter

At 10:23 AM 12/29/2004, you wrote:
> You can do a couple of things:
> - After you enter your commands from a shell, you can do a *service
> iptables save*. All the commands that you had entered will be stored in
> the *iptables* file in /etc/sysconfig. By the way, this is the file the
> system reads while booting up to load the firewall configuration.
> - You can directly edit this file to add new commands (though it is not
> recommended, but I still do it 'coz it makes life easier) and then run
> *iptables-restore* to load the new configuration.

Appreciate the help and feedback on this. Makes sense now.

One question regarding the /etc/sysconfig/iptables file. In this file, can I put my variables in there? Such as: INET_IP=212.122.131.34, INET_IFACE="eth0" and so forth?
Or does that need to go somewhere else?

> Hope this helps.
>
> Deepak Seshadri

Thanks!

Jason
* Re: Saving IPTable rules..oops
From: Deepak Seshadri @ 2004-12-30 20:52 UTC (permalink / raw)
To: Jason Williams, netfilter

From: "Jason Williams" <jwilliams@courtesymortgage.com>
To: <netfilter@lists.netfilter.org>
Sent: Thursday, December 30, 2004 3:39 PM
Subject: Re: Saving IPTable rules..oops

> At 10:23 AM 12/29/2004, you wrote:
>> You can do a couple of things:
>> - After you enter your commands from a shell, you can do a *service
>> iptables save*. All the commands that you had entered will be stored in
>> the *iptables* file in /etc/sysconfig. By the way, this is the file the
>> system reads while booting up to load the firewall configuration.
>> - You can directly edit this file to add new commands (though it is not
>> recommended, but I still do it 'coz it makes life easier) and then run
>> *iptables-restore* to load the new configuration.
>
> Appreciate the help and feedback on this. Makes sense now.
> One question regarding the /etc/sysconfig/iptables file. In this file, can
> I put my variables in there? Such as: INET_IP=212.122.131.34,
> INET_IFACE="eth0" and so forth?
> Or does that need to go somewhere else?

I don't think you can put your variables in the /etc/sysconfig/iptables file. It follows a particular pattern which is not that difficult to learn.

If you want to use variables and stuff, you gotta write your own script file and run it at bootup. I used to do it this way when my firewall rules were less than 50 lines.

Now my firewall rules are more than 500 lines, so I edit the /etc/sysconfig/iptables file directly. It is just an efficient way to load the rules through this file.

>> Hope this helps.
>>
>> Deepak Seshadri
>
> Thanks!
>
> Jason
* Re: Saving IPTable rules..oops
From: Jason Williams @ 2004-12-30 21:38 UTC (permalink / raw)
To: netfilter

At 12:52 PM 12/30/2004, you wrote:
> I don't think you can put your variables in the /etc/sysconfig/iptables file.
> It follows a particular pattern which is not that difficult to learn.
>
> If you want to use variables and stuff, you gotta write your own script
> file and run it at bootup. I used to do it this way when my firewall rules were
> less than 50 lines.
>
> Now my firewall rules are more than 500 lines, so I edit the
> /etc/sysconfig/iptables file directly. It is just an efficient way to load
> the rules through this file.

I see. So if I want to use variables, I need to edit/replace /etc/init.d/iptables then? With my own custom script?
Sounds like I need to brush up on my scripting. :)

Cheers,

Jason
* Re: Saving IPTable rules..oops
From: John A. Sullivan III @ 2004-12-30 22:09 UTC (permalink / raw)
To: Jason Williams; +Cc: Netfilter users list

On Thu, 2004-12-30 at 16:38, Jason Williams wrote:
> At 12:52 PM 12/30/2004, you wrote:
>> I don't think you can put your variables in the /etc/sysconfig/iptables file.
>> It follows a particular pattern which is not that difficult to learn.
>>
>> If you want to use variables and stuff, you gotta write your own script
>> file and run it at bootup. I used to do it this way when my firewall rules were
>> less than 50 lines.
>>
>> Now my firewall rules are more than 500 lines, so I edit the
>> /etc/sysconfig/iptables file directly. It is just an efficient way to load
>> the rules through this file.
>
> I see. So if I want to use variables, I need to edit/replace
> /etc/init.d/iptables then? With my own custom script?
> Sounds like I need to brush up on my scripting. :)
>
> Cheers,
>
> Jason

You could run a script to create the rules and then save them to the iptables file.

--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com

---
If you are interested in helping to develop a GPL enterprise class VPN/Firewall/Security device management console, please visit http://iscs.sourceforge.net
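The approach John suggests above (keep the variables in a script, have the script generate the rules, and save the result to the file the init script restores at boot) as an added example. This is not code from the thread or from any of the posters: it assumes a Red Hat-style layout where the init script feeds /etc/sysconfig/iptables to iptables-restore, and the interface name, addresses and admin network are placeholders. The point is that the variables live in the generator, while the saved file contains only the literal iptables-restore syntax that Deepak described.

```shell
#!/bin/sh
# Added example, not from the thread: generate an iptables ruleset from shell
# variables in iptables-save format, then install it as the file that the
# init script restores at boot. Layout and addresses below are assumptions.

INET_IFACE="${INET_IFACE:-eth0}"
INET_IP="${INET_IP:-192.0.2.10}"          # placeholder public address (TEST-NET-1)
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"    # placeholder network allowed to SSH in
RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"

# Print the ruleset in iptables-save syntax. The variables are expanded here,
# so the saved file holds literal values, which is all iptables-restore accepts.
# Default-deny on INPUT and FORWARD; only lo, established traffic, SSH from the
# admin network, HTTP and ping are let in, and everything else is logged.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${INET_IFACE} -d ${INET_IP} -s ${ADMIN_NET} -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i ${INET_IFACE} -d ${INET_IP} -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i ${INET_IFACE} -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# Write the generated ruleset to a temp file, parse-check it with
# iptables-restore --test where the binary exists (it parses without committing),
# then move it into place with restrictive permissions: the ruleset is a map of
# your exposed services and should not be world-readable.
install_rules() {
    tmp=$(mktemp) || return 1
    gen_rules > "$tmp"
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    chmod 0600 "$tmp"
    mv "$tmp" "$RULES_FILE"
}

# Usage: sh make-rules.sh print    (show the generated ruleset)
#        sh make-rules.sh install  (write it to $RULES_FILE, then: service iptables restart)
case "${1:-}" in
    print)   gen_rules ;;
    install) install_rules ;;
esac
```

Run it once with `print` and compare against `iptables-save` on the live box before trusting `install`; the saved file should read exactly like iptables-save output, because that is what the init script hands to iptables-restore.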
* Re: Saving IPTable rules..oops
From: John A. Sullivan III @ 2004-12-29 18:32 UTC (permalink / raw)
To: Jason Williams; +Cc: Netfilter users list

On Wed, 2004-12-29 at 13:03, Jason Williams wrote:
> Morning.
>
> Well, spent a better part of the night playing with IPTables. Tried out
> some rules, tweaked this, broke that. Was a lot of fun.
>
> Anyway, as I am getting ready to make one of my servers go live, I realized
> something that I completely overlooked. Very important thing I might add.
>
> Basically, once you put all your rules into IPTables via the command line,
> how do you save your rules? I saw a command, iptables-save, but that just
> outputs the rules in a readable format.
>
> I started thinking and came up with the following:
>
> 1) Does iptables read the init script in /etc/init.d/ upon bootup of a
> server/box and use those rules for the system?
>
> or
>
> 2) Does it read a plain text file somewhere and use those rules instead?
>
> Wasn't quite sure, and since I'm going on 22 hours without sleep, I'm positive
> I missed it somewhere.
>
> With that in mind, was hoping someone could fill in the details.
>
> If it is the case that the system reads the iptables init script upon
> bootup/restart, that means I need to work on my scripting. :)
>
> Anyways, hoping for a little clarity here.
>
> Cheers,
>
> Jason

The way I've typically seen it work is that the init.d/iptables script calls iptables-restore and passes it the /etc/sysconfig/iptables file. This file is written when you do init.d/iptables save.

If you really want to get fancy, you can save separate files in the iptables-restore syntax (not particularly well documented) and adapt the iptables script. We do this in the ISCS network security management project (http://iscs.sourceforge.net) to first boot the gateway into a "safe" mode, i.e., almost nothing but DNS, NTP and SSH allowed. We then do things like set up specialized routing, enable the VPN and then load a series of shared and local configuration files using iptables-restore -n.

Hope this makes sense after you get some sleep :-( ) (big yawn)

--
John A. Sullivan III
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevel.com
* Re: Saving IPTable rules..oops
From: R. DuFresne @ 2004-12-29 20:15 UTC (permalink / raw)
To: John A. Sullivan III; +Cc: Netfilter users list

On Wed, 29 Dec 2004, John A. Sullivan III wrote:

> On Wed, 2004-12-29 at 13:03, Jason Williams wrote:
>> Morning.
>>
>> Well, spent a better part of the night playing with IPTables. Tried out
>> some rules, tweaked this, broke that. Was a lot of fun.
>>
>> Anyway, as I am getting ready to make one of my servers go live, I realized
>> something that I completely overlooked. Very important thing I might add.
>>
>> Basically, once you put all your rules into IPTables via the command line,
>> how do you save your rules? I saw a command, iptables-save, but that just
>> outputs the rules in a readable format.
>>
>> I started thinking and came up with the following:
>>
>> 1) Does iptables read the init script in /etc/init.d/ upon bootup of a
>> server/box and use those rules for the system?
>>
>> or
>>
>> 2) Does it read a plain text file somewhere and use those rules instead?
>>
>> Wasn't quite sure, and since I'm going on 22 hours without sleep, I'm positive
>> I missed it somewhere.
>>
>> With that in mind, was hoping someone could fill in the details.
>>
>> If it is the case that the system reads the iptables init script upon
>> bootup/restart, that means I need to work on my scripting. :)
>>
>> Anyways, hoping for a little clarity here.
>>
>> Cheers,
>>
>> Jason
>
> The way I've typically seen it work is that the init.d/iptables script
> calls iptables-restore and passes it the /etc/sysconfig/iptables file.
> This file is written when you do init.d/iptables save.

Perhaps on Red Hat and Debian, and maybe SuSE systems that have moved away from the standard upon which Linux was formed, namely BSD. Those dists that retain their BSD layouts have no /etc/init.d directory; everything lies under /etc/rc.d/. They also lack the Red Hat layout of a /etc/sysconfig/ directory.

And it's a shame things are separating out in the Linux world like this, as many of the tools and toys being created either conform to the new Red Hat layouts or follow older established standards. Thus, some tools that have been coming out the past few years are only good under Red Hat or Debian or SuSE, and fail to function, if they compile at all, without being hacked prior to a make, and sometimes my skills are not enough to hack them into compiling at all under a different, more standard dist. <sigh>

Thanks,

Ron DuFresne

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

...Love is the ultimate outlaw. It just won't adhere to rules. The most any of us can do is sign on as it's accomplice. Instead of vowing to honor and obey, maybe we should swear to aid and abet. That would mean that security is out of the question. The words "make" and "stay" become inappropriate. My love for you has no strings attached. I love you for free...
-Tom Robins <Still Life With Woodpecker>
* Re: Saving IPTable rules..oops
From: Jason Opperisano @ 2004-12-29 20:29 UTC (permalink / raw)
To: netfilter

On Wed, 2004-12-29 at 15:15, R. DuFresne wrote:
> perhaps on redhat and debian, and maybe suse systems that have moved away
> from the standard upon which linux was formed, namely bsd.

linux has no roots in *BSD. linux uses the concept of run levels, whereas *BSD does not. run levels are a concept taken from System V style systems like Solaris 2.x+.

> Those dists
> that retain their bsd layouts have no /etc/init.d directory, everything
> lies under /etc/rc.d/. They also lack the red-hat layout of a
> /etc/sysconfig/ directory. And it's a shame things are separating out in
> the linux world like this as many of the tools and toys being created
> either conform to the new redhat layouts or follow older established
> standards. Thus, some tools that have been coming out the past few years
> are only good under redhat or debian or suse, and fail to function if they
> compile at all, without being hacked prior to a make, and sometimes my
> skills are not enough to hack them into compiling at all under a
> different, more standard dist. <sigh>

the linux standards base is an attempt to address your concerns:

http://www.linuxbase.org/

my guess is that the /etc/sysconfig/ concept will be part of it (if it's not already--i haven't read through the whole thing).

-j

--
"Another day, another box of stolen pens."
--The Simpsons
* Re: Saving IPTable rules..oops
From: R. DuFresne @ 2004-12-30 6:33 UTC (permalink / raw)
To: Jason Opperisano; +Cc: netfilter

On Wed, 29 Dec 2004, Jason Opperisano wrote:

> On Wed, 2004-12-29 at 15:15, R. DuFresne wrote:
>> perhaps on redhat and debian, and maybe suse systems that have moved away
>> from the standard upon which linux was formed, namely bsd.
>
> linux has no roots in *BSD. linux uses the concept of run levels,
> whereas *BSD does not. run levels are a concept taken from System V
> style systems like Solaris 2.x+.

Although if continued <this thread> it may have to go off list <moved to another list?>, be renamed, etc., it might be argued that all things Unix are BSD based, at least since Unix is often referred to as TCP/IP based, which did come out of BSD/Berkeley. Minix used a BSD based file system, as did Linux in its early days, but, I digress, and will refrain, though I find such discussions interestingly fascinating <smile>...

>> Those dists
>> that retain their bsd layouts have no /etc/init.d directory, everything
>> lies under /etc/rc.d/. They also lack the red-hat layout of a
>> /etc/sysconfig/ directory. And it's a shame things are separating out in
>> the linux world like this as many of the tools and toys being created
>> either conform to the new redhat layouts or follow older established
>> standards. Thus, some tools that have been coming out the past few years
>> are only good under redhat or debian or suse, and fail to function if they
>> compile at all, without being hacked prior to a make, and sometimes my
>> skills are not enough to hack them into compiling at all under a
>> different, more standard dist. <sigh>
>
> the linux standards base is an attempt to address your concerns:
>
> http://www.linuxbase.org/

I tapped Mr Volkerding on this back when LSB 2.0 was publicly announced. He was not keen on the whole concept. How did he put it, something on the order of it being an attempt at "getting everyone to agree that Red Hat is the standard Linux". Certification is not free; in fact it requires a lot of time, resources, work, and cash to do so. Mr Volkerding stressed the opinion that it was a fruitless endeavour that bloated the whole OS with extended libs, and something less than a sane approach to 'standardization'. I was left with the impression that Slackware will not go the LSB route, at least not in the foreseeable future.

> my guess is that the /etc/sysconfig/ concept will be part of it (if it's
> not already--i haven't read through the whole thing).

Not as of yet that I saw in the 2.1 version; /etc is not so deeply defined that I saw, but most likely Red Hat will get its way....

Thanks,

Ron DuFresne

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

...Love is the ultimate outlaw. It just won't adhere to rules. The most any of us can do is sign on as it's accomplice. Instead of vowing to honor and obey, maybe we should swear to aid and abet. That would mean that security is out of the question. The words "make" and "stay" become inappropriate. My love for you has no strings attached. I love you for free...
-Tom Robins <Still Life With Woodpecker>
* Re: Saving IPTable rules..oops
From: Les Mikesell @ 2004-12-29 20:30 UTC (permalink / raw)
To: R. DuFresne; +Cc: Netfilter users list, John A. Sullivan III

On Wed, 2004-12-29 at 14:15, R. DuFresne wrote:
>> The way I've typically seen it work is that the init.d/iptables script
>> calls iptables-restore and passes it the /etc/sysconfig/iptables file.
>> This file is written when you do init.d/iptables save.
>
> perhaps on redhat and debian, and maybe suse systems that have moved away
> from the standard upon which linux was formed, namely bsd.

Linux is a kernel and it leans more in the SysV direction. As I recall, the early versions supported termio.h, not sgtty.h, before things converged to the POSIX termios.h.

> Those dists
> that retain their bsd layouts have no /etc/init.d directory, everything
> lies under /etc/rc.d/.

Retain? Perhaps you mean 'were built separately', omitting the SysV init functionality?

> And it's a shame things are separating out in
> the linux world like this as many of the tools and toys being created
> either conform to the new redhat layouts or follow older established
> standards.

SysV and BSD styles separated before Linux was invented. It's a shame they never converged and that BSD style distributions still don't have a decent way to start and stop services.

---
Les Mikesell
les@futuresource.com
* Re: Saving IPTable rules..oops
From: John A. Sullivan III @ 2004-12-29 22:29 UTC (permalink / raw)
To: R. DuFresne; +Cc: Netfilter users list

On Wed, 2004-12-29 at 15:15, R. DuFresne wrote:
<snip>
>>> Jason
>> The way I've typically seen it work is that the init.d/iptables script
>> calls iptables-restore and passes it the /etc/sysconfig/iptables file.
>> This file is written when you do init.d/iptables save.
>
> perhaps on redhat and debian, and maybe suse systems that have moved away
> from the standard upon which linux was formed, namely bsd. Those dists
> that retain their bsd layouts have no /etc/init.d directory, everything
> lies under /etc/rc.d/. They also lack the red-hat layout of a
> /etc/sysconfig/ directory. And it's a shame things are separating out in
> the linux world like this as many of the tools and toys being created
> either conform to the new redhat layouts or follow older established
> standards. Thus, some tools that have been coming out the past few years
> are only good under redhat or debian or suse, and fail to function if they
> compile at all, without being hacked prior to a make, and sometimes my
> skills are not enough to hack them into compiling at all under a
> different, more standard dist. <sigh>
>
> Thanks,
>
> Ron DuFresne

Thanks for pointing that out, Ron. I was going to mention it but then thought it would just muddy the waters. We use both SYSV and BSD style scripts in the ISCS project. The iptables script in the rc directories can still call iptables-restore and reference an iptables file. That's what we typically do. If I recall correctly, isn't there also a step in BSD style initiations that can call SYSV style scripts? I thought I recalled seeing that on Slackware - John

--
John A. Sullivan III
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevel.com
* Re: Saving IPTable rules..oops
From: Alistair Tonner @ 2004-12-30 0:08 UTC (permalink / raw)
To: netfilter

On December 29, 2004 05:29 pm, John A. Sullivan III wrote:
> On Wed, 2004-12-29 at 15:15, R. DuFresne wrote:
> <snip>
>>>> Jason
>>> The way I've typically seen it work is that the init.d/iptables script
>>> calls iptables-restore and passes it the /etc/sysconfig/iptables file.
>>> This file is written when you do init.d/iptables save.
>>
>> perhaps on redhat and debian, and maybe suse systems that have moved away
>> from the standard upon which linux was formed, namely bsd. Those dists
>> that retain their bsd layouts have no /etc/init.d directory, everything
>> lies under /etc/rc.d/. They also lack the red-hat layout of a
>> /etc/sysconfig/ directory. And it's a shame things are separating out in
>> the linux world like this as many of the tools and toys being created
>> either conform to the new redhat layouts or follow older established
>> standards. Thus, some tools that have been coming out the past few years
>> are only good under redhat or debian or suse, and fail to function if
>> they compile at all, without being hacked prior to a make, and sometimes
>> my skills are not enough to hack them into compiling at all under a
>> different, more standard dist. <sigh>
>>
>> Thanks,
>>
>> Ron DuFresne
>
> Thanks for pointing that out, Ron. I was going to mention it but then
> thought it would just muddy the waters. We use both SYSV and BSD style
> scripts in the ISCS project. The iptables script in the rc directories
> can still call iptables-restore and reference an iptables file. That's
> what we typically do. If I recall correctly, isn't there also a step in
> BSD style initiations that can call SYSV style scripts? I thought I
> recalled seeing that on Slackware - John

And just to confuse things a tad, distros like Gentoo: /etc/init.d/iptables calls iptables-save / iptables-restore directly and uses params in /etc/conf.d/iptables to locate the file to feed into or out of iptables-save/iptables-restore.

And if you are slightly insane as I am, you've modified the save function to keep x number of copies of the file in compressed format somewhere.

What, me paranoid?

Alistair
* Re: Saving IPTable rules..oops
From: R. DuFresne @ 2004-12-30 6:45 UTC (permalink / raw)
To: John A. Sullivan III; +Cc: Netfilter users list

On Wed, 29 Dec 2004, John A. Sullivan III wrote:

> On Wed, 2004-12-29 at 15:15, R. DuFresne wrote:
> <snip>
>>>> Jason
>>> The way I've typically seen it work is that the init.d/iptables script
>>> calls iptables-restore and passes it the /etc/sysconfig/iptables file.
>>> This file is written when you do init.d/iptables save.
>>
>> perhaps on redhat and debian, and maybe suse systems that have moved away
>> from the standard upon which linux was formed, namely bsd. Those dists
>> that retain their bsd layouts have no /etc/init.d directory, everything
>> lies under /etc/rc.d/. They also lack the red-hat layout of a
>> /etc/sysconfig/ directory. And it's a shame things are separating out in
>> the linux world like this as many of the tools and toys being created
>> either conform to the new redhat layouts or follow older established
>> standards. Thus, some tools that have been coming out the past few years
>> are only good under redhat or debian or suse, and fail to function if they
>> compile at all, without being hacked prior to a make, and sometimes my
>> skills are not enough to hack them into compiling at all under a
>> different, more standard dist. <sigh>
>>
>> Thanks,
>>
>> Ron DuFresne
>
> Thanks for pointing that out, Ron. I was going to mention it but then
> thought it would just muddy the waters. We use both SYSV and BSD style
> scripts in the ISCS project. The iptables script in the rc directories
> can still call iptables-restore and reference an iptables file. That's
> what we typically do. If I recall correctly, isn't there also a step in
> BSD style initiations that can call SYSV style scripts? I thought I
> recalled seeing that on Slackware - John

Which surprised me when first seeing it in early Slackware versions, and to this date, but its description seems to clarify:

sysvinit (init, the parent of all processes)
System V style init programs by Miquel van Smoorenburg that control the booting and shutdown of your system. These support a number of system runlevels, each with a specific set of utilities spawned. For example, the normal system runlevel is 3, which starts agetty on virtual consoles tty1 - tty6. Runlevel 4 starts xdm. Runlevel 0 shuts the system down.

Seems to more support others in this thread about the basis of Linux systems <GNU?> design... Now the scripts do include a start;stop;restart functionality that was lacking in earlier versions <which one could easily add in earlier; I still run a system with a modified 3.5 version of Slackware and had to add that functionality to parts of the rc.* files I wanted the functionality for>... Still all housed under /etc/rc.d/

Thanks,

Ron DuFresne

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

...Love is the ultimate outlaw. It just won't adhere to rules. The most any of us can do is sign on as it's accomplice. Instead of vowing to honor and obey, maybe we should swear to aid and abet. That would mean that security is out of the question. The words "make" and "stay" become inappropriate. My love for you has no strings attached. I love you for free...
-Tom Robins <Still Life With Woodpecker>
* Re: Saving IPTable rules..oops
From: John A. Sullivan III @ 2004-12-29 18:35 UTC (permalink / raw)
To: Jason Williams; +Cc: Netfilter users list

On Wed, 2004-12-29 at 13:03, Jason Williams wrote:
> Morning.
>
> Well, spent a better part of the night playing with IPTables. Tried out
> some rules, tweaked this, broke that. Was a lot of fun.
>
> Anyway, as I am getting ready to make one of my servers go live, I realized
> something that I completely overlooked. Very important thing I might add.
>
> Basically, once you put all your rules into IPTables via the command line,
> how do you save your rules? I saw a command, iptables-save, but that just
> outputs the rules in a readable format.
>
> I started thinking and came up with the following:
>
> 1) Does iptables read the init script in /etc/init.d/ upon bootup of a
> server/box and use those rules for the system?
>
> or
>
> 2) Does it read a plain text file somewhere and use those rules instead?
>
> Wasn't quite sure, and since I'm going on 22 hours without sleep, I'm positive
> I missed it somewhere.
>
> With that in mind, was hoping someone could fill in the details.
>
> If it is the case that the system reads the iptables init script upon
> bootup/restart, that means I need to work on my scripting. :)
>
> Anyways, hoping for a little clarity here.
>
> Cheers,
>
> Jason

Oh, two more things. We always use iptables-restore in the ISCS project (http://iscs.sourceforge.net) rather than scripts with iptables commands because it is enormously faster. The difference is noticeable even on small rule sets, but if your rule sets start to number in the thousands, you can spend an hour trying to boot your gateway using iptables commands.

If you use multiple scripts, remember to use iptables-restore -n. Just iptables-restore will overwrite any existing rules.

Take care - John

--
John A. Sullivan III
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevel.com
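The two-stage scheme John describes (a "safe" ruleset first, then further files layered on with iptables-restore -n so the first stage is not flushed), together with Alistair's habit of keeping a few compressed copies of the saved ruleset, as an added example. This is not code from the thread, the ISCS project or Gentoo's init script: the directory layout (/etc/iptables.d with lexically ordered *.rules files, a history directory under /var/backups) and the file names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: staged loading with iptables-restore and
# iptables-restore -n, plus a save that keeps a short history of gzipped
# rulesets. Directory names below are assumptions, not any distro's defaults.

RULES_DIR="${RULES_DIR:-/etc/iptables.d}"         # assumed: 00-safe.rules, 10-routing.rules, ...
BACKUP_DIR="${BACKUP_DIR:-/var/backups/iptables}" # assumed location of the history
KEEP="${KEEP:-5}"                                 # how many gzipped copies to retain

# Stage 1: the lexically first file (the "safe" ruleset) goes in with plain
# iptables-restore, which flushes every table it contains before loading.
# Later stages are appended with -n (--noflush), so the safe rules stay in
# place while VPN, routing or site-specific rules are added on top of them.
load_staged() {
    dir="${1:-$RULES_DIR}"
    set -- "$dir"/*.rules
    [ -f "$1" ] || { echo "no *.rules files in $dir" >&2; return 1; }
    iptables-restore < "$1" || return 1
    shift
    for frag in "$@"; do
        iptables-restore -n < "$frag" || return 1
    done
}

# Dump the live ruleset to a timestamped file, compress it, and prune old copies.
# The directory is 0700: a ruleset dump tells an attacker exactly what is open.
save_with_history() {
    dir="${1:-$BACKUP_DIR}"
    mkdir -p "$dir" && chmod 0700 "$dir" || return 1
    out="$dir/iptables-$(date +%Y%m%d-%H%M%S)"
    iptables-save > "$out" || { rm -f "$out"; return 1; }
    gzip -f "$out"
    prune_copies "$dir" "$KEEP"
}

# Keep only the newest $2 *.gz files in $1. The timestamp in the name makes
# lexical glob order equal chronological order, so the oldest sort first and
# are removed first. Pure file handling, so it can be exercised without iptables.
prune_copies() {
    dir=$1; keep=$2
    set -- "$dir"/*.gz
    [ -e "$1" ] || return 0
    excess=$(( $# - keep ))
    while [ "$excess" -gt 0 ]; do
        rm -f -- "$1"
        shift
        excess=$((excess - 1))
    done
}

# Usage: sh fw-stages.sh load   (at boot, from the init script)
#        sh fw-stages.sh save   (after changing rules by hand)
case "${1:-}" in
    load) load_staged ;;
    save) save_with_history ;;
esac
```

The ordering matters: if a later fragment were loaded without -n it would flush the tables it names and silently drop the safe-mode rules, which is exactly the failure the message above warns about.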