From: Victor Julien <victor@nk.nl>
To: Netfilter Developers List <netfilter-devel@lists.netfilter.org>
Subject: Re: Creating rules without the /sbin/iptables command?
Date: Thu, 18 Mar 2004 13:52:13 +0100
Message-ID: <40599B7D.8020804@nk.nl>
In-Reply-To: <1079609346.2009.9.camel@localhost>

John A. Sullivan III wrote:

<snip>

>>
>>Okay, let's see if I understand what you mean. Say I have an initial 
>>ruleset which looks like this, loaded with 'iptables-restore':
>>
>>*filter
>>:FORWARD DROP
>>-A FORWARD -p tcp -s 192.168.0.1 --dport 80 -j ACCEPT
>>-A FORWARD -p tcp -s 192.168.0.2 --dport 80 -j ACCEPT
>>-A FORWARD -p tcp -s 192.168.0.3 --dport 80 -j ACCEPT
>>COMMIT
>>
>>and some time later I want to replace 192.168.0.2 by 192.168.0.4 (in 
>>exactly the same place):
>>
>>*filter
>>:FORWARD DROP
>>-D FORWARD -p tcp -s 192.168.0.2 --dport 80 -j ACCEPT
>>-I FORWARD 2 -p tcp -s 192.168.0.4 --dport 80 -j ACCEPT
>>COMMIT
>>
>>and then 'iptables-restore -n', right?
> 
> I believe that is correct although I also believe you can dispense with
> the :FORWARD DROP since you already had it in the first rule set and
> could also use 
> -R FORWARD 2 -p tcp -s 192.168.0.4 --dport 80 -j ACCEPT
> to just replace the rule although I confess to never having tried that
> in an iptables-restore file
> 
>>But the easiest way would be to recreate the initial ruleset with the 
>>updated rules:
>>
>>*filter
>>:FORWARD DROP
>>-A FORWARD -p tcp -s 192.168.0.1 --dport 80 -j ACCEPT
>>-A FORWARD -p tcp -s 192.168.0.4 --dport 80 -j ACCEPT
>>-A FORWARD -p tcp -s 192.168.0.3 --dport 80 -j ACCEPT
>>COMMIT
>>
>>and then just call iptables-restore. This way I won't have to calculate 
>>where I want to insert the rules; this can be quite complex with many 
>>changes in large rulesets. Is this correct?
> 
> Yes, although when ISCS is released (http://iscs.sourceforge.net), it
> will provide an alternative to having to track rule order (massive
> oversimplification here but it is not the topic at hand).

But how will ISCS handle this problem? Will it also create input for 
iptables-restore? Or do you have some other method?

> 
>>The last method should still be way faster than my current method, I 
>>guess. Is this right?
> 
> I have found it to be dramatically faster - John

Good!

Regards,
Victor

> 
>>Regards,
>>Victor
