iptables script file

iptables script file

[Deepak Seshadri]

Hello everybody,

So far I have been writing all the iptables commands in a file & ran it in a
terminal (bash filename). Then I do the "service iptables save" to save &
load the configuration during boot-up. Pretty soon the configuration file is
going to have around 800 commands & this file is modified quite often. So
for the changes to reflect in run-time I do a "bash <script-file>".
Somewhere I read that loading that many commands using "bash <script-file>"
is not recommended (Is this true?). So I started searching in Google for
other alternatives. I came across the following:

- Use rc.firewall (I don't know if its in /etc or /etc/init.d or what)
- Use /etc/firewall.conf
- Use /etc/init.d/firewall

Could someone tell me which file to use? In Fedora core 2 I found only
/etc/rc.d/init.d/iptables.
Which way would be easy to load a huge script that would be modified quite
often?

OS specs:
Fedora Core 2
Kernel 2.6.8.1
Iptables 1.2.11

Hardware:
2.8Ghz P4
1 GB RAM

Thank you,

Deepak Seshadri

Re: iptables script file

[Kenneth Porter]

--On Monday, October 25, 2004 5:26 PM -0400 Deepak Seshadri 
<dseshadri@broadbandmaritime.com> wrote:

> Which way would be easy to load a huge script that would be modified quite
> often?

iptables-restore

The save format is a little weird at first but it's not too hard to see how 
it matches your iptables commands. I now modify /etc/sysconfig/iptables 
directly. (This is the save file used on Red Hat systems to reload the 
firewall at boot time.)

If I understand things correctly, iptables-restore makes a single kernel 
call with only one lock, so it's very efficient at loading the tables into 
the kernel.

Change your script to write your rules into the save format and then invoke 
iptables-restore to load it. This is actually pretty simple, as most of 
your iptables commands will be replaced with "echo ${RULEBODY} > 
${SAVEFILE}" (where RULEBODY is the parameters to your old iptables 
command).

RE: iptables script file

[Deepak Seshadri]

Hello everybody,

Kenneth: Thank you very much for the reply. I'll look into this option.

Does anybody have any other suggestion? How does everyone load their
rule-set?

My original mail:
"So far I have been writing all the iptables commands in a file & ran it in
a terminal (bash filename). Then I do the "service iptables save" to save &
load the configuration during boot-up. Pretty soon the configuration file is
going to have around 800 commands & this file is modified quite often. So
for the changes to reflect in run-time I do a "bash <script-file>".
Somewhere I read that loading that many commands using "bash <script-file>"
is not recommended (Is this true?). So I started searching in Google for
other alternatives. I came across the following:

- Use rc.firewall (I don't know if its in /etc or /etc/init.d or what)
- Use /etc/firewall.conf
- Use /etc/init.d/firewall

Could someone tell me which file to use? In Fedora core 2 I found only
/etc/rc.d/init.d/iptables.
Which way would be easy to load a huge script that would be modified quite
often?

OS specs:
Fedora Core 2
Kernel 2.6.8.1
Iptables 1.2.11"

Any help will be greatly appreciated.
Thank you,

Deepak Seshadri

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
> bounces@lists.netfilter.org] On Behalf Of Kenneth Porter
> Sent: Monday, October 25, 2004 5:29 PM
> To: 'Netfilter Group'
> Subject: Re: iptables script file
> 
> > Which way would be easy to load a huge script that would be modified
> quite
> > often?
> 
> iptables-restore
> 
> The save format is a little weird at first but it's not too hard to see
> how
> it matches your iptables commands. I now modify /etc/sysconfig/iptables
> directly. (This is the save file used on Red Hat systems to reload the
> firewall at boot time.)
> 
> If I understand things correctly, iptables-restore makes a single kernel
> call with only one lock, so it's very efficient at loading the tables into
> the kernel.
> 
> Change your script to write your rules into the save format and then
> invoke
> iptables-restore to load it. This is actually pretty simple, as most of
> your iptables commands will be replaced with "echo ${RULEBODY} >
> ${SAVEFILE}" (where RULEBODY is the parameters to your old iptables
> command).
> 
> 

Re: iptables script file

[Jason Opperisano]

On Thu, Oct 28, 2004 at 09:56:36AM -0400, Deepak Seshadri wrote:
> Hello everybody,
> 
> Kenneth: Thank you very much for the reply. I'll look into this option.
> 
> Does anybody have any other suggestion? How does everyone load their
> rule-set?

here's the state-of-the-union:

loading rules from a script that issues "iptables -A ..." commands over
& over again is not "efficient."  whether this inefficiency is a problem
or not depends on the number of rules being loaded.  the firewall i'm
testing with uses an actual ruleset of ~100 rules and takes less than 5
seconds to load:

  time ./fw start

  real    0m4.632s
  user    0m0.300s
  sys     0m4.310s

here's an example using a script that loads 1024 rules of the form:

  iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW \
    -s 10.x.y.1/24 -j ACCEPT

  (where x and y are incremented via a for loop)

  # time ./addrules

  real    0m20.855s
  user    0m0.410s
  sys     0m20.440s

now, let's do an "iptables-save" on those loaded rules, and see how long
an "iptables-restore" takes:

  # time iptables-restore 1000rules.save

  real    0m1.253s
  user    0m0.080s
  sys     0m1.130s

all these tests are performed on the same machine:

Linux vmg2 2.4.26-gentoo-r9 #2 Fri Sep 3 07:13:35 EDT 2004 i686 Intel(R)
Pentium(R) M processor 1.70GHz GenuineIntel GNU/Linux

192 MB RAM

so, the upshot is this--if your ruleset is sufficiently large to make
the inefficiency of scripted "iptables" commands a problem--you'll need
to use "iptables-restore" to load your rules.  once you get the hang of
it, it really isn't that hard to just edit the "iptables-restore" file
format (even though this isn't "recommended").

hope this helps...

-j

-- 
Jason Opperisano <opie@817west.com>

Re: iptables script file

[Jose Maria Lopez]

El jue, 28 de 10 de 2004 a las 17:05, Jason Opperisano escribió:
> so, the upshot is this--if your ruleset is sufficiently large to make
> the inefficiency of scripted "iptables" commands a problem--you'll need
> to use "iptables-restore" to load your rules.  once you get the hang of
> it, it really isn't that hard to just edit the "iptables-restore" file
> format (even though this isn't "recommended").

Don't know why everybody talks about the problem of editing the
iptables-save file. You don't need to do it. You just save the script
that generates the iptables-save rules and you edit it when you need
it, then you generate the rules and do a new iptables-save. No problem
here.

-- 
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"

RE: iptables script file

[Deepak Seshadri]

Those who replied to my post, thank you very much. I guess the unanimous
answer is to edit the /etc/sysconfig/iptables file. I'll start modifying my
script to suit the format in this file.

Regards,

Deepak Seshadri

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
> bounces@lists.netfilter.org] On Behalf Of Jason Opperisano
> Sent: Thursday, October 28, 2004 11:06 AM
> To: netfilter@lists.netfilter.org
> Subject: Re: iptables script file
> 
> On Thu, Oct 28, 2004 at 09:56:36AM -0400, Deepak Seshadri wrote:
> > Hello everybody,
> >
> > Kenneth: Thank you very much for the reply. I'll look into this option.
> >
> > Does anybody have any other suggestion? How does everyone load their
> > rule-set?
> 
> here's the state-of-the-union:
> 
> loading rules from a script that issues "iptables -A ..." commands over
> & over again is not "efficient."  whether this inefficiency is a problem
> or not depends on the number of rules being loaded.  the firewall i'm
> testing with uses an actual ruleset of ~100 rules and takes less than 5
> seconds to load:
> 
>   time ./fw start
> 
>   real    0m4.632s
>   user    0m0.300s
>   sys     0m4.310s
> 
> here's an example using a script that loads 1024 rules of the form:
> 
>   iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW \
>     -s 10.x.y.1/24 -j ACCEPT
> 
>   (where x and y are incremented via a for loop)
> 
>   # time ./addrules
> 
>   real    0m20.855s
>   user    0m0.410s
>   sys     0m20.440s
> 
> now, let's do an "iptables-save" on those loaded rules, and see how long
> an "iptables-restore" takes:
> 
>   # time iptables-restore 1000rules.save
> 
>   real    0m1.253s
>   user    0m0.080s
>   sys     0m1.130s
> 
> all these tests are performed on the same machine:
> 
> Linux vmg2 2.4.26-gentoo-r9 #2 Fri Sep 3 07:13:35 EDT 2004 i686 Intel(R)
> Pentium(R) M processor 1.70GHz GenuineIntel GNU/Linux
> 
> 192 MB RAM
> 
> so, the upshot is this--if your ruleset is sufficiently large to make
> the inefficiency of scripted "iptables" commands a problem--you'll need
> to use "iptables-restore" to load your rules.  once you get the hang of
> it, it really isn't that hard to just edit the "iptables-restore" file
> format (even though this isn't "recommended").
> 
> hope this helps...
> 
> -j
> 
> --
> Jason Opperisano <opie@817west.com>

Re: iptables script file

[Michael Gale]

Hello,

	I am not to worried about speed as so much the administrative headache. 
You should try breaking your rules up, for example I have done the 
following:

rc.firewall
  - loads standard / global options (ip_forward, sets up user chains,..)
  - executes all other files.


We have a number of MAT addresses on our firewall - so each interface 
has it's own file and each MAT address has it's own file as well.

Also each MAT address and interface have it's own user defined chain. 
 From my perspective this provides the best efficient for the firewall 
because a packet gets passed to only 1 or 2 user chains and is only 
compared with rules that need to be applied.

Also if some one is making changes to a MAT address and they accidently 
break something, when they execute the file for updates to take affect 
they are only affecting that user defined chain (unless they really 
don't following the instructions). So the odds of affecting other 
network traffic go down.

Michael.



Deepak Seshadri wrote:
> Hello everybody,
> 
> Kenneth: Thank you very much for the reply. I'll look into this option.
> 
> Does anybody have any other suggestion? How does everyone load their
> rule-set?
> 
> My original mail:
> "So far I have been writing all the iptables commands in a file & ran it in
> a terminal (bash filename). Then I do the "service iptables save" to save &
> load the configuration during boot-up. Pretty soon the configuration file is
> going to have around 800 commands & this file is modified quite often. So
> for the changes to reflect in run-time I do a "bash <script-file>".
> Somewhere I read that loading that many commands using "bash <script-file>"
> is not recommended (Is this true?). So I started searching in Google for
> other alternatives. I came across the following:
> 
> - Use rc.firewall (I don't know if its in /etc or /etc/init.d or what)
> - Use /etc/firewall.conf
> - Use /etc/init.d/firewall
> 
> Could someone tell me which file to use? In Fedora core 2 I found only
> /etc/rc.d/init.d/iptables.
> Which way would be easy to load a huge script that would be modified quite
> often?
> 
> OS specs:
> Fedora Core 2
> Kernel 2.6.8.1
> Iptables 1.2.11"
> 
> Any help will be greatly appreciated.
> Thank you,
> 
> Deepak Seshadri
> 
> 
>>-----Original Message-----
>>From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
>>bounces@lists.netfilter.org] On Behalf Of Kenneth Porter
>>Sent: Monday, October 25, 2004 5:29 PM
>>To: 'Netfilter Group'
>>Subject: Re: iptables script file
>>
>>
>>>Which way would be easy to load a huge script that would be modified
>>
>>quite
>>
>>>often?
>>
>>iptables-restore
>>
>>The save format is a little weird at first but it's not too hard to see
>>how
>>it matches your iptables commands. I now modify /etc/sysconfig/iptables
>>directly. (This is the save file used on Red Hat systems to reload the
>>firewall at boot time.)
>>
>>If I understand things correctly, iptables-restore makes a single kernel
>>call with only one lock, so it's very efficient at loading the tables into
>>the kernel.
>>
>>Change your script to write your rules into the save format and then
>>invoke
>>iptables-restore to load it. This is actually pretty simple, as most of
>>your iptables commands will be replaced with "echo ${RULEBODY} >
>>${SAVEFILE}" (where RULEBODY is the parameters to your old iptables
>>command).
>>
>>
> 
> 
> 
> 
> 
> 
> 
> 

-- 
Michael Gale
Lan Administrator
Utilitran Corp.

The best part is when the people who know the least are the ones ranting 
and raving.

RE: iptables script file

[Gary Smith]

I love and have iptables-save.  We have a bunch of rules governing our LAN to DMZ, DMZ to INET and LAN to INET.  For simplicity we also have comments referring to what each rule is for.  We have certain one of exceptions and a mess of complicated ptp holes.

Iptables-save and restores failure is that it doesn't retain the additional comment information that we insert.  Though it's trivial it would be nice.

Gary Wayne Smith

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Jose Maria Lopez
Sent: Saturday, October 30, 2004 2:00 PM
To: netfilter@lists.netfilter.org
Subject: Re: iptables script file

El jue, 28 de 10 de 2004 a las 17:05, Jason Opperisano escribió:
> so, the upshot is this--if your ruleset is sufficiently large to make
> the inefficiency of scripted "iptables" commands a problem--you'll need
> to use "iptables-restore" to load your rules.  once you get the hang of
> it, it really isn't that hard to just edit the "iptables-restore" file
> format (even though this isn't "recommended").

Don't know why everybody talks about the problem of editing the
iptables-save file. You don't need to do it. You just save the script
that generates the iptables-save rules and you edit it when you need
it, then you generate the rules and do a new iptables-save. No problem
here.

-- 
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"