From: Ed W <lists@wildgooses.com>
To: Pandu Poluan <pandu@poluan.info>
Cc: Andrew Beverley <andy@andybev.com>, netfilter@vger.kernel.org
Subject: Re: [SOLVED] Routing locally generated traffic on fwmark
Date: Sun, 02 Oct 2011 14:11:50 +0100
Message-ID: <4E886316.9030502@wildgooses.com>
In-Reply-To: <CAA2qdGXAVVu5FwxGDmEztWTNq5=9q+oauo09nx2nH7nQyj3riw@mail.gmail.com>

On 29/09/2011 09:29, Pandu Poluan wrote:
> That's why I now no longer write iptables commands directly on the
> shell. I keep my firewall rules in a file /etc/opt/firewall, and if I
> need to add new rules, I just do: `vi /etc/opt/firewall &&
> iptables-restore < /etc/opt/firewall`
>
> (Of course, to seed the file I'd do `iptables-save > /etc/opt/firewall` )
>
> This has the added benefit of allowing me to document all firewall
> changes by doing `hg commit` followed by `hg push` to a local
> Mercurial repository.
>
> (The reason why I put the rules in /etc/opt instead of /etc is so that
> I don't have to create an .hgignore file)
>

Can I also leave a plug for shorewall, for similar reasons? It is a
fairly thin wrapper over iptables (etc.), but it allows you to think at a
slightly higher level and wraps things such as setting/restoring fwmarks
and routing, breaking them out from the general access rules.

I find it picks a very nice level between firewall GUIs and raw editing
of iptables commands. Give it a try.

Also, it's text-file based, so it's very easy to track via some source
code control system.

Cheers

Ed W
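
The edit-then-restore workflow quoted above, as an added example that is not code from either poster. The file location /etc/opt/firewall is taken from the message; everything else (the pure-awk structural check so the file can be linted without root or iptables installed, the `iptables-restore --test` dry run, the rollback snapshot, and the IPTABLES_RESTORE/IPTABLES_SAVE/HG environment overrides used to stub the tools) is this example's own assumption. The security point it adds to the post: iptables-restore replaces each table in one operation, whereas a half-finished sequence of hand-typed iptables commands can leave the host with a partially applied policy, and committing to Mercurial only after the kernel has accepted the ruleset keeps the repository history equal to what has actually been running.

```shell
#!/bin/sh
# Added example (not from the thread): keep the ruleset in a file, validate it,
# apply it with iptables-restore, and commit only what is actually running.
# The path below comes from the post; the checks, rollback and the env
# overrides are assumptions made for this example.

RULES_FILE="${RULES_FILE:-/etc/opt/firewall}"       # location used in the post
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"      # overridable so tests can stub
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"
HG="${HG:-hg}"

# Structural check of an iptables-save format file, in awk only, so it runs
# without root and without iptables present. Rejects rule or policy lines
# outside a *table ... COMMIT block, a table opened twice or never committed,
# a COMMIT with no open table, and unrecognised lines. Returns 0 if well formed.
check_ruleset_file() {
    awk '
        BEGIN { bad = 0; table = "" }
        /^#/ || /^[ \t]*$/ { next }                       # comments and blank lines
        /^\*/ {
            if (table != "") { print "line " NR ": " $0 " opened while " table " still open"; bad = 1 }
            if (seen[$0]++)   { print "line " NR ": table " $0 " defined twice"; bad = 1 }
            table = $0; next
        }
        /^COMMIT/ {
            if (table == "") { print "line " NR ": COMMIT without an open table"; bad = 1 }
            table = ""; next
        }
        /^:/ || /^-/ {                                     # chain policy or rule line
            if (table == "") { print "line " NR ": rule outside any table: " $0; bad = 1 }
            next
        }
        { print "line " NR ": unrecognised line: " $0; bad = 1 }
        END {
            if (table != "") { print "EOF: table " table " never committed"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# Apply a candidate ruleset:
#   1. structural check, then iptables-restore --test, which parses and builds
#      the full ruleset without committing it, so a typo is caught up front;
#   2. snapshot the running ruleset so it can be put back if the real restore fails;
#   3. commit and push the file only after the kernel accepted it.
apply_ruleset() {
    file="${1:-$RULES_FILE}"
    backup="${TMPDIR:-/tmp}/iptables-rollback.$$"

    check_ruleset_file "$file" || { echo "refusing: $file is malformed" >&2; return 1; }
    "$IPTABLES_RESTORE" --test < "$file" || { echo "refusing: iptables-restore --test failed" >&2; return 1; }
    "$IPTABLES_SAVE" > "$backup" || { echo "cannot snapshot running ruleset" >&2; return 1; }

    if ! "$IPTABLES_RESTORE" < "$file"; then
        echo "restore failed, rolling back to previous ruleset" >&2
        "$IPTABLES_RESTORE" < "$backup"
        rm -f "$backup"
        return 1
    fi
    rm -f "$backup"

    # hg commit exits non-zero when nothing changed; only push after a real commit
    if "$HG" commit -m "firewall: apply $(date -u +%Y-%m-%dT%H:%MZ)" "$file"; then
        "$HG" push
    fi
    return 0
}

# Constructed sample in iptables-save format (not taken from the thread), the
# kind of content iptables-save > /etc/opt/firewall would produce.
demo_rules="${TMPDIR:-/tmp}/firewall-demo.$$"
cat > "$demo_rules" <<'EOF'
# Generated by this example, iptables-save format
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp --dport 25 -j MARK --set-mark 0x1
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
# Completed
EOF
check_ruleset_file "$demo_rules" && echo "demo ruleset is well formed"
rm -f "$demo_rules"
```

Usage on a real host would be `apply_ruleset /etc/opt/firewall` as root after editing the file; the structural check deliberately knows nothing about match or target syntax, that is what the `--test` pass is for, and it exists only so a broken file is rejected before anything touches the kernel.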

Thread overview: 10+ messages
2011-09-28 22:20 Routing locally generated traffic on fwmark Andrew Beverley
2011-09-29  6:51 ` Andrew Beverley
2011-09-29  7:32   ` Pandu Poluan
2011-09-29  7:53     ` [SOLVED] " Andrew Beverley
2011-09-29  8:29       ` Pandu Poluan
2011-10-02 13:11         ` Ed W [this message]
2011-09-29 10:28   ` Jan Engelhardt
2011-09-29 17:28     ` Andrew Beverley
2011-09-29 17:35       ` Jan Engelhardt
2011-09-29 17:46         ` Andrew Beverley