* iptables-restore help
@ 2003-09-28 6:58 ads nat
2003-09-28 7:30 ` Daniel Chemko
0 siblings, 1 reply; 5+ messages in thread
From: ads nat @ 2003-09-28 6:58 UTC (permalink / raw)
To: netfilter
Hi,
I am learning to use iptables.
I have gone through FAQ and tutorials but have two problems :
1) I can create rules, delete rules, and save rules with the "iptables-save" command, but I cannot use "iptables-restore" properly. My iptables file is at /etc/sysconfig/iptables.
I am using Redhat Linux 8.0, iptables version 1.2.6a.
Whatever rules I have saved are gone when I reboot the system. As I have understood it, after using the "iptables-restore" command it should save the rules in the /etc/sysconfig/iptables file, so that when the system reboots they will automatically be implemented.
2) I have set the rule "iptables -A INPUT -i eth0 -m state --state NEW -m limit --limit 1 -j LOG" so that I can go through the logs of NEW users trying to connect to the server. In which file are these saved?
Help appreciated.
Thanks
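Nobody in the thread answers the second question. The LOG target writes through the kernel log, so the lines end up wherever syslog routes kern.* messages (on a stock Red Hat 8 install that is /var/log/messages; dmesg shows the most recent ones). The following is an added example, not code from the thread: a small POSIX shell parser that pulls the SRC/DST/DPT/PROTO fields out of such lines and counts logged attempts per source address. The log lines are constructed for the example and the log path is an assumption.

```shell
#!/bin/sh
# Added example: parse netfilter LOG-target lines from the kernel log.
# Log path is an assumption; on Red Hat 8 kern.* usually lands in /var/log/messages.
LOG_PATH="${LOG_PATH:-/var/log/messages}"

# Constructed sample input (documentation addresses, not captured from a real host).
# The last line is an unrelated sshd message and must be ignored by the parser.
SAMPLE_LOG='Sep 28 06:58:01 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 28 06:58:02 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 28 06:58:03 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=777 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 28 06:58:04 fw sshd[1234]: Accepted password for admin from 192.0.2.10 port 40000 ssh2'

# Keep only kernel lines that carry netfilter SRC=/DST= fields (stdin -> stdout).
log_entries() {
    grep 'kernel: .*SRC='
}

# Extract one KEY=value field (e.g. SRC, DPT, PROTO) from a single LOG line on stdin.
log_field() {
    sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# Count logged attempts per source address, most active source first.
attempts_by_src() {
    log_entries | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ }
    } END { for (s in n) print n[s], s }' | sort -rn
}

# One line per logged packet: src -> dst:dport/proto
summarize() {
    log_entries | awk '{
        src = dst = dpt = proto = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
        }
        print src " -> " dst ":" dpt "/" proto
    }'
}

# Demonstration on the constructed sample; on a real host replace the printf
# with:  summarize < "$LOG_PATH"   or   attempts_by_src < "$LOG_PATH"
printf '%s\n' "$SAMPLE_LOG" | summarize
printf '%s\n' "$SAMPLE_LOG" | attempts_by_src
```

Note that the rule in the question carries "-m limit --limit 1", so at most one NEW packet per second is logged and the counts above are a lower bound on the real attempt rate, not an exact tally.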
* Re: iptables-restore help
From: Daniel Chemko @ 2003-09-28 7:30 UTC (permalink / raw)
To: ads nat; +Cc: netfilter
iptables doesn't inherently save state data. Redhat 8.0 might do
something along those lines, but if you are really trying to play with
the iptables rules, it is probably best to disable the redhat stuff and
build your own startup / shutdown scripts so that you really know what
is going on under the hood.
ads nat wrote:
> Hi,
> I am learning to use iptables.
> I have gone through FAQ and tutorials but have two problems :
>
> 1) I can create rules, delete rules, and save rules with the "iptables-save"
> command, but I cannot use "iptables-restore" properly. My iptables file
> is at /etc/sysconfig/iptables.
> I am using Redhat Linux 8.0, iptables version 1.2.6a.
>
> Whatever rules I have saved are gone when I reboot the system. As I have
> understood it, after using the "iptables-restore" command it should save
> the rules in the /etc/sysconfig/iptables file, so that when the system
> reboots they will automatically be implemented.
>
> 2) I have set the rule "iptables -A INPUT -i eth0 -m state --state NEW -m
> limit --limit 1 -j LOG" so that I can go through the logs of NEW users
> trying to connect to the server. In which file are these saved?
> Help appreciated.
>
> Thanks
>
* Re: iptables-restore help
From: ads nat @ 2003-09-28 9:18 UTC (permalink / raw)
To: Daniel Chemko; +Cc: netfilter
Please guide me how to do this otherwise.
Thanks.
Daniel Chemko <dchemko@smgtec.com> wrote:
> iptables doesn't inherently save state data. Redhat 8.0 might do something along those lines, but if you are really trying to play with the iptables rules, it is probably best to disable the redhat stuff and build your own startup / shutdown scripts so that you really know what is going on under the hood.
>
> ads nat wrote:
> > Hi,
> > I am learning to use iptables.
> > I have gone through FAQ and tutorials but have two problems :
> > 1) I can create rules, delete rules, and save rules with the "iptables-save" command, but I cannot use "iptables-restore" properly. My iptables file is at /etc/sysconfig/iptables.
> > I am using Redhat Linux 8.0, iptables version 1.2.6a.
> > Whatever rules I have saved are gone when I reboot the system. As I have understood it, after using the "iptables-restore" command it should save the rules in the /etc/sysconfig/iptables file, so that when the system reboots they will automatically be implemented.
> > 2) I have set the rule "iptables -A INPUT -i eth0 -m state --state NEW -m limit --limit 1 -j LOG" so that I can go through the logs of NEW users trying to connect to the server. In which file are these saved?
> > Help appreciated.
> > Thanks
* Re: iptables-restore help
From: ads nat @ 2003-09-28 14:20 UTC (permalink / raw)
To: ads nat, Daniel Chemko; +Cc: netfilter
I got it.
The command to save iptables rules to /etc/sysconfig/iptables for Redhat 8.0 is "/sbin/service iptables save".
Thanks
--- ads nat <adsnat@yahoo.com> wrote:
> Please guide me how to do this otherwise.
> Thanks.
>
> Daniel Chemko <dchemko@smgtec.com> wrote:
> iptables doesn't inherently save state data. Redhat
> 8.0 might do something along those lines, but if you
> are really trying to play with the iptables rules,
> it is probably best to disable the redhat stuff and
> build your own startup / shutdown scripts so that
> you really know what is going on under the hood.
>
> ads nat wrote:
> Hi,
> I am learning to use iptables.
> I have gone through FAQ and tutorials but have two
> problems :
>
> 1) I can create rules, delete rules, and save rules with
> the "iptables-save" command, but I cannot use
> "iptables-restore" properly. My iptables file is
> at /etc/sysconfig/iptables.
> I am using Redhat Linux 8.0, iptables version
> 1.2.6a.
>
> Whatever rules I have saved are gone when I reboot
> the system. As I have understood it, after using the
> "iptables-restore" command it should save the rules in
> the /etc/sysconfig/iptables file, so that when the
> system reboots they will automatically be implemented.
>
> 2) I have set the rule "iptables -A INPUT -i eth0 -m
> state --state NEW -m limit --limit 1 -j LOG" so that
> I can go through the logs of NEW users trying to connect
> to the server. In which file are these saved?
> Help appreciated.
>
> Thanks
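The two answers so far amount to "persist the dump yourself" (Daniel's hand-written start/stop scripts) or "let the distribution do it" (the "service iptables save" wrapper). Either way the moving parts are the same: iptables-save writes the live rule set to stdout, that output is redirected into a file, and iptables-restore reads the file back at boot. The following is an added example, not code from the thread or from Red Hat's init script: a minimal save/restore pair that adds the check a stock script lacks, refusing to restore a file that is empty or truncated, which is exactly what a forgotten redirect or an interrupted save leaves behind. The rules path and the iptables-save/iptables-restore binaries on the host are assumptions; only the validator runs offline.

```shell
#!/bin/sh
# Added example: save/restore wrapper with a completeness check on the dump.
# RULES_FILE defaults to where Red Hat 8 keeps the dump (assumption, override via env).
RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"

# A well-formed iptables-save dump has, for every table, a "*table" header line
# followed by a "COMMIT" line, and at least one table. An empty file (the output
# was never redirected) or a dump cut off before COMMIT (save interrupted) fails.
validate_dump() {
    awk '
        /^\*/      { if (open) bad = 1; open = 1; tables++ }
        /^COMMIT$/ { if (!open) bad = 1; open = 0 }
        END        { exit (bad || open || tables == 0) ? 1 : 0 }
    ' "$1"
}

# Save: dump to a temp file, validate, then replace the old file atomically so a
# failed save never destroys the last good rule set.
save_rules() {
    tmp="$RULES_FILE.tmp.$$"
    # -c keeps packet/byte counters in the dump; drop it if you do not want them back.
    iptables-save -c > "$tmp" || { rm -f "$tmp"; return 1; }
    if validate_dump "$tmp"; then
        chmod 600 "$tmp"            # a rule set documents your network layout
        mv "$tmp" "$RULES_FILE"
    else
        echo "save: dump in $tmp failed validation, keeping old $RULES_FILE" >&2
        rm -f "$tmp"
        return 1
    fi
}

# Restore: refuse to load anything that would leave the box with a partial rule set.
restore_rules() {
    if [ ! -s "$RULES_FILE" ]; then
        echo "restore: $RULES_FILE missing or empty" >&2
        return 1
    fi
    if ! validate_dump "$RULES_FILE"; then
        echo "restore: $RULES_FILE is not a complete iptables-save dump" >&2
        return 1
    fi
    iptables-restore -c < "$RULES_FILE"
}

# Usage from an init script:  thisfile.sh save   /   thisfile.sh restore
case "${1:-}" in
    save)    save_rules ;;
    restore) restore_rules ;;
    *)       : ;;   # no verb: define the functions only (sourced or under test)
esac
```

The validator is deliberately strict about table boundaries rather than rule syntax: iptables-restore will complain about a malformed rule line itself, but it will happily load a file that simply ends early, and the gap between "no rules" and "the rules you meant" is the failure the original poster hit after every reboot.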
* Re: iptables-restore help
From: John A. Sullivan III @ 2003-09-29 10:43 UTC (permalink / raw)
To: netfilter
Did you remember to redirect the output of iptables-restore to
/etc/sysconfig/iptables? Otherwise it just dumps it to stdout.
If you use only a small number of rules, it may be easier to rewrite
the scripts as suggested in another response and use the regular
iptables syntax. However, if you use large numbers of rules, you will
face a very serious degradation in the time it takes to load iptables.
On slow machines, I can see a noticeable difference even with only a
handful of rules. If you have an installation that involves thousands
or tens of thousands of rules, the device may become nearly unusable.
We have rewritten the scripts for our ISCS project but still use the
iptables-restore command and syntax to load our rules. There is
painfully little documentation on the iptables-restore syntax. If you
need more information about it, let me know and I'll post some of our
engineering documents about using it.
The following is an excerpt from an e-mail to our engineering team to
describe the problem. lotsarules is a script we used to generate
meaningless rules for testing the rule load times and proto-PEP is a
test hardware appliance for use with the ISCS project
(http://iscs.sourceforge.net):
My crude benchmarks show that iptables can load a small number (few
thousand) of rules very quickly but has trouble handling large numbers
of rules. It is not a linear increase. That is, large numbers of rules
not only take longer because there are more rules but the rate at which
rules can be added seems to slow in proportion to the number of existing
rules.
Here are the actual tests and results:
My laptop - PIII 750 w/256 MB RAM
ran lotsarules for 30 minutes and added 19,533 rules = 651/minute = 11/s
I thought that the problem may be all the calls to disk to run iptables
so I ran lotsarules on the RAM based Proto-PEP for 30 minutes and added
14,807 rules = 493/minute = 8/second!
That seems awfully slow so I ran some more tests on my laptop. When I
ran lotsarules for only one minute, I added 3584 rules - quite a bit
more than 651 per minute.
I then flushed those rules and ran lotsarules on my laptop for 15
minutes. I added 13789 rules = 919/minute.
I wasn't sure if the problem was running the same script constantly
from memory or the sheer number of rules. So I next ran lotsarules for
one more minute WITHOUT first flushing the existing 13789 rules. In one
minute I added only 445 more rules. It appears that the problem is the
raw number of rules.
Thus, increasing the number of rules by a factor of, say, three does
more than make the box three times slower to boot. It will have some
kind of exponential impact.
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
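The superlinear slowdown John measures is a property of how the iptables command works: every invocation fetches the whole table from the kernel, adds one rule, and writes the whole table back, so the cost of each additional rule grows with the rules already present, while iptables-restore builds the table in user space and replaces it in a single operation per table. Since John notes that the restore syntax is barely documented, the following added example (not the ISCS team's lotsarules script) generates N synthetic rules in exactly that syntax, so the same rule set can be loaded both ways and timed. The chain name, addresses and ports are constructed; the rules go into a user-defined chain that nothing jumps to, so loading them changes no filtering behaviour.

```shell
#!/bin/sh
# Added example: emit N synthetic rules in iptables-restore syntax.
# Everything below (chain name, 192.0.2.0/24 documentation addresses, ports)
# is constructed for the example.

# Print a complete iptables-restore document for the filter table with N rules.
# Format: "*table", one ":CHAIN POLICY [pkts:bytes]" line per chain (a policy of
# "-" marks a user-defined chain), the rules in iptables command syntax without
# the leading "iptables", then "COMMIT" to end the table.
gen_restore_file() {
    n="$1"
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':lotsarules - [0:0]'      # user-defined chain; never jumped to, so inert
    i=0
    while [ "$i" -lt "$n" ]; do
        # vary address and port so the rules are distinct, as real sets are
        echo "-A lotsarules -s 192.0.2.$(( i % 254 + 1 ))/32 -p tcp --dport $(( 1024 + i % 60000 )) -j ACCEPT"
        i=$(( i + 1 ))
    done
    echo 'COMMIT'
}

# Number of rule lines (the "-A" entries) in a restore document on stdin.
count_rules() {
    awk '/^-A / { n++ } END { print n + 0 }'
}

# Turn the same document into one iptables command per rule, i.e. the per-rule
# loading style whose cost grows with the table. Chain creation is emitted first
# so the -A lines have somewhere to go.
as_per_rule_commands() {
    awk '
        /^:/ && $2 == "-"  { print "iptables -N " substr($1, 2) }
        /^-A /             { print "iptables " $0 }
    '
}

# How to compare the two loading styles on a real host (both need root):
#   gen_restore_file 20000 > /tmp/lotsarules.rules
#   time iptables-restore --noflush < /tmp/lotsarules.rules   # one pass per table
#   iptables -F lotsarules; iptables -X lotsarules
#   time sh -c "$(gen_restore_file 20000 | as_per_rule_commands)"  # one process per rule
gen_restore_file "${1:-5}" | as_per_rule_commands | head -n 3
```

With --noflush, iptables-restore adds to the tables already present instead of replacing them, which matters when you are appending a generated chain to a live rule set rather than loading the whole configuration at boot.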