From: Ed W
Subject: Re: [SOLVED] Routing locally generated traffic on fwmark
Date: Sun, 02 Oct 2011 14:11:50 +0100
Message-ID: <4E886316.9030502@wildgooses.com>
References: <1317248412.26402.39.camel@andybev-desktop> <1317279076.26402.52.camel@andybev-desktop> <1317282807.26402.58.camel@andybev-desktop>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To:
Sender: netfilter-owner@vger.kernel.org
List-ID:
Content-Type: text/plain; charset="us-ascii"
To: Pandu Poluan
Cc: Andrew Beverley, netfilter@vger.kernel.org

On 29/09/2011 09:29, Pandu Poluan wrote:
> That's why I now no longer write iptables commands directly on the
> shell. I keep my firewall rules in a file /etc/opt/firewall, and if I
> need to add new rules, I just do:
> `vi /etc/opt/firewall && iptables-restore < /etc/opt/firewall`
>
> (Of course, to seed the file I'd do `iptables-save > /etc/opt/firewall`)
>
> This has the added benefit of allowing me to document all firewall
> changes by doing `hg commit` followed by `hg push` to a local
> Mercurial repository.
>
> (The reason why I put the rules in /etc/opt instead of /etc is so that
> I don't have to create an .hgignore file)
>

Can I also leave a plug for shorewall for similar reasons? It is a fairly
thin wrapper over iptables (etc), but it allows you to think at a slightly
higher level and wraps things such as setting/restoring fwmarks and routing,
and breaks them out from the general access rules. I find it picks a very
nice level between firewall GUIs and raw editing of iptables commands.
Give it a try.

Also it's text file based, so it's very easy to track via some source code
control system.

Cheers

Ed W
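The edit-then-`iptables-restore` workflow from the quoted post, as an added example that is not code from either poster: the script dry-runs the file with `iptables-restore --test`, snapshots the live ruleset and rolls back if the apply fails, then commits the file if it sits in a Mercurial repository. The function names and the `IPTABLES_SAVE`/`IPTABLES_RESTORE` environment overrides are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: apply a ruleset kept in
# iptables-save format (the post's /etc/opt/firewall) with a dry run first
# and automatic rollback, so a typo cannot leave a remote box unreachable.
# IPTABLES_SAVE and IPTABLES_RESTORE are assumed names; override via env.
set -u
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"

# Static check before touching the kernel: the file must be non-empty and
# every table block opened by "*name" must be closed by a COMMIT line.
check_rules_file() {
    [ -s "$1" ] || return 1
    awk '/^\*/ { open++; tables++ }
         /^COMMIT$/ { open-- }
         END { exit !(tables > 0 && open == 0) }' "$1"
}

# Snapshot the live ruleset, dry-run the new file (iptables-restore --test
# only parses and builds it), apply, and restore the snapshot on failure.
apply_rules() {
    f="$1"
    check_rules_file "$f" || { echo "refusing: $f is not a complete ruleset" >&2; return 1; }
    snap=$(mktemp) || return 1
    "$IPTABLES_SAVE" > "$snap" || { rm -f "$snap"; return 1; }
    if ! "$IPTABLES_RESTORE" --test < "$f"; then
        echo "refusing: $f does not pass iptables-restore --test" >&2
        rm -f "$snap"; return 1
    fi
    if ! "$IPTABLES_RESTORE" < "$f"; then
        echo "apply failed, rolling back to previous ruleset" >&2
        "$IPTABLES_RESTORE" < "$snap"
        rm -f "$snap"; return 1
    fi
    rm -f "$snap"
    # Record the change as the post does, if the file lives in a Mercurial repo.
    dir=$(dirname "$f")
    if command -v hg >/dev/null 2>&1 && hg --cwd "$dir" root >/dev/null 2>&1; then
        hg --cwd "$dir" commit -m "firewall: applied $(date -u +%Y%m%d-%H%M%S)" "$f" || true
    fi
}

# Usage: sh apply-firewall.sh /etc/opt/firewall
if [ $# -gt 0 ]; then apply_rules "$1"; fi
```

Run it as root after editing the file; a ruleset rejected by the static check or by `--test` is never loaded, and the previous ruleset is put back if loading fails half way.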