iptables-save ?

iptables-save ?

[Joey]

Hello All,

 

I am considering writing my config out in an iptables-save format rather
than my list which gets loaded in a perl script which takes a long time.

In researching the file format I see # which is a comment, but what is a :
like the below lines?

Do I need these if I have my 

-A INPUT -j CIDR-ASIAN

-A CIDR-ASIAN -s 58.14.0.0/255.254.0.0 -p tcp -j LOG --log-prefix
"SPAM-BLOCK-CIDR-ASIAN" 

-A CIDR-ASIAN -s 58.14.0.0/255.254.0.0 -p tcp -m tcp --dport 25 -j DROP

 

If I do need them, does the sequence matter of when I execute my :CIDR-ASIAN
- [0:0] -vs- when I execute the above?

 

 

# Generated by iptables-save v1.2.11 on Wed Oct 22 04:14:00 2008

*filter

:INPUT ACCEPT [5420870:1818203807]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [6422769:3043272788]

:CIDR-ASIAN - [0:0]

:CIDR-CZECH - [0:0]

:CIDR-DROP - [0:0]

:CIDR-IISG - [0:0]

:CIDR-INDIA-KOREA - [0:0]

:CIDR-POLAND - [0:0]

:CIDR-RUSSIA - [0:0]

:CIDR-TURKEY - [0:0]

:CIDR-UK - [0:0]

:fail2ban-postfix - [0:0]

:fail2ban-postfix-log - [0:0]

 

Thanks,

 

Joey

Re: iptables-save ?

[Eljas Alakulppi]

Hey.

Yes, you do. They are the names of user-defined chains. If the chain does  
not exists, it will try to find module which is named as the target.

nanoha:~# cat ipsavetest
# Generated by iptables-save v1.3.6 on Wed Oct 22 09:02:02 2008
*filter
:INPUT ACCEPT [349743786:266090081750]
:FORWARD ACCEPT [1243465676:1104963760281]
:OUTPUT ACCEPT [270142137:311874029150]
-A INPUT -s 10.5.1.4 -j moo
COMMIT
# Completed on Wed Oct 22 09:02:02 2008
nanoha:~# iptables-restore ipsavetest
iptables-restore v1.3.6: Couldn't load target  
`moo':/lib/iptables/libipt_moo.so: cannot open shared object file: No such  
file or directory


-Eljas Alakulppi

On Wed, 22 Oct 2008 11:35:27 +0300, Joey <Joey@web56.net> wrote:

> Hello All,
>
>
> I am considering writing my config out in an iptables-save format rather
> than my list which gets loaded in a perl script which takes a long time.
>
> In researching the file format I see # which is a comment, but what is a  
> :
> like the below lines?
>
> Do I need these if I have my
>
> -A INPUT -j CIDR-ASIAN
>
> -A CIDR-ASIAN -s 58.14.0.0/255.254.0.0 -p tcp -j LOG --log-prefix
> "SPAM-BLOCK-CIDR-ASIAN"
>
> -A CIDR-ASIAN -s 58.14.0.0/255.254.0.0 -p tcp -m tcp --dport 25 -j DROP
>
>
> If I do need them, does the sequence matter of when I execute my  
> :CIDR-ASIAN
> - [0:0] -vs- when I execute the above?
>
>
>
> # Generated by iptables-save v1.2.11 on Wed Oct 22 04:14:00 2008
>
> *filter
>
> :INPUT ACCEPT [5420870:1818203807]
>
> :FORWARD ACCEPT [0:0]
>
> :OUTPUT ACCEPT [6422769:3043272788]
>
> :CIDR-ASIAN - [0:0]
>
> :CIDR-CZECH - [0:0]
>
> :CIDR-DROP - [0:0]
>
> :CIDR-IISG - [0:0]
>
> :CIDR-INDIA-KOREA - [0:0]
>
> :CIDR-POLAND - [0:0]
>
> :CIDR-RUSSIA - [0:0]
>
> :CIDR-TURKEY - [0:0]
>
> :CIDR-UK - [0:0]
>
> :fail2ban-postfix - [0:0]
>
> :fail2ban-postfix-log - [0:0]
>
>
> Thanks,
>
>
> Joey
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html



-- 
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

RE: iptables-save ?

[Joey]

What significance do the numbers between the brackets have?

print ":INPUT ACCEPT [6180932:1244590784]\n";
print ":OUTPUT ACCEPT [6574901:1313953477]\n";

I got those from executing a iptables-save so I can see what format I needed
to match in generating my own save file from our IP DB.


Thanks!

Joey

Re: iptables-save ?

[Eljas Alakulppi]

First is the packets matched by this rule, second is bytes matched by this  
rule. In user-defined chains counters are always zero (of course, if the  
packet is matched by some of the rules, that rule's counter is updated).

-Eljas Alakulppi

On Wed, 22 Oct 2008 16:26:37 +0300, Joey <Joey@web56.net> wrote:

> What significance do the numbers between the brackets have?
>
> print ":INPUT ACCEPT [6180932:1244590784]\n";
> print ":OUTPUT ACCEPT [6574901:1313953477]\n";
>
> I got those from executing a iptables-save so I can see what format I  
> needed
> to match in generating my own save file from our IP DB.
>
>
> Thanks!
>
> Joey
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

RE: iptables-save ?

[Joey]

> -----Original Message-----
> From: Eljas Alakulppi [mailto:Buzer@buzer.net]
> Sent: Wednesday, October 22, 2008 9:40 AM
> To: Joey; IPTables
> Subject: Re: iptables-save ?
> 
> First is the packets matched by this rule, second is bytes matched by this
> rule. In user-defined chains counters are always zero (of course, if the
> packet is matched by some of the rules, that rule's counter is updated).
> 
> -Eljas Alakulppi
> 

Hi Eljas,

So since I am generating this file through my own code should I put 
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]



> On Wed, 22 Oct 2008 16:26:37 +0300, Joey <Joey@web56.net> wrote:
> 
> > What significance do the numbers between the brackets have?
> >
> > print ":INPUT ACCEPT [6180932:1244590784]\n";
> > print ":OUTPUT ACCEPT [6574901:1313953477]\n";
> >
> > I got those from executing a iptables-save so I can see what format I
> > needed
> > to match in generating my own save file from our IP DB.
> >
> >
> > Thanks!
> >
> > Joey
> >
> > --
> > To unsubscribe from this list: send the line "unsubscribe netfilter" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html