iptables

mbjr · Posted: Mon Mar 22, 2004 1:54 pm Post subject: iptables

Hi,

I'm just a little confused about why using iptables scripts when I can edit /var/lib/rules-save and can use interfaces instead of ips. So why?
_________________
mb

adaptr · Posted: Mon Mar 22, 2004 3:06 pm Post subject:

I'm a little confused by what you mean to say here - both interfaces and ip addresses are possible filter sources for iptables.

So - what ?
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen

mbjr · Posted: Mon Mar 22, 2004 3:43 pm Post subject:

What I'm talking about that if you look around you see all iptables shell scripts. What I mean to do is to create the rules file manually

So it is

$ipt -A INPUT ... from a script VS [0:0] -A INPUT ... from rules-save
_________________
mb

adaptr · Posted: Tue Mar 23, 2004 6:06 pm Post subject:

Yes.... and I'm still confused what exactly you mean.

Yes, you can write iptables rules manually.
Yes, you can use a script.
Yes, you can even use a full interface to it like shorewall
Or you can use a firewall distro like ipcop.

So ?
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen

mbjr · Posted: Tue Mar 23, 2004 9:20 pm Post subject:

My question is: what is the difference between generating iptables rules with a script and writing the rules manually? What can a script provide that I can't do manually? Why does scripts exist if I can write all my rules by hand?
_________________
mb

Peracles · Posted: Tue Mar 23, 2004 9:25 pm Post subject:

mbjr · Posted: Wed Mar 24, 2004 12:20 pm Post subject:

I think ppl who uses firewalls are having more than 25 rules to create, but I don't think it's harder to write the iptables rules by hand than configuring X right :-)

but I'm sure it's much more complicated to write a script for that. I don't see the point.

If you have a dynamic IP, and you use a script which usually uses fix ips in the config geting the actual ip right from the iterface, and then you can play around start your script every time you have to restart your connection

And if you have a fix IP, than it really doesn't metter.

If there were script to made your work really easy with iptables, let's say you'd have arrays like:
nat_allowed="22,25,80,443"
than it'd be ok, but this:
$IPT -A INPUT ...something -j ACCEPT

is not the easy way :-)

It's almost that hard to understand that script like making the results by hand

So I just don't see the point :-/
_________________
mb

adaptr · Posted: Wed Mar 24, 2004 5:22 pm Post subject:

mbjr · Posted: Wed Mar 24, 2004 11:58 pm Post subject:

lol

great point. :-)

Thanks for the info guys.
_________________
mb