Re: [gentoo-user] scripted iptables-restore

[Michael Orlitzky <michael@orlitzky.com>]

On 10/13/2013 06:08 AM, Martin Vaeth wrote:
>>> 5. You can't script iptables-restore!
>>
>> Well, actually you can script iptables-restore.
> 
> For those who are interested:
> net-firewall/firewall-mv from the mv overlay
> (available over layman) now provides a separate
> firewall-scripted.sh
> which can be conveniently used for such scripting.
> 

You snipped the rest of my point =)

> You can write a bash script that writes an iptables-restore script to
> accomplish the same thing, but how much complexity are you willing to
> add for next to no benefit?

If you have a million rules and you need to wipe/reload them all
frequently you're probably doing something wrong to begin with.

With bash, you can leverage all of the features of bash that everybody
already knows. You can read files, call shell commands, pipe between
them, etc. You can write bash functions to avoid repetitive commands.
You can write inline comments to explain what the rules do.

Something like,

  # A function which sets up a static mapping between an external IP
  # address and an internal one.
  #
  # USAGE: static_nat <internal ip> <external ip>
  #
  function static_nat() {
      iptables -t nat -A PREROUTING  -d "${2}" -j DNAT --to "${1}"
      iptables -t nat -A POSTROUTING -s "${1}" -j SNAT --to "${2}"
  }

can make your iptables script a lot cleaner, and it conveys your intent
better when the rule is created:

  # Danny likes to torrent "linux isos" at work so he needs a public ip
  static_nat 192.168.1.x 1.2.3.x

I'm not saying you can't do all of this with iptables-restore, just that
you're punishing yourself for little benefit if you do.