From: "Richard Fish"
Date: Wed, 5 Jul 2006 09:22:50 -0700
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: iptables wiki
Message-ID: <7573e9640607050922ra5f37a4j683a73e8f7e04d3a@mail.gmail.com>
On 7/5/06, James wrote:
>
> 1) /etc/init.d/iptables save
> This will work if one loads the rules manually at the command line.
> Where do I put a script of iptables commands, so it is read, the
> rule sets generated and then saved into /var/lib/iptables/rules-save?

Anywhere you like. All that matters is that you run it so your iptables
are set up like you want, then run "/etc/init.d/iptables save" followed by
"rc-update -a iptables default".

> After that if I want to modify the rules, I edit my script, run
> my script manually, then issue:
> "iptables-save > /var/lib/iptables/rules-save"

No, "/etc/init.d/iptables save" is the better choice. The file might move,
or the format change, or something similar.

> If I want to then test the rules, without rebooting, I issue:
>
> /etc/init.d/iptables stop
> /etc/init.d/iptables start

Not necessary. After running your script, the tables will be set up
according to the script, and you can test away.

You probably want your script to have the following at the top:

iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

This flushes all rules, and resets the default policies, so that only the
rules that you specify later take effect. Very useful for clearing out old
artifacts of stuff...

> What I'm looking for is the series of steps to
> 1. Where best to locate my script?

Mine is in ~/bin/.

> 2. Insert (new) commands into the script.

$EDITOR

> 3. convert new scripted commands into rulesets
> 4. Load rulesets into the /var/lib/iptables/rules-save

Don't do this. Run your script, and let "/etc/init.d/iptables save" do the
work for you.

> 5. Restart the iptables/netfilter firewall

If you flush/reset like I describe above, this is not necessary, just run
your script.

> If what I work above [A] is correct then I just need some suggestions
> as to where the script should be located under /etc/, for
> consistency with gentoo mindsets.

You can put it anywhere you like. I prefer ~/bin/ since there I know it is
*not* something that Gentoo created.

-Richard
--
gentoo-user@gentoo.org mailing list
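The workflow the reply describes (reset at the top of the script, run the script, test, then "/etc/init.d/iptables save" and add the service to the default runlevel) as a complete script. This is an added example, not code from the thread or from Gentoo; the interface name, admin network and the rule set itself are assumed placeholders. It goes a little beyond the four-line reset in the reply, and says so in comments: a bare "iptables -F" only flushes the filter table and leaves user-defined chains in place, so the reset also runs "-t nat"/"-t mangle" with "-F" and "-X"; the policies are set to ACCEPT before the flush so a flush over SSH cannot lock you out; and the INPUT/FORWARD DROP policies are applied last, after the accept rules. It also has a dry-run mode that records the iptables commands instead of executing them, which is worth running before touching a remote box and before "save" snapshots whatever is currently loaded.

```shell
#!/bin/sh
# Added example, not code from the thread: a firewall script laid out the way
# the reply recommends (reset first, then rules), plus a dry-run mode.
# Assumed placeholders: WAN_IF, SSH_FROM and the rule set itself.
# Usage:  ./firewall.sh            (dry-run: print what would be issued)
#         ./firewall.sh apply      (load the rules and test them)
#         ./firewall.sh install    (load, save, enable at boot)

IPT="${IPT:-iptables}"                  # overridable, e.g. IPT="echo iptables"
WAN_IF="${WAN_IF:-eth0}"                # assumed interface name
SSH_FROM="${SSH_FROM:-192.168.1.0/24}"  # assumed admin network

reset_tables() {
    # Permissive policies *before* flushing: if you are on SSH and the old
    # rule set had INPUT DROP, flushing first would cut you off.
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    # A bare "iptables -F" only flushes the filter table and keeps
    # user-defined chains; clear every table and its chains.
    for table in filter nat mangle; do
        $IPT -t "$table" -F
        $IPT -t "$table" -X
    done
}

apply_rules() {
    reset_tables
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 22 -s "$SSH_FROM" -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
    # Default-deny goes last, once the accept rules above are in place.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
}

# --- dry-run support -------------------------------------------------------
NL=$(printf '\n.'); NL=${NL%.}          # a literal newline, POSIX-sh style
RECORDED=""
record_cmd() {                          # stand-in for iptables: log, don't run
    RECORDED="${RECORDED}iptables $*${NL}"
}
dry_run() {                             # prints the commands apply_rules would issue
    RECORDED=""
    IPT=record_cmd
    apply_rules
    printf '%s' "$RECORDED"
}

case "${1:-dry-run}" in
    dry-run) dry_run ;;
    apply)   apply_rules ;;             # load and test; nothing is saved yet
    install)
        # Load, then let Gentoo's init script snapshot the live tables and
        # enable the service at boot ("rc-update -a" in the reply is the
        # old short form of "add").
        apply_rules
        /etc/init.d/iptables save
        rc-update add iptables default
        ;;
    *) echo "usage: $0 [dry-run|apply|install]" >&2; exit 2 ;;
esac
```

Because the script is idempotent (every run starts from a clean reset), editing it and re-running "./firewall.sh apply" is the whole test cycle; only run "install" once you have confirmed the new rules still let you in.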