From: Pandu Poluan
To: gentoo-user@lists.gentoo.org
Date: Mon, 14 Oct 2013 12:54:30 +0700
Subject: Re: [gentoo-user] scripted iptables-restore
In-Reply-To: <525AAADE.7040700@orlitzky.com>
References: <524DD388.9020507@fastmail.co.uk> <524F39F6.4040409@orlitzky.com> <525AAADE.7040700@orlitzky.com>

On Oct 13, 2013 9:15 PM, "Michael Orlitzky" <michael@orlitzky.com> wrote:
>
> On 10/13/2013 06:08 AM, Martin Vaeth wrote:
> >>> 5. You can't script iptables-restore!
> >>
> >> Well, actually you can script iptables-restore.
> >
> > For those who are interested:
> > net-firewall/firewall-mv from the mv overlay
> > (available over layman) now provides a separate
> > firewall-scripted.sh
> > which can be conveniently used for such scripting.
> >
>
> You snipped the rest of my point =)
>
> > You can write a bash script that writes an iptables-restore script to
> > accomplish the same thing, but how much complexity are you willing to
> > add for next to no benefit?
>
> If you have a million rules and you need to wipe/reload them all
> frequently you're probably doing something wrong to begin with.
>
> With bash, you can leverage all of the features of bash that everybody
> already knows. You can read files, call shell commands, pipe between
> them, etc. You can write bash functions to avoid repetitive commands.
> You can write inline comments to explain what the rules do.
>
> Something like,
>
>   # A function which sets up a static mapping between an external IP
>   # address and an internal one.
>   #
>   # USAGE: static_nat <internal ip> <external ip>
>   #
>   function static_nat() {
>       iptables -t nat -A PREROUTING  -d "${2}" -j DNAT --to "${1}"
>       iptables -t nat -A POSTROUTING -s "${1}" -j SNAT --to "${2}"
>   }
>
> can make your iptables script a lot cleaner, and it conveys your intent
> better when the rule is created:
>
>   # Danny likes to torrent "linux isos" at work so he needs a public ip
>   static_nat 192.168.1.x 1.2.3.x
>
> I'm not saying you can't do all of this with iptables-restore, just that
> you're punishing yourself for little benefit if you do.
>

One benefit of being familiar with iptables-save and iptables-restore: you can use iptables-apply.

Might save your sanity if you fat-fingered your iptables rule.

Just do `iptables-apply -t 180 <( preprocessor.sh new-rules.conf)`. Changes are done atomically. After 180 seconds, if you don't indicate to iptables-apply that the changes are proper, it atomically reverts the whole netfilter tables.

bash scripts are powerful, but there might be unexpected cases that render the netfilter tables to be wildly different from what you actually want.

The file format used by iptables-{save,restore,apply} is more like a domain-specific language; less chance of partial mistakes. And it's atomic: Either everything gets applied, or none gets applied (without clobbering existing in-effect rules).

Rgds,
--
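The `preprocessor.sh new-rules.conf` step mentioned in the reply, written out as an added example (this is not code from the thread or from any of its participants): a bash preprocessor that reads a one-directive-per-line config, validates the addresses, and emits the nat table in iptables-restore syntax so the output can be handed to `iptables-apply` for an all-or-nothing load with timed rollback. It keeps the shape of the quoted `static_nat` helper but generates `-A` lines instead of calling `iptables`, so a typo is caught at build time and never reaches the kernel half-applied. The `static_nat` directive name, the config format and every address (RFC 1918 / RFC 5737 sample ranges) are constructed for this example.

```bash
#!/bin/bash
# Added example: config-to-iptables-restore preprocessor (not from the thread).
# Usage:  ./preprocessor.sh new-rules.conf | less
#         iptables-apply -t 180 <(./preprocessor.sh new-rules.conf)   # as root
set -eu

NAT_RULES=""   # accumulated "-A ..." lines for the nat table

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    local ip="$1" octet
    local re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$'
    [[ "$ip" =~ $re ]] || return 1
    for octet in "${BASH_REMATCH[@]:1}"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Queue the two nat rules for a 1:1 static mapping (internal -> external).
# Same idea as the quoted static_nat() helper, but it emits restore-format
# lines and refuses malformed input instead of running iptables directly.
static_nat() {
    [ $# -eq 2 ] || { echo "usage: static_nat <internal ip> <external ip>" >&2; return 1; }
    local internal="$1" external="$2"
    valid_ipv4 "$internal" || { echo "static_nat: bad internal address '$internal'" >&2; return 1; }
    valid_ipv4 "$external" || { echo "static_nat: bad external address '$external'" >&2; return 1; }
    NAT_RULES+="-A PREROUTING -d ${external}/32 -j DNAT --to-destination ${internal}"$'\n'
    NAT_RULES+="-A POSTROUTING -s ${internal}/32 -j SNAT --to-source ${external}"$'\n'
}

# Read directives from stdin (one per line, '#' starts a comment) and queue
# rules. Any unknown directive or bad argument aborts the whole build, so a
# config with one typo produces no ruleset at all rather than a partial one.
preprocess() {
    local line directive
    NAT_RULES=""
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                  # strip trailing comment
        [ -z "${line// }" ] && continue     # skip blank lines
        # shellcheck disable=SC2086  # unquoted on purpose: split into words
        set -- $line
        directive="$1"; shift
        case "$directive" in
            static_nat) static_nat "$@" || return 1 ;;
            *) echo "preprocess: unknown directive '$directive'" >&2; return 1 ;;
        esac
    done
    return 0
}

# Emit the complete nat table in iptables-restore syntax. Chain policies are
# declared explicitly so the file is self-describing; COMMIT closes the table,
# and iptables-restore applies the table as a unit.
render_nat_table() {
    printf '*nat\n'
    printf ':%s ACCEPT [0:0]\n' PREROUTING INPUT OUTPUT POSTROUTING
    printf '%s' "$NAT_RULES"
    printf 'COMMIT\n'
}

# When given a config file on the command line, build and print the table.
if [ $# -eq 1 ]; then
    preprocess < "$1" && render_nat_table
fi
```

A constructed `new-rules.conf` for this script would contain lines such as `static_nat 192.168.1.10 203.0.113.10   # Danny's box`; the generated output is what `iptables-apply -t 180 <(...)` loads, and if nobody confirms within 180 seconds the previous ruleset comes back, exactly the safety net the reply describes.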