From: James
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: iptables
Date: Fri, 17 Jul 2009 12:13:37 +0000 (UTC)
References: <8BEADC6C3BD744758ED6C9B40D608F15@hades>
 <93d30e950907160141n3a614e08md1b7672541e2a718@mail.gmail.com>
 <93d30e950907160143v5cddb921y4a661a0151ed912f@mail.gmail.com>
 <60a795cd0907160642x492ef9f3i49bd317b140a38a0@mail.gmail.com>

Alejandro gmail.com> writes:

> I use APF, for all my desktop/servers with debian and gentoo,
> is quite easy and works great. In 10' you have iptables running.

Interesting. I usually hack my rules by hand, as I like to learn as much as possible about iptables and the ever-changing kernel interaction issues. In particular, I'm experimenting with embedded and very lightweight fire hardware (586 processors).

Do you think APF will allow me to use its front end (gui) to build the raw iptables files and then go into them manually, make edits and changes, and load them manually onto a variety of lightweight Linux servers and firewalls?

Most of the front-end (gui) systems to iptables do not simply write out the rules one needs, either. The /var/lib/iptables/rules-save file contains a form of the rules; or better yet, is there a front end that just generates raw rules in iptables format that I can read and add to my /etc script?

The first few rules in /var/lib/iptables/rules-save look like this:

    :INPUT DROP [44:2925]
    :FORWARD ACCEPT [117727109:41814106432]
    :OUTPUT ACCEPT [75971:11854908]
    [8913:443731] -A INPUT -p tcp -m tcp --dport 445 -j DROP
    [2629:133240] -A INPUT -p tcp -m tcp --dport 139 -j DROP
    [9578:481396] -A INPUT -p tcp -m tcp --dport 135 -j DROP
    [1174:49600] -A INPUT -p tcp -m tcp --dport 1433 -j DROP
    [23160:1195298] -A INPUT -p tcp -m tcp --dport 25 -j DROP
    [198:9532] -A INPUT -p tcp -m tcp --dport 4899 -j DROP
    [160198:18547126] -A INPUT -i ! eth2 -j ACCEPT

The corresponding rules from my script look like this:

    iptables="/sbin/iptables"
    $iptables -F
    $iptables -P INPUT ACCEPT
    $iptables -P OUTPUT ACCEPT
    $iptables -P FORWARD DROP
    $iptables -X
    $iptables --flush
    $iptables -t nat --flush
    $iptables -t mangle --flush
    $iptables -X
    $iptables -t nat -X
    $iptables -t mangle -X
    $iptables --policy INPUT ACCEPT
    $iptables --policy OUTPUT ACCEPT
    $iptables --policy FORWARD ACCEPT
    $iptables -t nat --policy PREROUTING ACCEPT
    $iptables -t nat --policy OUTPUT ACCEPT
    $iptables -t nat --policy POSTROUTING ACCEPT
    $iptables -t mangle --policy PREROUTING ACCEPT
    $iptables -t mangle --policy OUTPUT ACCEPT

I'm looking for a gui front end to iptables that generates the rules in a format you can put directly into a script. Does APF do this? Any other package?

James
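As an added example (not part of the original post, and not APF or any other front end's code), here is a small Python converter that takes iptables-save output like the rules-save excerpt above and emits one `$iptables` command per line, ready to paste into a script. The sample input is constructed to mirror the quoted rules and adds a user-defined chain and a second table to show how those are handled.

```python
import re

# Constructed sample in iptables-save format, modelled on the rules quoted
# in the post (the first three rules), plus a user chain and a nat table.
SAMPLE = """\
*filter
:INPUT DROP [44:2925]
:FORWARD ACCEPT [117727109:41814106432]
:OUTPUT ACCEPT [75971:11854908]
:LAN_IN - [0:0]
[8913:443731] -A INPUT -p tcp -m tcp --dport 445 -j DROP
[160198:18547126] -A INPUT -i ! eth2 -j ACCEPT
[0:0] -A INPUT -j LAN_IN
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
[0:0] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

COUNTER = re.compile(r"^\[\d+:\d+\]\s*")          # leading [pkts:bytes]
CHAIN = re.compile(r"^:(\S+)\s+(\S+)\s+\[\d+:\d+\]$")  # :NAME POLICY [p:b]


def save_to_script(text, iptables="$iptables"):
    """Translate iptables-save output into one iptables command per line.

    Built-in chains become -P (policy) lines, user chains (policy '-')
    become -N lines, and each -A rule keeps its match/target arguments
    verbatim with the counter stripped. Tables other than filter get -t.
    """
    table, out = "filter", []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):            # table header, e.g. *nat
            table = line[1:]
            continue
        t = "" if table == "filter" else f" -t {table}"
        m = CHAIN.match(line)
        if m:
            chain, policy = m.groups()
            flag = "-N" if policy == "-" else f"-P"
            tail = chain if policy == "-" else f"{chain} {policy}"
            out.append(f"{iptables}{t} {flag} {tail}")
            continue
        rule = COUNTER.sub("", line)
        if not rule.startswith("-A "):
            raise ValueError(f"unrecognised iptables-save line: {line!r}")
        out.append(f"{iptables}{t} {rule}")
    return out


if __name__ == "__main__":
    print("\n".join(save_to_script(SAMPLE)))
```

It preserves whatever chain policies the saved file states (INPUT DROP in the excerpt, where the hand-written script sets ACCEPT), so compare the two before loading the output.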