On Tue, Oct 8, 2013 at 8:12 PM, Dan Ritter <d...@randomstring.org> wrote:
> On Tue, Oct 08, 2013 at 03:04:14PM -0700, james gray wrote:

>> working with the examples at
>>
>> https://wiki.debian.org/iptables
>>

>> -A INPUT -i lo -j ACCEPT

This will do nothing unless you have a default DROP policy

>> and follow procedure of
>>
>> iptables-restore < file-name
>>
>>
>> I do receive a message "line failed" for that line as shown above.
>>

> Next, you'll need to copy the entirety of the grey area example
> to a file, and use that file name in the iptables-restore. It's
> a very specific format.
>

Very specific - I wrote a script to generate an iptables save file and
saw that "line failed" message lots. Basically the format is:

*chain
:table [counter]
-A rule
COMMIT

Any deviation from this format is an error (you can also have #
comments btw). I assume you can use -I or -D or -R but I don't see
much point (maybe you go into different 'zones' and then that might be
cool to do). Generally, what you want to do is:
iptables -F; iptables -X; iptables-restore < file

> If you want to test individual rules, you could do this at the
> command line:
>
> iptables -A INPUT -i lo -j ACCEPT

Depending on where that line was put in the save file, that might not
be accurate (though since this rule doesn't do anything, one could
argue about the 'effect' it has at any point). However, assuming the
rule needs to be placed somewhere in the middle, you want:
iptables -nL --line-numbers

And then:
iptables -I INPUT <number> <rule>

>
> and then
>
> iptables -L
>
> to see if it took.
>
> There is nothing Debian-specific going on here.

Nope - this is Linux.
A few notes:
* I've seen some people (Ubuntu) naming their tables with all UPPERCASE
letters - don't do this. You can clobber namespace (and maybe other
issues?) and the only way to distinguish between internal jumps and
tables is the case (LOG and MARK being a prime example and mangle has
some cool jumps you can use and the ones you know of: ACCEPT, REJECT,
DROP, DENY - and it's 0400 so I can't think of others right now).
* iptables-restore makes one kernel call so is much better (read
faster) than calling iptables tons of times.
* these commands are actually links to xtables-multi:
# xtables-multi
ERROR: No valid subcommand given.
Valid subcommands:
 * iptables
 * main4
 * iptables-save
 * save4
 * iptables-restore
 * restore4
 * iptables-xml
 * xml
 * ip6tables
 * main6
 * ip6tables-save
 * save6
 * ip6tables-restore
 * restore6
(no idea why anyone would want to take a good thing and mess it up with
xml but it's there - though, if there's an xslt parser as a part of
that there could be some real fun to be had there)

And this stuff is fun, good luck in learning.
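The save-file layout discussed in this thread, as an added example that is not from the thread or from the Debian wiki: a small shell script that generates a minimal iptables-restore file (default DROP on INPUT, loopback accepted) and then checks a file's structure offline for the mistakes that produce "line failed" (a rule or chain outside a table block, a missing COMMIT, an unrecognised leading token). In this format the `*` line names a table (filter, nat, mangle) and each `:` line names a chain with its policy and counters; the function names `gen_rules` and `check_rules` are mine.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Load the generated file (as root) with, as the thread suggests:
#   iptables -F; iptables -X; iptables-restore < rules.v4

# Emit a minimal filter-table save file on stdout.
gen_rules() {
cat <<'EOF'
# Comments are permitted in a save file.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Check the structure of the save file named in $1.
# Prints "ok" on success; otherwise prints the first problem and returns 1.
check_rules() {
    awk '
        function fail(msg) { print "line " NR ": " msg; err = 1; exit 1 }
        /^#/ || /^[ \t]*$/ { next }                 # comments and blank lines
        /^\*/       { if (in_table) fail("new table before COMMIT")
                      in_table = 1; next }          # *table opens a block
        /^:/        { if (!in_table) fail("chain outside a table block")
                      next }                        # :CHAIN POLICY [p:b]
        /^-A /      { if (!in_table) fail("rule outside a table block")
                      next }                        # -A CHAIN match... -j target
        /^COMMIT$/  { if (!in_table) fail("COMMIT without a table")
                      in_table = 0; next }          # COMMIT closes the block
                    { fail("unrecognised line: " $0) }
        END {
            if (err) exit 1
            if (in_table) { print "missing COMMIT"; exit 1 }
            print "ok"
        }
    ' "$1"
}
```

Run `gen_rules > rules.v4 && check_rules rules.v4` to produce and validate a file before handing it to iptables-restore.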

