[SLUG] Seeking iptables interface-specific script

2006-08-22 Thread Mary Gardiner
Is there a canonical way of writing interface specific iptables scripts?

At the moment, I'm trying to write a couple of scripts with this
behaviour to put in /etc/network/if[action].d/:
 - when lo comes up, add an iptables rule
 - when lo comes down, delete that same iptables rule

Other rules, ideally, would not be touched by that.

The trouble is that iptables doesn't seem to have great support for this
automated rule-specific kind of operation. Individual rules can be
deleted with -D, but only if you know the rule number which, as far as I
can tell, you work out by running 'iptables -L' and counting the rules
from the top of the chain.

So are people doing this kind of interface specific iptables rules, and
if so, how are you doing it? Is there a blessed way, or just a bunch of
ways?

-Mary
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html


Re: [SLUG] Seeking iptables interface-specific script

2006-08-22 Thread Jamie Wilkinson
This one time, at band camp, Mary Gardiner wrote:
 Is there a canonical way of writing interface specific iptables scripts?
 
 At the moment, I'm trying to write a couple of scripts with this
 behaviour to put in /etc/network/if[action].d/:
  - when lo comes up, add an iptables rule
  - when lo comes down, delete that same iptables rule
 
 Other rules, ideally, would not be touched by that.
 
 The trouble is that iptables doesn't seem to have great support for this
 automated rule-specific kind of operation. Individual rules can be
 deleted with -D, but only if you know the rule number which, as far as I
 can tell, you work out by running 'iptables -L' and counting the rules
 from the top of the chain.
 
 So are people doing this kind of interface specific iptables rules, and
 if so, how are you doing it? Is there a blessed way, or just a bunch of
 ways?

I took over maintainership of a tool called filtergen some years back, which
we use at Anchor for all firewall maintenance, and I can see a way to use it
to do what you want.

I'd have the up script copy the filter fragment into an include directory,
then regenerate the filter, and in the down script delete the fragment and
regenerate, i.e.:

/etc/filtergen/rules.filter:

 input eth0 {
   include /etc/filtergen/input.d/
 };

/etc/filtergen/input.d:
  some_fragment (symlink to ../fragment.d/some_fragment)

/etc/filtergen/fragment.d:
  some_fragment:
    port 22 accept;

Does that make sense? :)


Re: [SLUG] Seeking iptables interface-specific script

2006-08-22 Thread John Clarke
On Wed, Aug 23, 2006 at 11:51:23 +1000, Mary Gardiner wrote:

 deleted with -D, but only if you know the rule number which, as far as I
 can tell, you work out by running 'iptables -L' and counting the rules
 from the top of the chain.

With '--line-numbers' you don't have to count :-)

 So are people doing this kind of interface specific iptables rules, and
 if so, how are you doing it? Is there a blessed way, or just a bunch of
 ways?

I list the rules, look for the one I want, then delete it by number,
but I've only (so far) needed to do it in one script on one host.  You
may be able to put the rule into a separate user-defined chain, then simply
flush the chain to delete it (iptables -F chain).


Cheers,

John
-- 
... every credible survey which has ever been conducted has concluded 
that filtering software is to Internet users what meat-mincers are to 
cows ...
-- Mark Newton


Re: [SLUG] Seeking iptables interface-specific script

2006-08-22 Thread Peter Hardy
On Wed, 2006-08-23 at 11:51 +1000, Mary Gardiner wrote:
 Is there a canonical way of writing interface specific iptables scripts?
 
 At the moment, I'm trying to write a couple of scripts with this
 behaviour to put in /etc/network/if[action].d/:
  - when lo comes up, add an iptables rule
  - when lo comes down, delete that same iptables rule
 
 Other rules, ideally, would not be touched by that.

Brainstorming follows.

Create a new chain, say lo-rules, with a default policy of RETURN. Jump
to it at the appropriate place in your firewall script.

When lo comes up, add your iptables rule to the lo-rules chain.
When lo goes down, flush the lo-rules chain.

-- 
Pete

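A concrete version of the dedicated-chain approach John and Peter describe, written as an added example rather than code from either post. It assumes ifupdown exports IFACE and MODE ("start" on the way up, "stop" on the way down), that the chain is named lo-rules, and that the main firewall script already contains "-A INPUT -j lo-rules":

```shell
#!/bin/sh
# One script, installed in both /etc/network/if-up.d/ and if-down.d/.
# Assumed (not from the thread): ifupdown exports IFACE and MODE, and the
# main firewall script already has "-A INPUT -j lo-rules" in place.
CHAIN="lo-rules"

# Wrapper so the script can be dry-run (DRYRUN=1 prints the commands).
run() {
    if [ -n "${DRYRUN:-}" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Apply the rules for one interface event. Only the dedicated chain is
# touched, so the numbering of every other rule is left alone.
apply_lo_rules() {
    iface="$1"; action="$2"
    [ "$iface" = "lo" ] || return 0         # some other interface: no-op
    case "$action" in
    start)
        # create the chain if missing; a user-defined chain has no policy
        # and falls through (RETURN) when no rule in it matches
        run -N "$CHAIN" 2>/dev/null || true
        run -F "$CHAIN"                     # start from a known, empty chain
        run -A "$CHAIN" -i lo -j ACCEPT
        ;;
    stop)
        run -F "$CHAIN"                     # removes exactly what we added
        ;;
    *)
        echo "unknown action: $action" >&2; return 2
        ;;
    esac
}

# Only act when ifupdown invoked us; sourcing the file does nothing.
if [ -n "${IFACE:-}" ]; then
    apply_lo_rules "$IFACE" "${MODE:-}"
fi
```

Because the up path flushes before adding, running it twice does not leave duplicate rules behind.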


Re: [SLUG] Seeking iptables interface-specific script

2006-08-22 Thread Alexander Samad
On Wed, Aug 23, 2006 at 11:51:23AM +1000, Mary Gardiner wrote:
 Is there a canonical way of writing interface specific iptables scripts?
 
 At the moment, I'm trying to write a couple of scripts with this
 behaviour to put in /etc/network/if[action].d/:
  - when lo comes up, add an iptables rule
  - when lo comes down, delete that same iptables rule
 
 Other rules, ideally, would not be touched by that.
 
 The trouble is that iptables doesn't seem to have great support for this
 automated rule-specific kind of operation. Individual rules can be
 deleted with -D, but only if you know the rule number which, as far as I
 can tell, you work out by running 'iptables -L' and counting the rules
 from the top of the chain.
I had something similar to this, I kept a directory of all the current
iptables rules and then converted into input for iptables-save
iptables-restore, which batch loads the tables (hence much faster than
flushing and re-adding your rules one by one), this gets rid of the need
to delete specific rows.  I believe also that the batch load is atomic!

Alex

 
 So are people doing this kind of interface specific iptables rules, and
 if so, how are you doing it? Is there a blessed way, or just a bunch of
 ways?
 
 -Mary


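Alex's regenerate-and-batch-load approach as an added example, not his script. It assumes a directory of fragment files (one rule per line, user-defined chains declared on ":name - [0:0]" lines) whose names and path are made up for the example:

```shell
#!/bin/sh
# Assemble a complete "filter" table for iptables-restore from fragment
# files and load it in one commit. Assumed layout (not from the post):
#   /etc/iptables/rules.d/10-base.rules   one rule per line, e.g.
#   /etc/iptables/rules.d/50-lo.rules     "-A INPUT -i lo -j ACCEPT"
# An if-up script drops a fragment in, an if-down script removes it, and
# both then call load_rules; no rule ever needs to be deleted by number.
RULES_DIR="${RULES_DIR:-/etc/iptables/rules.d}"

# Print the table built from every *.rules file in $1, in sorted order.
# Lines starting with ':' declare user-defined chains and are emitted
# first, so a rule may jump to a chain declared in a later fragment.
build_filter_table() {
    dir="$1"
    echo "*filter"
    echo ":INPUT DROP [0:0]"        # policies for the built-in chains
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    for f in "$dir"/*.rules; do
        [ -f "$f" ] && grep '^:' "$f" || true
    done
    for f in "$dir"/*.rules; do
        [ -f "$f" ] && grep '^-' "$f" || true   # comments/blanks dropped
    done
    echo "COMMIT"
}

# iptables-restore replaces the whole table at COMMIT: the new rules
# appear together, and a fragment with a syntax error is rejected as a
# whole, leaving the previous table in place.
load_rules() {
    build_filter_table "$RULES_DIR" | iptables-restore
}
```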