script v. ruleset (was: Re: Help for this project)
rob0 at gmx.co.uk
Fri Nov 18 17:03:00 CET 2005
On Tuesday 2005-November-15 00:26, Rob Sterenborg wrote:
> > And to go a bit further, I should say that I am moving away from
> > scripts, in favour of iptables-save(8)/iptables-restore(8)
> > rulesets. The initial ruleset can be developed by means of a script
> > or editor, and I find that the rules files are much easier to
> > maintain.
> I think that's a matter of opinion.
Of course it is, and is stated as such. It is an opinion which grew
after writing many scripts. I once had, and at some sites still do
have, monster scripts that make the OP's effort look trivial.
Functions, nested loops, arrays, even nested arrays which are
supposedly not possible in bash! (I cheated, using alternate $IFS on
the internal arrays, the ones which were contained in other arrays.)
I'm pretty good with bash. I am on a first-name basis with the Advanced
Bash Scripting Guide, and even with the dreaded "man bash". :) I paid
my shell scripting dues, so to speak, and I did it in making firewalls.
I feel pretty confident that my latest firewalls, trivial to maintain
and to adjust using rules files, would be a nightmare to script. I have
complex port forwards which are allowed from some addresses but not
from others, and some which differ per external interface (at sites
with multiple external interfaces.) I have conditional branching
through multiple user chains. Two sites I can think of have even have
alternate SNAT'ing per internal address. I have several sites with
transparent proxying rules, HTTP and DNS.
I found that when I needed to add or adjust one rule I often had to dig
in the depths of the script code, and the digging could break things.
My dream of having one simple configuration file and never touching the
script internals never quite came to pass.
In the early days, I, like many who post here for help, did not fully
understand the distinction between filter INPUT and FORWARD. My early
scripts jumped to the same Allow chain for both INPUT and FORWARD,
although some of those rules belonged exclusively in one or the other.
When I come across these I am converting them to rulesets. It's simple
to do so in $EDITOR. I make separate AllowIn and AllowFwd chains and
append the "In" or "Fwd" string as needed. Spending ten minutes in
$EDITOR gives me a tighter, better firewall, that would have taken
hours to script (and to debug!)
> Personally I prefer scripts because I can put remarks and empty
> lines in them, grouping lines together that belong to each other
> so I know what I did 1 year (or so) ago, without having to read
> over the complete script/ruleset.
Red herring. No, iptables-save(8) won't preserve comments unless using
"--comment" in your rules, but you can certainly add comments to your
rules -- iptables-restore(8) is fine with that. I didn't try blank
lines, but I bet those work too.
The only grouping requirement I know is that you must keep each table's
rules together between the *table_name and COMMIT lines. Perhaps you
could add multiple sections for the same table. Again, I have not
tried. Nor would I wish to try!
> But everyone should do what (s)he wants in that matter ; the output
> of iptables-save is practically in script form so it's not that I
> can't read it.
The thing that appeals to me is that the output is linear per chain,
just like netfilter itself. You can see right away what is being done
in any particular chain.
I am not trying to convince you; I am only trying to explain where I
came from and why I went where I did. With simple firewalls, simple
scripts can surely be a viable option.
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
More information about the netfilter