incremental iptables - Linux



Thread: incremental iptables

  1. incremental iptables

    Hello Group,

    For my firewall I use a script of lots of iptables commands.
    When I run it, my "firewall" is set up.
    Are there any known techniques to incrementally activate or deactivate
    some rule sections, without having to reload everything?

    PS: assuming that the order of the rules is not really important because
    they don't intersect

  2. Re: incremental iptables

    On May 23, 4:38 pm, Guenther Sohler wrote:
    > Hello Group,
    >
    > For my firewall I use a script of lots of iptables commands.
    > When I run it, my "firewall" is set up.
    > Are there any known techniques to incrementally activate or deactivate
    > some rule sections, without having to reload everything?
    >
    > PS: assuming that the order of the rules is not really important because
    > they don't intersect


    Obvious one is to have multiple scripts, each with a rule set. Be
    careful only to have the flush commands in the initial script.

  3. Re: incremental iptables

    On Fri, 23 May 2008 00:32:59 -0700, Janaka wrote:

    > On May 23, 4:38 pm, Guenther Sohler wrote:
    >> Hello Group,
    >>
    >> For my firewall I use a script of lots of iptables commands.
    >> When I run it, my "firewall" is set up.
    >> Are there any known techniques to incrementally activate or deactivate
    >> some rule sections, without having to reload everything?
    >>
    >> PS: assuming that the order of the rules is not really important because
    >> they don't intersect

    >
    > Obvious one is to have multiple scripts, each with a rule set. Be
    > careful only to have the flush commands in the initial script.


    Yes, but in your proposal you would conditionally load script sets.
    But this would still imply that you flush all rules in the init script
    and conditionally load some iptables. This is not incremental.

    The problem: if my wife is using the SIP phone and I turn off the FTP
    rules, she won't hear anything until the SIP rules are set up again.

    Isn't it possible to tag some iptables rules with a label, and
    remove/add/replace them 'by name'?



  4. Re: incremental iptables

    Guenther Sohler writes:
    > On Fri, 23 May 2008 00:32:59 -0700, Janaka wrote:
    >
    >> On May 23, 4:38 pm, Guenther Sohler wrote:
    >>> Hello Group,
    >>>
    >>> For my firewall I use a script of lots of iptables commands.
    >>> When I run it, my "firewall" is set up.
    >>> Are there any known techniques to incrementally activate or deactivate
    >>> some rule sections, without having to reload everything?
    >>>
    >>> PS: assuming that the order of the rules is not really important because
    >>> they don't intersect

    >>
    >> Obvious one is to have multiple scripts, each with a rule set. Be
    >> careful only to have the flush commands in the initial script.

    >
    > Yes, but in your proposal you would conditionally load script sets.
    > But this would still imply that you flush all rules in the init script
    > and conditionally load some iptables. This is not incremental.
    >
    > The problem: if my wife is using the SIP phone and I turn off the FTP
    > rules, she won't hear anything until the SIP rules are set up again.
    >
    > Isn't it possible to tag some iptables rules with a label, and
    > remove/add/replace them 'by name'?


    You can replace, insert or delete rules by index (on a particular
    chain) and you can create custom chains. The custom chains can be
    hooked into the 'main' rulesets (or into each other) at arbitrary
    places and they can (of course) be flushed etc. independently of each
    other.

    But this isn't exactly a 'Linux system development' topic; the
    information can easily be gathered from the iptables manpage, too.

  5. Re: incremental iptables

    On Fri, 23 May 2008 12:28:48 +0200, Rainer Weikusat wrote:

    > But this isn't exactly a 'Linux system development' topic; the
    > information can easily be gathered from the iptables manpage, too.


    Problem solved.

    E.g. my phone iptables rules go to a chain called "SIP" instead of ACCEPT.
    It's very easy to rebuild the SIP chain with either "ACCEPT" or "DROP"
    from scratch, and it's still incremental in the total view.
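The custom-chain technique from replies 4 and 5, written out as an added shell example (this is not code from anyone in the thread): the phone rules jump from INPUT to a user-defined SIP chain, and only that chain is rebuilt with ACCEPT or DROP while every other rule section stays loaded. It also shows the by-index replace that reply 4 mentions, which avoids the brief window in which a flushed chain is empty. The chain name, the UDP port numbers and the function names are assumptions made for illustration; setting IPT=echo prints the iptables commands instead of running them, which is also how the example can be tried without root.

```shell
#!/bin/sh
# Added example, not code from the thread: a user-defined "SIP" chain that can
# be switched between ACCEPT and DROP without flushing the rest of the ruleset.
# Chain name, port numbers and function names are assumptions for illustration.
# Run with IPT=echo to print the iptables commands instead of executing them.
IPT="${IPT:-iptables}"

SIP_PORT="5060"          # assumed SIP signalling port (UDP)
RTP_RANGE="10000:20000"  # assumed RTP media port range (UDP)

# One-time setup: create the chain and hook it into INPUT. Both steps are
# idempotent, so setup can be re-run safely (-C only checks whether a rule exists).
sip_setup() {
    $IPT -N SIP 2>/dev/null || true
    for dports in "$SIP_PORT" "$RTP_RANGE"; do
        $IPT -C INPUT -p udp --dport "$dports" -j SIP 2>/dev/null \
            || $IPT -I INPUT 1 -p udp --dport "$dports" -j SIP
    done
}

# Rebuild only the SIP chain from scratch (reply 5's approach). Note the chain
# argument to -F: a bare "iptables -F" would flush every chain, which is exactly
# the full reload the thread wants to avoid.
sip_set() {
    verdict="$1"
    case "$verdict" in
        ACCEPT|DROP) ;;
        *) echo "sip_set: verdict must be ACCEPT or DROP" >&2; return 2 ;;
    esac
    $IPT -F SIP
    $IPT -A SIP -j "$verdict"
}
sip_enable()  { sip_set ACCEPT; }
sip_disable() { sip_set DROP; }

# In-place alternative (reply 4: rules can be replaced by index). Between -F and
# -A above the SIP chain is briefly empty; a packet reaching the end of an empty
# user chain returns to INPUT and falls through to the remaining rules and the
# chain policy. Replacing rule 1 in place has no such window, provided the chain
# holds exactly the single verdict rule that sip_set installs.
sip_flip() {
    verdict="$1"
    case "$verdict" in
        ACCEPT|DROP) ;;
        *) echo "sip_flip: verdict must be ACCEPT or DROP" >&2; return 2 ;;
    esac
    $IPT -R SIP 1 -j "$verdict"
}

# Command-line dispatch, e.g.: IPT=echo sh sipchain.sh disable
case "${1:-}" in
    setup)   sip_setup ;;
    enable)  sip_enable ;;
    disable) sip_disable ;;
    flip)    sip_flip "${2:-}" ;;
    "")      ;;  # sourced or run without arguments: define the functions only
    *)       echo "usage: $0 setup|enable|disable|flip ACCEPT|DROP" >&2; exit 2 ;;
esac
```

The same pattern generalises to any rule section that needs toggling: give each section its own chain, hook it once, and afterwards only ever flush or replace inside that chain. Keep the hook rules near the top of INPUT so an earlier rule cannot shadow them, and if a rule section contains more than one rule, rebuild it with sip_set's flush-and-refill rather than sip_flip, since -R addresses a single rule number.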



