Hello,
I am not too worried about speed so much as the administrative headache. You should try breaking your rules up; for example, I have done the following:
rc.firewall - loads standard / global options (ip_forward, sets up user chains,..) - executes all other files.
We have a number of MAT addresses on our firewall, so each interface has its own file and each MAT address has its own file as well.
Also each MAT address and interface has its own user-defined chain. From my perspective this provides the best efficiency for the firewall, because a packet gets passed to only 1 or 2 user chains and is only compared with rules that need to be applied.
Also, if someone is making changes to a MAT address and they accidentally break something, when they execute the file for the updates to take effect they are only affecting that user-defined chain (unless they really don't follow the instructions). So the odds of affecting other network traffic go down.
Michael.
Deepak Seshadri wrote:
Hello everybody,
Kenneth: Thank you very much for the reply. I'll look into this option.
Does anybody have any other suggestion? How does everyone load their rule-set?
My original mail: "So far I have been writing all the iptables commands in a file & running it in a terminal (bash filename). Then I do the "service iptables save" to save & load the configuration during boot-up. Pretty soon the configuration file is going to have around 800 commands & this file is modified quite often. So for the changes to reflect in run-time I do a "bash <script-file>". Somewhere I read that loading that many commands using "bash <script-file>" is not recommended (Is this true?). So I started searching in Google for other alternatives. I came across the following:
- Use rc.firewall (I don't know if it's in /etc or /etc/init.d or what)
- Use /etc/firewall.conf
- Use /etc/init.d/firewall
Could someone tell me which file to use? In Fedora core 2 I found only /etc/rc.d/init.d/iptables. Which way would be easy to load a huge script that would be modified quite often?
OS specs: Fedora Core 2 Kernel 2.6.8.1 Iptables 1.2.11"
Any help will be greatly appreciated. Thank you,
Deepak Seshadri
-----Original Message----- From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Kenneth Porter Sent: Monday, October 25, 2004 5:29 PM To: 'Netfilter Group' Subject: Re: iptables script file
Which way would be easy to load a huge script that would be modified quite often?
iptables-restore
The save format is a little weird at first but it's not too hard to see how it matches your iptables commands. I now modify /etc/sysconfig/iptables directly. (This is the save file used on Red Hat systems to reload the firewall at boot time.)
If I understand things correctly, iptables-restore makes a single kernel call with only one lock, so it's very efficient at loading the tables into the kernel.
Change your script to write your rules into the save format and then invoke iptables-restore to load it. This is actually pretty simple, as most of your iptables commands will be replaced with "echo ${RULEBODY} > ${SAVEFILE}" (where RULEBODY is the parameters to your old iptables command).
--
Michael Gale
LAN Administrator
Utilitran Corp.
The best part is when the people who know the least are the ones ranting and raving.
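Kenneth's approach (generate the save format, load it with one iptables-restore call) combined with Michael's per-interface user chains, as an added example that is not from any poster in this thread; the interface names, chain names and ports are made up, and SAVEFILE defaults to the Red Hat save file Kenneth mentions:

```shell
#!/bin/sh
# Added example: build an iptables-restore save file from shell functions
# and load it in one call, instead of running hundreds of iptables commands.
# Interfaces, chains and ports below are constructed placeholders.
SAVEFILE=${SAVEFILE:-/etc/sysconfig/iptables}   # Red Hat's boot-time save file

# One rule per line. In save format the leading "iptables" is dropped and
# "-t <table>" is replaced by the "*<table>" header the rule sits under.
rule() { printf '%s\n' "$*"; }

# Per-interface user chains: a packet only traverses the chain for the
# interface it arrived on, so a mistake in one file touches one chain.
rules_eth0() {
    rule '-A in_eth0 -p tcp --dport 22 -m state --state NEW -j ACCEPT'
    rule '-A in_eth0 -j DROP'
}
rules_eth1() {
    rule '-A in_eth1 -p tcp --dport 80 -m state --state NEW -j ACCEPT'
    rule '-A in_eth1 -j DROP'
}

# Emit a complete filter table in save format on stdout.
gen_rules() {
    rule '*filter'
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    rule ':in_eth0 - [0:0]'          # user chains are declared before use
    rule ':in_eth1 - [0:0]'
    rule '-A INPUT -i lo -j ACCEPT'
    rule '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    rule '-A INPUT -i eth0 -j in_eth0'
    rule '-A INPUT -i eth1 -j in_eth1'
    rules_eth0
    rules_eth1
    rule 'COMMIT'
}

# Write the whole set to a temp file first, then move it into place, so a
# half-written save file is never what iptables-restore (or boot) sees.
write_rules() {
    tmp="$1.tmp.$$"
    gen_rules > "$tmp" && mv "$tmp" "$1"
}

# iptables-restore replaces the listed tables in a single call.
load_rules() { iptables-restore < "$1"; }

# Usage (as root): write_rules "$SAVEFILE" && load_rules "$SAVEFILE"
```

Because the file is regenerated whole on every change, an edit to one interface's function can only break that interface's chain, which is the isolation Michael describes.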