> On 2012-08-24 19:46, Jan Engelhardt wrote:
> > On Friday 2012-08-24 23:12, Arturo Borrero wrote:
> >
> >> You usually set your ruleset in this way:
> >>
> >> $IPT -A INPUT -i $IF -s $INTERNET -d $MYSERVER -p tcp --sport 1024: --dport $SSH_PORT -j ACCEPT
> >
> > If you begin with something like this, no wonder it's all going slow,
> > because you are needlessly reloading all the damn rules.
> > That's why smart people use iptables-restore.
>
> Oh, only about ~2000 times faster in my tests :p
> http://www.slideshare.net/slideshow/embed_code/14051936?startSlide=22

Well, but the problem of writing two different rulesets with the same info is still unsolved.

And if you permit my point of view, I think it's harder to solve using iptables-restore than using bash and iptables/ip6tables (because of variables, the additional flexibility of bash, etc...).

Maybe the point would be to generate with Bash an iptables-restore ruleset to load into the kernel, but not load the ruleset directly from Bash...

-- 
Arturo Borrero González
Departamento de Seguridad Informática, @NIS_CICA (twitter)
Centro Informatico Cientifico de Andalucia (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía
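The closing suggestion of the message, keeping the variables and flexibility of Bash but handing the kernel a single iptables-restore file instead of one iptables call per rule, is sketched below as an added example; it is not code from the thread or from any of its participants. It generates the filter table for both IPv4 and IPv6 from one set of variables, which also addresses the "two rulesets with the same info" complaint. The interface, addresses and port are constructed placeholders (documentation address ranges), and the conntrack and ICMPv6 rules are additions the post does not mention, included because a default-DROP INPUT chain without them breaks established flows and IPv6 neighbour discovery.

```shell
#!/bin/sh
# Added example (not from the netfilter thread): build iptables-restore /
# ip6tables-restore input from one set of shell variables, so the rules are
# written once and loaded atomically per family instead of rule by rule.
# All addresses, the interface and the port are constructed placeholders.

IF="eth0"
SSH_PORT="22"
INTERNET4="0.0.0.0/0"
INTERNET6="::/0"
MYSERVER4="192.0.2.10"        # constructed: RFC 5737 documentation range
MYSERVER6="2001:db8::10"      # constructed: RFC 3849 documentation range

# gen_ruleset FAMILY -> prints a complete *filter table in restore format.
# FAMILY is 4 or 6; the same rule template is used, only the addresses and
# the family-specific ICMPv6 rule differ.
gen_ruleset() {
    family="$1"
    if [ "$family" = "6" ]; then
        server="$MYSERVER6"
        internet="$INTERNET6"
    else
        server="$MYSERVER4"
        internet="$INTERNET4"
    fi

    # Table header and chain policies with zeroed counters.
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]'

    # Loopback and already-established traffic.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'

    # IPv6 depends on ICMPv6 for neighbour discovery; dropping it makes the
    # host unreachable, so the v6 table gets one extra rule.
    if [ "$family" = "6" ]; then
        printf '%s\n' '-A INPUT -p icmpv6 -j ACCEPT'
    fi

    # The rule from the thread, with the per-family addresses substituted.
    printf '%s\n' "-A INPUT -i $IF -s $internet -d $server -p tcp --sport 1024: --dport $SSH_PORT -j ACCEPT"

    printf '%s\n' 'COMMIT'
}

# count_rules FAMILY -> number of -A rule lines in the generated table,
# a cheap sanity check before the file is handed to iptables-restore.
count_rules() {
    gen_ruleset "$1" | grep -c '^-A'
}

# Usage (not executed here): one kernel round trip per family, and the
# new table replaces the old one atomically.
#   gen_ruleset 4 > /tmp/rules.v4 && iptables-restore  < /tmp/rules.v4
#   gen_ruleset 6 > /tmp/rules.v6 && ip6tables-restore < /tmp/rules.v6
```

Because the script only prints text, it can be run as an unprivileged user and its output diffed against the currently loaded table (`iptables-save`) before anything is changed; the restore step is the only part that needs root.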