On 28/08/2012 8:55 p.m., Arturo Borrero wrote:
> On 2012-08-24 19:46, Jan Engelhardt wrote:
>> On Friday 2012-08-24 23:12, Arturo Borrero wrote:
>>> You usually set your ruleset in this way:
>>> $IPT -A INPUT -i $IF -s $INTERNET -d $MYSERVER -p tcp --sport 1024: --dport $SSH_PORT -j ACCEPT
>>
>> If you begin with something like this, no wonder it's all going slow,
>> because you are needlessly reloading all the damn rules.
>> That's why smart people use iptables-restore.
>> Oh, only about ~2000 times faster in my tests :p
>> http://www.slideshare.net/slideshow/embed_code/14051936?startSlide=22
>
> Well, but the problem of writing two different rulesets with the same
> info is still unsolved.
> And if you permit my point of view, I think it's harder to solve using
> iptables-restore than using bash and iptables/ip6tables (because
> variables, additional flexibility of bash, etc...)
> Maybe the point would be to generate with Bash an iptables-restore
> ruleset to load to kernel, but not load the ruleset directly from
> Bash...

I use a wrapper generator called "ferm". It generates the
iptables/ip6tables once with a lot of flexibility, then uses
iptables-save/restore to operate the system.

AYJ
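One way to do what the thread converges on (keep a single rule definition with shell variables, generate the iptables-restore and ip6tables-restore input from it, and load each in one atomic transaction instead of calling iptables per rule), as an added example that is not code from any poster and not ferm's output; the interface, port and the RFC 5737/3849 documentation addresses are constructed placeholders:

```shell
#!/bin/sh
# Added example, not from the thread. Constructed placeholder values:
IF=eth0
SSH_PORT=22
MYSERVER4=192.0.2.10          # RFC 5737 documentation address
MYSERVER6=2001:db8::10        # RFC 3849 documentation address

# Emit the rules shared by both families; $1 is the family ("4" or "6").
# Only the address and the ICMP protocol name differ, so every rule is
# written exactly once instead of once per ruleset file.
common_rules() {
  fam=$1
  if [ "$fam" = 4 ]; then srv=$MYSERVER4; icmp=icmp; else srv=$MYSERVER6; icmp=icmpv6; fi
  cat <<EOF
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $IF -d $srv -p tcp --sport 1024: --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p $icmp -j ACCEPT
EOF
}

# Wrap the rules in iptables-save format: table header, default chain
# policies, the rules, COMMIT. iptables-restore applies the whole file in
# one kernel transaction, which is why it is so much faster than one
# iptables invocation per rule and why the ruleset never loads half-way.
ruleset() {
  printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
  common_rules "$1"
  printf 'COMMIT\n'
}

# Number of -A rules in a generated ruleset, for a sanity check before loading.
rule_count() { ruleset "$1" | grep -c '^-A '; }

# Loading needs root and the *-restore binaries, so only do it when APPLY=1;
# otherwise just print both generated rulesets for review.
if [ "${APPLY:-0}" = 1 ]; then
  ruleset 4 | iptables-restore
  ruleset 6 | ip6tables-restore
else
  ruleset 4; ruleset 6
fi
```

Run with `APPLY=1` as root to load; run without it to inspect the generated text, e.g. to diff it against `iptables-save` output.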