Bug#626424: Please implement a method to save and restore netfilter rules at boot
Hi Costin,
See if iptables-persistent does what you need.
Regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
05-13-2011, 06:17 PM
Costin
Bug#626424: Please implement a method to save and restore netfilter rules at boot
On Thu, May 12, 2011 at 23:21, Andrei Popescu <andreimpopescu@gmail.com> wrote:
> Hi Costin,
>
> See if iptables-persistent does what you need.
Thank you for pointing out that package, Andrei. Unfortunately it does not
have the ability to save the current filter rules set, as Redhat's
does.
/etc/init.d/iptables-persistent save
Usage: /etc/init.d/iptables-persistent
{start|stop|force-stop|restart|force-reload|status}
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/BANLkTim=sc2KjqWEePXvu0evM6bUj7OqTA@mail.gmail.com
05-13-2011, 06:20 PM
Costin
Bug#626424: Please implement a method to save and restore netfilter rules at boot
On Fri, May 13, 2011 at 21:17, Costin <costinel@gmail.com> wrote:
> On Thu, May 12, 2011 at 23:21, Andrei Popescu <andreimpopescu@gmail.com> wrote:
>> Hi Costin,
>>
>> See if iptables-persistent does what you need.
>
> Thank you for pointing that package, Andrei. Unfortunately it does not
> have the ability to save the current filter rules set, as Redhat's
> does.
>
> /etc/init.d/iptables-persistent save
> Usage: /etc/init.d/iptables-persistent
> {start|stop|force-stop|restart|force-reload|status}
>
It is however a good starting point and I will file a bug against this
package for feature requests.
--
Archive: http://lists.debian.org/BANLkTi=HuLAedmFYkDZ=W-jmUcUpduAGFQ@mail.gmail.com
05-13-2011, 09:31 PM
Bernd Zeimetz
Bug#626424: Please implement a method to save and restore netfilter rules at boot
Hi,
If I remember right such functions were removed from the iptables package for
various good reasons, for example to avoid that people lock themselves out.
Implementing something similar is pretty easy, add something like
pre-up iptables-restore < /etc/network/iptables.save || true
to the network config in your /etc/network/interfaces and at the point when you
have a well working iptables config use
iptables-save > /etc/network/iptables.save
I'd never recommend to let something save iptables rules automatically. Do it
manually when you're sure that you have a working configuration.
Or even better, use ferm instead.
--
Archive: http://lists.debian.org/4DCDA32D.2000007@bzed.de
05-17-2011, 12:04 PM
Costin
Bug#626424: Please implement a method to save and restore netfilter rules at boot
On Sat, May 14, 2011 at 00:31, Bernd Zeimetz <bernd@bzed.de> wrote:
> Hi,
>
> If I remember right such functions were removed from the iptables package for
> various good reasons, for example to avoid that people lock themselves out.
>
> Implementing something similar is pretty easy, add something like
>
> pre-up iptables-restore < /etc/network/iptables.save || true
I pretty much desire to manually change as few configuration files as
possible
>
> to the network config in your /etc/network/interfaces and at the point when you
> have a well working iptables config use
> iptables-save > /etc/network/iptables.save
>
> I'd never recommend to let something save iptables rules automatically. Do it
> manually when you're sure that you have a working configuration.
>
I did not mention the word "automatically". I just want to have a
lazy man's way[1] to
- manually save rules
- automatically restore saved rules at boot
That's exactly what the iptables initscript does in redhat, for the
past 11 years (first appeared in "ipchains"
http://legacy.redhat.com/pub/redhat/linux/6.2/en/os/i386/RedHat/RPMS/ipchains-1.3.9-5.i386.rpm)
For that, Andrei's recommendation of iptables-persistent seems the
most tolerable answer, especially with Tollef's hint of saving - and I
hope the package maintainer will be kind enough to (accept a patch
for)/(develop) the initscript to parse a 'save' parameter.
> Or even better, use ferm instead.
Tried it but, uh, I'm comfortable enough with iptables syntax
___
[1] type as little as possible, memorize as few as possible
--
Archive: http://lists.debian.org/BANLkTinGkaTJzUc461ug36ZCPnqMumerBg@mail.gmail.com
05-17-2011, 03:30 PM
Peter Samuelson
Bug#626424: Please implement a method to save and restore netfilter rules at boot
> On Sat, May 14, 2011 at 00:31, Bernd Zeimetz <bernd@bzed.de> wrote:
> > to the network config in your /etc/network/interfaces and at the point when you
> > have a well working iptables config use
> > iptables-save > /etc/network/iptables.save
I go further: I run the iptables-save > /etc/network/iptables.rules
only once, to create a skeleton, and after that I treat that file as
primary source. I edit it as needed and "apply changes" with
iptables-restore, which atomically replaces the whole set. This seems
more natural to me than treating the live system as primary source and
"editing" that with iptables. (Text editors provide a much more
natural interface than iptables does, for operations like renaming
tables, reordering and grouping rules logically, and the like. Plus, I
can add arbitrary comments.)
I wouldn't mind a 'pre-up iptables-restore /etc/network/iptables.rules'
in the debian interfaces file by default ... but I don't expect it will
ever happen (lots of people don't work the way I work), so I add it
myself.
--
Peter Samuelson | org-tld!p12n!peter | http://p12n.org/
--
Archive: http://lists.debian.org/20110517153012.GE20906@p12n.org