[capirca-dev] importing iptables policies from resultant .ipt file


Kristian Erik Hermansen

Apr 26, 2010, 4:39:09 PM
to capir...@googlegroups.com
So, I wasn't sure if this is known, but you can't currently use
iptables-restore to import the resultant .ipt file from the generator.
Can this be fixed? All that is required is to add two lines to the
output of the .ipt file.

After the ### comments, you merely need to include a line like this:

*filter

Then the definitions follow here...and then the following at the end
on the last line.

COMMIT

This will allow iptables-restore to work properly, unless I am missing
something entirely and this is already supported in capirca without
using "verbatim" :) Should look something like this at the end...

*filter
-A INPUT -s 1.2.3.4/32 -j ACCEPT
-A OUTPUT -s 7.8.9.10/32 -j ACCEPT
COMMIT
--
Kristian Erik Hermansen

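The fix described above, as an added example that is not part of this thread or of capirca itself: a small Python helper that checks a generated .ipt rule file for the `*filter` header and trailing `COMMIT` that iptables-restore requires, and wraps the rules into a loadable table block when they are missing. It additionally emits `:CHAIN POLICY [0:0]` declaration lines (standard iptables-save syntax, not something the thread mentions) so user-defined chains exist before a `-A` references them; it assumes the filter table only, and the sample input is constructed from the rules quoted in the post.

```python
"""Wrap capirca-style iptables rule lines so iptables-restore accepts them."""
import re

BUILTIN_FILTER_CHAINS = ("INPUT", "FORWARD", "OUTPUT")
_RULE_CHAIN_RE = re.compile(r"^-[AIN]\s+(\S+)")  # chain named by an -A/-I/-N line

# Constructed sample: the rule lines quoted in the post, preceded by a ### comment.
SAMPLE_IPT = """### constructed capirca-style header comment
-A INPUT -s 1.2.3.4/32 -j ACCEPT
-A OUTPUT -s 7.8.9.10/32 -j ACCEPT
"""


def check_restore_format(text):
    """Return the problems that would make iptables-restore reject the text."""
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    if not lines:
        return ["no rules"]
    problems = []
    if not lines[0].startswith("*"):
        problems.append("missing '*<table>' header before first rule")
    if lines[-1] != "COMMIT":
        problems.append("missing 'COMMIT' after last rule")
    return problems


def to_restore_format(text, table="filter"):
    """Return the text as one complete iptables-restore table block.

    Comment lines are kept at the top, the '*table' header and chain
    declarations are added, and COMMIT is appended.  Text that already
    passes check_restore_format is returned unchanged.
    """
    if not check_restore_format(text):
        return text
    comments, rules, chains = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*") or line == "COMMIT":
            continue  # header/footer are regenerated below
        if line.startswith("#"):
            comments.append(line)
            continue
        name = None
        if line.startswith(":"):          # existing ':CHAIN POLICY [n:n]' declaration
            name = line.split()[0][1:]
        else:
            m = _RULE_CHAIN_RE.match(line)
            name = m.group(1) if m else None
            if not line.startswith("-N"):  # '-N' is replaced by a ':CHAIN' declaration
                rules.append(line)
        if name and name not in chains:
            chains.append(name)
    decls = [":%s %s [0:0]" % (c, "ACCEPT" if c in BUILTIN_FILTER_CHAINS else "-")
             for c in chains]
    return "\n".join(comments + ["*" + table] + decls + rules + ["COMMIT"]) + "\n"
```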

Tony Watson

May 20, 2010, 6:46:52 PM
to capir...@googlegroups.com
On Mon, Apr 26, 2010 at 2:39 PM, Kristian Erik Hermansen <kristian....@gmail.com> wrote:
> So, I wasn't sure if this is known, but you can't currently use
> iptables-restore to import the resultant .ipt file from the generator.
> Can this be fixed? All that is required is to add two lines to the
> output of the .ipt file.
>
> After the ### comments, you merely need to include a line like this:
>
> *filter
>
> Then the definitions follow here...and then the following at the end
> on the last line.
>
> COMMIT
>
> This will allow iptables-restore to work properly, unless I am missing
> something entirely and this is already supported in capirca without
> using "verbatim" :) Should look something like this at the end...
>
> *filter
> -A INPUT -s 1.2.3.4/32 -j ACCEPT
> -A OUTPUT -s 7.8.9.10/32 -j ACCEPT
> COMMIT

I've just submitted revision 97 which updates the iptables.py generator to create output that should be usable by 'iptables-restore'.

The change was a little more than suggested above, but seems to be working.  Please give it a try and let me know if you have any issues.  Thanks for the feedback.

Kristian Erik Hermansen

Jul 1, 2010, 6:00:30 AM
to capir...@googlegroups.com
On Thu, May 20, 2010 at 3:46 PM, Tony Watson <wat...@google.com> wrote:
> I've just submitted revision 97 which updates the iptables.py generator to
> create output that should be usable by 'iptables-restore'.
> The change was a little more than suggested above, but seems to be working.
>  Please give it a try and let me know if you have any issues.  Thanks for
> the feedback.

Works -- thank you...
--
Kristian Erik Hermansen