# Generated by iptables-save v1.3.2 on Thu Sep 8 12:32:48 2005
*nat
:PREROUTING ACCEPT [34942:3100331]
:POSTROUTING ACCEPT [106864:7597940]
:OUTPUT ACCEPT [106858:7597722]
:net_dnat - [0:0]
:w1ad_masq - [0:0]
-A PREROUTING -i w1ad -j net_dnat
-A POSTROUTING -o w1ad -j w1ad_masq
-A net_dnat -p udp -m multiport --dports
What are the "[34942:3100331]" and "[106864:7597940]" references above?
Without specifying options to iptables-save, it includes the counters in the
format [packet-counter:byte-counter]. I don't use the counters myself, so I
don't really know for sure what purpose they serve (I'm sure the doco could
shed some light on it). My guess is that they are used for either QoS or
throttling or something.
These are all valid rules and are constructed by shorewall. Would they be
the same if I hand-coded them? Absolutely not. I wouldn't have so many
custom chains and would probably reorder the rules to give priorities to
specific services.
And, I would argue that whilst these rules are valid and do perform the
firewall chores that I want/need, the format of the rules would leave a lot
to be desired to try to maintain manually via the command line.
If I understand this right: Shorewall, firehol, fwbuilder, etc.,
'just-works', but it kludges the iptables? Some of these 'helpers' may
also require you to learn some additional scripting format other than
the conventional iptables.
I don't think that 'kludges' is the right word for it.
When hand-coding iptables scripts, it makes sense to create custom chains to
organize your iptables script somewhat. Shorewall (and the others although
I'm not familiar with their direct interactions with iptables) does this as
well. The difficulty is that shorewall is capable of handling so many
different configurations. The various custom chains that it creates are
targeted towards someone that's using all of the various parts of shorewall;
when you scale back to a limited setup with a small set of logical rules,
shorewall still handles it easily but constructs all of the custom chains
and interlinkings that would be used in a more complex setup.
Which is why the iptables-save output I posted is a heck of a lot bigger
than what my logical set of rules contains.
I guess that's similar to using some HTML
WYSIWYG instead of hand coding it yourself.
That's a very good analogy, and more apropos to the actual output of
shorewall et al. Although the output of the tool is functionally similar to
what you would do by hand, it is typically more complicated and not close to
what you would have done hand-coding it.
--
gentoo-user@gentoo.org mailing list
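Added example, not from the thread: a small Python parser for the iptables-save format quoted at the top that pulls out the per-chain [packets:bytes] counters asked about, and then lists user-defined chains that no rule jumps to, which is the audit check that helps when a generator like shorewall leaves more custom chains than the logical rule set needs. The sample text is constructed from the excerpt; the completed `--dports` rule and `unused_chain` are made up.

```python
import re

# Constructed sample modelled on the excerpt quoted in the thread: the truncated
# --dports rule is completed with made-up values and unused_chain is added.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [34942:3100331]
:POSTROUTING ACCEPT [106864:7597940]
:OUTPUT ACCEPT [106858:7597722]
:net_dnat - [0:0]
:w1ad_masq - [0:0]
:unused_chain - [0:0]
-A PREROUTING -i w1ad -j net_dnat
-A POSTROUTING -o w1ad -j w1ad_masq
-A net_dnat -p udp -m multiport --dports 53,123 -j RETURN
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")

def parse_save(text):
    """Map table -> chain -> {policy, packets, bytes, rules}; [packets:bytes] is
    the counter pair iptables-save emits, and policy '-' means a user chain."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):                 # table header, e.g. *nat
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):               # chain header with counters
            name, policy, pkts, byts = CHAIN_RE.match(line).groups()
            tables[table][name] = {"policy": None if policy == "-" else policy,
                                   "packets": int(pkts), "bytes": int(byts),
                                   "rules": []}
        elif line.startswith("-A "):             # rule appended to a chain
            tables[table][line.split()[1]]["rules"].append(line)
    return tables

def jump_target(rule):
    """Chain or target named by -j/--jump/-g/--goto, else None."""
    toks = rule.split()
    for flag in ("-j", "--jump", "-g", "--goto"):
        if flag in toks:
            return toks[toks.index(flag) + 1]
    return None

def unreferenced_chains(chains):
    """User chains no rule in the table jumps to: prune candidates in an audit."""
    referenced = {jump_target(r) for c in chains.values() for r in c["rules"]}
    return sorted(n for n, c in chains.items()
                  if c["policy"] is None and n not in referenced)
```

Feed it `iptables-save` output for a live box (one table per `*` block) and compare `unreferenced_chains` per table against the chains the logical configuration actually needs.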