[Cialug] IPTables

Jonathan Bailey jbailey at co.marshall.ia.us
Fri Sep 8 08:19:02 CDT 2006


The only issue with querying line numbers is that the numbers change with
each rule you delete. That could also be a disaster... I found a hack around
the issue though. I create a chain with all of the specific rules for the
VPN client. I then add a forward rule to send all traffic to that chain.
When the VPN is being taken down and I only get the IP to remove, I
"iptables -L FORWARD | grep $ip | awk '{print $1}'" for the CN. I delete the
forward rule first (since I know the CN/chain name and the IP it's for). I
then flush the chain for the rule, then delete it. This seems to be working
well...


Jon
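The two approaches discussed in this thread, Jon's per-client chain named after the CN (torn down starting from the FORWARD jump rule) and kristau's delete-by-line-number loop (highest number first), as one added shell example. This is not code from any of the posters: the rule set, the chain names, the learn-address dispatch, and the `iptables -L FORWARD -n --line-numbers` sample output are constructed here for illustration, and `IPT` is overridable so the script can be dry-run without root.

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posters.
# Two ways to remove "all the rules for client X" without a wildcard -D:
#   1. per-client chain (Jon): FORWARD jumps to a chain named after the CN;
#      teardown recovers the chain name from that jump rule, deletes the jump
#      by exact specification, then flushes and removes the chain.
#   2. delete by rule number (kristau): list with --line-numbers, select rows
#      whose source field equals the IP, delete from highest to lowest so the
#      renumbering caused by each delete does not invalidate the next number.
# IPT can be pointed at a stub (IPT=echo) for a dry run; everything that parses
# listings reads stdin, so it can be exercised on sample text without root.
IPT="${IPT:-iptables}"

# Constructed sample of `iptables -L FORWARD -n --line-numbers` (not a real
# capture). Column 5 is the source; 10.8.0.60 is there to show why a plain
# `grep $ip` for 10.8.0.6 would also match the wrong client.
SAMPLE_FORWARD='Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    vpn_client1  all  --  10.8.0.6             0.0.0.0/0
3    ACCEPT     udp  --  10.8.0.6             192.168.192.9        udp dpt:53
4    vpn_client3  all  --  10.8.0.60            0.0.0.0/0
5    REJECT     all  --  10.8.0.6             0.0.0.0/0            reject-with icmp-port-unreachable'

# Print the user-defined chain that the first rule with source $1 jumps to.
# Exact field comparison, not a substring grep; header lines are skipped because
# their first field is not a number. Built-in targets are excluded so a plain
# ACCEPT/REJECT rule for the same source is not mistaken for a chain name.
chain_for_ip() {
    awk -v ip="$1" '$1 ~ /^[0-9]+$/ && $5 == ip &&
        $2 !~ /^(ACCEPT|DROP|REJECT|RETURN|LOG)$/ { print $2; exit }'
}

# Print rule numbers whose source field equals $1, highest first.
rule_numbers_for_source() {
    awk -v ip="$1" '$1 ~ /^[0-9]+$/ && $5 == ip { print $1 }' | sort -rn
}

# Approach 1, add side. $1 = CN (used as chain name), $2 = client IP.
# Chain names are limited to 28 characters, so a long CN must be shortened
# or hashed before being used here.
vpn_client_up() {
    cn=$1; ip=$2
    "$IPT" -N "$cn"
    "$IPT" -A "$cn" -d 192.168.192.9 -p udp --dport 53 -j ACCEPT
    "$IPT" -A "$cn" -d 192.168.192.9 -p tcp --dport 53 -j ACCEPT
    "$IPT" -A "$cn" -d 10.121.9.121 -p tcp --dport 5900 -j ACCEPT
    "$IPT" -A "$cn" -j REJECT
    "$IPT" -A FORWARD -s "$ip" -j "$cn"
}

# Approach 1, delete side. Only the IP is known (learn-address "delete" passes
# no CN), so the chain name is recovered from the FORWARD listing. -n avoids
# reverse DNS lookups that would otherwise stall the teardown.
vpn_client_down() {
    ip=$1
    cn=$("$IPT" -L FORWARD -n --line-numbers | chain_for_ip "$ip")
    [ -n "$cn" ] || return 1
    "$IPT" -D FORWARD -s "$ip" -j "$cn"   # exact spec: no rule numbers involved
    "$IPT" -F "$cn"
    "$IPT" -X "$cn"
}

# Approach 2. $1 = chain, $2 = source IP. Not atomic: a rule inserted between
# the listing and the deletes shifts the numbers, so serialise callers (flock).
delete_rules_for_source() {
    "$IPT" -L "$1" -n --line-numbers | rule_numbers_for_source "$2" |
    while read -r n; do "$IPT" -D "$1" "$n"; done
}

# openvpn learn-address invokes the script as: <op> <address> [<CN>].
# Treating "update" as down-then-up is an assumption of this example.
if [ "$#" -ge 2 ]; then
    case $1 in
        add)    vpn_client_up "$3" "$2" ;;
        update) vpn_client_down "$2"; vpn_client_up "$3" "$2" ;;
        delete) vpn_client_down "$2" ;;
    esac
fi
```

The part that makes the per-chain approach robust is that the only FORWARD rule removed is deleted by its full specification (`-s IP -j CHAIN`), so rule numbers never enter into it; `-F` and `-X` then take the whole client's rule set down in two calls. If you do go the line-number route, compare the source field exactly rather than piping through `grep $ip`, always list with `-n`, and hold a lock across the list-and-delete sequence, because learn-address can fire for two clients at once.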

-----Original Message-----
From: cialug-bounces at cialug.org [mailto:cialug-bounces at cialug.org] On Behalf
Of kristau
Sent: Thursday, September 07, 2006 11:36 PM
To: Central Iowa Linux Users Group
Subject: Re: [Cialug] IPTables

Tony is right.  This behaviour of iptables is by design, to protect you from
yourself.  That said, you could do an end-run around it by writing a script
which queries the output from 'iptables -L', indexes which lines have the
wildcard in them, then loops through (from highest to lowest, of course) with
a command like 'iptables -D INPUT $line_number'.

A much safer approach would be to keep track of each add in a look up table
so you can delete it later.  I'm not too familiar with openvpn and
learn-address, though, so this might not be easy to do.

On 9/6/06, tony geerts <thegreatland at yahoo.com> wrote:
> Your -D (delete) does not match a particular rule. You must be 
> specific. Iptables will not do wildcard matching. That would be 
> "dangerous."
>
>
> -A, --append chain rule-specification
> Append one or more rules to the end of the selected chain.  When the 
> source and/or destination names resolve to more than one address, a 
> rule will be added for each possible address combination.
>
> -D, --delete chain rule-specification
> -D, --delete chain rulenum
> Delete one or more rules from the selected chain.
> There are two versions of this command: the rule can be specified as a 
> number in the chain (starting at 1 for the first rule) or a rule to 
> match.
>
> --
> tony geerts
>
> --- jcbailey at code0.net wrote:
>
> > Working on a firewall script for iptables and openvpn. I'm using a 
> > script with learn-address to add/delete rules as needed.
> > The only issue is that I can't seem to delete a rule via wildcard (as in 
> > all input rules from the source of 10.8.0.6). Any way to do this with 
> > iptables, or is that a lost cause? Here's what the script is running for 
> > the add/delete (what I'd like...)
> >
> > Add:
> > iptables -A INPUT -s 10.8.0.6 -d 192.168.192.9 -p udp --dport 53 -j ACCEPT
> > iptables -A INPUT -s 10.8.0.6 -d 192.168.192.9 -p tcp --dport 53 -j ACCEPT
> > iptables -A INPUT -s 10.8.0.6 -d 10.121.9.121 -p tcp --dport 5900 -j ACCEPT
> > iptables -A INPUT -s 10.8.0.6 -j REJECT
> >
> > Delete:
> > iptables -D INPUT -s 10.8.0.6
> >
> >
> > Jon
> >
> > _______________________________________________
> > Cialug mailing list
> > Cialug at cialug.org
> > http://cialug.org/mailman/listinfo/cialug
> >
>
>


-- 
Tired programmer
Coding late into the night
The core dump follows

My GNUPG public key is available at http://www.kristau.net/public_key.asc