Re: [bitfolk] 64-bit support

Author: Hugo Mills
Date:  
Subject: Re: [bitfolk] 64-bit support
>>> ports etc but want to be able to use iptable's state module too and would
>>> like to use a script that's been proved through use.


How have you added the rules that you already use?

ip_conntrack state matching rules aren't particularly complicated.
Most of those rules look a bit like the following:

iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

- This is a general "allow stuff in if it's part of an existing or
related connection" rule (there are other options, like NEW or INVALID)
- it would be the first rule (because of the -I)

These rules can have protocol and port specifications, too.

It doesn't sound like you have very complex requirements.
My experience with netfilter frontends is they tend to err on the side
of complexity, certainly in terms of the rules they generate, with
multiple custom chains. I like my rules to be readable.

I also find that managing the rules with an editor allows me to add
comments where necessary (and/or use a VCS to permit rollback).

Yes, I realise this wasn't exactly what you asked for, but it Works For
Me (tm)

>>> Thanks in advance for any help/ideas.
>>>
>>> Barry


Regards,


Stuart
--
Stuart Sears RHCA etc.
"It's today!" said Piglet.
"My favourite day," said Pooh.


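Added example (not part of the message above, and not the poster's own ruleset): a hand-maintained, commented rules file of the kind the reply describes, in iptables-restore format, with the ESTABLISHED,RELATED rule first and NEW connections limited by protocol and port. The ports (22, 80), the default policies and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: a ruleset kept in an editor / VCS and loaded in one step.
# Ports 22 and 80 are constructed sample values, not taken from the thread.

emit_rules() {
cat <<'EOF'
*filter
# Default policies: drop unsolicited inbound and forwarded traffic.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Anything that is part of, or related to, an already tracked connection.
#    Kept first so the bulk of traffic matches early.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 2. Packets that connection tracking cannot classify.
-A INPUT -m state --state INVALID -j DROP
# 3. Loopback traffic.
-A INPUT -i lo -j ACCEPT
# 4. New connections, restricted by protocol and port.
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Position (1-based, among the INPUT rules) of the ESTABLISHED,RELATED accept.
# A reviewer or pre-commit hook can assert that this stays at 1.
state_rule_position() {
    emit_rules | grep -- '^-A INPUT' | grep -n -- 'ESTABLISHED,RELATED' | cut -d: -f1
}

# "check" parses the ruleset without committing it; "apply" loads it.
# Both need root; with no argument the script only defines the functions.
case "${1:-}" in
    check) emit_rules | iptables-restore --test ;;
    apply) emit_rules | iptables-restore ;;
esac
```

Because iptables-restore replaces the whole table in one step, the rules file itself is the reviewable, revertible artifact.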