firewalld / iptables.service past F17

Reindl Harald h.reindl at thelounge.net
Tue Apr 17 20:40:23 UTC 2012


Hi

one question before decisions are nailed down

http://fedoraproject.org/wiki/Features/firewalld-default

> An explicit transition is planned after Fedora 18 with dropping support for the
> static firewall with system-config-firewall/lokkit. A migration from the static
> firewall model will be needed then.

are only the UI interfaces meant, or does someone
consider dropping "iptables.service" at all? if so, please
reconsider this!

there are many configurations which are happy with the static
firewall, such as routers and (distributed) iptables scripts

no need for a graphical UI; a shell script finished with
/sbin/iptables-save > /etc/sysconfig/iptables does the whole
job as long as "/etc/sysconfig/iptables" is loaded at boot time
__________________

as example:

I have one big and distributed "iptables.sh" for more than 20
machines, where global settings are made for all machines and,
based on $HOSTNAME, incoming server ports are opened

maybe not everybody likes this model of a 50 KB script, but it
has worked for years, has fine documentation, and the flexibility
of a shell script gives us options which can hardly be replaced
__________________

another example: a software router like this one,
only the snippet with the routing part:

 # $IPTABLES and the $WAN_*/$LAN_*/$*_VOIP/$RHSOFT_* variables are set
 # earlier in the full script; their definitions are not part of this snippet
 echo "NAT Routing / Forwarding"
 echo "----------------------------------------------------------------------------------------"
 echo "Spoof-Protection"
 # drop packets arriving on the WAN interface that claim our own WAN address,
 # a private, loopback, unspecified or multicast source (they cannot legitimately come from there)
 $IPTABLES -A INPUT  -i eth1 -s $WAN_RHSOFT,$WAN_RHSOFT_BROADCAST,0.0.0.0/8,127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,224.0.0.0/3,255.255.255.255 -j DROP
 # and never leak packets with such source addresses out of the WAN interface
 $IPTABLES -A OUTPUT -o eth1 -s $WAN_RHSOFT_BROADCAST,0.0.0.0/8,127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,224.0.0.0/3,255.255.255.255 -j DROP
 echo "LAN:  $LAN_RHSOFT"
 # LAN -> WAN: new connections out, only replies back in, masqueraded behind the WAN address
 $IPTABLES -A FORWARD -i eth1 -o br0 -d $LAN_RHSOFT -m state --state RELATED,ESTABLISHED -j ACCEPT
 $IPTABLES -A FORWARD -i br0 -o eth1 -s $LAN_RHSOFT -j ACCEPT
 $IPTABLES -A POSTROUTING -o eth1 -t nat -s $LAN_RHSOFT -j MASQUERADE
 echo "VPN:  $LAN_LOUNGE"
 # LAN <-> VPN (tap0): both directions between the two networks, LAN masqueraded towards the VPN
 $IPTABLES -A FORWARD -i tap0 -o br0 -s $LAN_LOUNGE -d $LAN_RHSOFT -j ACCEPT
 $IPTABLES -A FORWARD -i br0 -o tap0 -s $LAN_RHSOFT -d $LAN_LOUNGE -j ACCEPT
 $IPTABLES -A POSTROUTING -o tap0 -t nat -s $LAN_RHSOFT -j MASQUERADE
 echo "VM:   $LAN_VMWARE"
 # LAN <-> VMware network (vmnet8): same pattern as for the VPN
 $IPTABLES -A FORWARD -i br0 -o vmnet8 -s $LAN_RHSOFT -d $LAN_VMWARE -j ACCEPT
 $IPTABLES -A FORWARD -i vmnet8 -o br0 -s $LAN_VMWARE -d $LAN_RHSOFT -j ACCEPT
 $IPTABLES -A POSTROUTING -o vmnet8 -t nat -s $LAN_RHSOFT -j MASQUERADE
 echo "VOIP: $LOUNGE_VOIP"
 # port-forward SIP (udp/5060) and udp/50600 coming from the remote VoIP peer to the internal hosts
 $IPTABLES -A PREROUTING -t nat -i eth1 -s $LOUNGE_VOIP -p udp -m multiport --destination-port 5060 -j DNAT --to-destination $RHSOFT_VOIP
 $IPTABLES -A PREROUTING -t nat -i eth1 -s $LOUNGE_VOIP -p udp -m multiport --destination-port 50600 -j DNAT --to-destination $RHSOFT_HANDY
 echo "Drop all other forwardings"
 # anything not explicitly allowed above is not forwarded
 $IPTABLES -A FORWARD -j DROP
 echo "----------------------------------------------------------------------------------------"


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20120417/730c9231/attachment.sig>
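A worked example of the static, hostname-driven model described in the post above, added here as an illustration and not code from the original mail or from Fedora. Instead of applying rules with iptables and then running iptables-save, it generates the ruleset directly in iptables-save format (the format iptables.service restores from /etc/sysconfig/iptables at boot), syntax-checks it with iptables-restore --test and installs it atomically. The hostnames, their port lists and the admin network 192.0.2.0/24 are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): generate a per-host static
# ruleset in iptables-save format, the format iptables.service restores from
# /etc/sysconfig/iptables at boot. Hostnames, port lists and the admin
# network 192.0.2.0/24 are assumptions for illustration only.

# TCP ports a host must accept from anywhere, keyed on the short hostname
# (the same role $HOSTNAME plays in the distributed script from the post).
host_ports() {
    case "$1" in
        www1|www2) echo "80 443" ;;
        mail1)     echo "25 465 587 993" ;;
        *)         echo "" ;;          # default: no public service ports
    esac
}

# Print the complete filter table for host $1 in iptables-save format.
gen_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # global rules, identical on every machine
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    # SSH only from the (assumed) admin network, never from the whole internet
    printf '%s\n' '-A INPUT -s 192.0.2.0/24 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'
    # per-host service ports
    for port in $(host_ports "$1"); do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Syntax-check the generated ruleset and install it atomically as the file
# iptables.service loads at boot. Needs root; $2 overrides the target path.
install_ruleset() {
    target="${2:-/etc/sysconfig/iptables}"
    gen_ruleset "$1" > "$target.new" || return 1
    # iptables-restore --test parses the file without touching the live tables
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$target.new" || { rm -f "$target.new"; return 1; }
    fi
    mv "$target.new" "$target"
}

# When run with a hostname argument, print that host's ruleset, e.g.
#   sh gen-iptables.sh "$(hostname -s)" > /etc/sysconfig/iptables
# or, as root, call install_ruleset "$(hostname -s)" to check and install it.
if [ $# -gt 0 ]; then
    gen_ruleset "$1"
fi
```

Keeping the policy in one script that is distributed to every machine and branching on the hostname gives the single point of documentation the post argues for, while the generated file stays in the format iptables.service already understands; the iptables-restore --test step catches a typo before a broken ruleset is written to disk and loaded at the next boot.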