Finally iptables works the same on every Linux distro - telmich
http://www.nico.schottelius.org/blog/iptables-distribution-independent-powered-by-cdist-sponsored-by-panter/

======
ambrop7
For complex setups you sooner or later have to dynamically add/remove rules,
based on values only known at runtime (such as an IP address obtained by
DHCP). Then, a simple list of rules doesn't suffice, and some kind of
programming is needed.

To solve such problems elegantly I designed my "NCD programming language"
(link: [https://code.google.com/p/badvpn/wiki/NCD](https://code.google.com/p/badvpn/wiki/NCD)).
The language has built-in backtracking, so in the case of iptables, the
language itself makes sure any iptables rule that was added is also removed
when that is necessary, in a manner not unlike exception handling in C++ etc.
Link to iptables module:
[https://code.google.com/p/badvpn/source/browse/trunk/ncd/mod...](https://code.google.com/p/badvpn/source/browse/trunk/ncd/modules/net_iptables.c)
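The "every rule that was added is also removed when necessary" behaviour described above, written as an added example in Python rather than in NCD (this is not badvpn's code and not the commenter's; the class and function names are made up here). Rules are applied in order onto an undo stack; leaving the block, whether normally or by exception, replays the stack in reverse with the exact `-D` inverse of each `-A`. The executor is pluggable so the unwinding can be exercised offline with the constructed `FakeIptables` stand-in; on a real host you would pass `run_iptables`.

```python
"""Undo-stack ("backtracking") application of iptables rules.

Added example, not part of the original thread or of NCD/badvpn.
Every rule goes through a pluggable executor, so the behaviour can be
checked offline with FakeIptables; run_iptables is the real executor.
"""
import subprocess
from typing import Callable, List

Runner = Callable[[List[str]], None]


def run_iptables(argv: List[str]) -> None:
    """Real executor: invoke iptables and raise on a non-zero exit status."""
    subprocess.run(["iptables", *argv], check=True)


class RuleSet:
    """Apply rules in order; on exit (normal or exceptional) delete them in reverse."""

    def __init__(self, runner: Runner) -> None:
        self.runner = runner
        self._applied: List[List[str]] = []  # undo stack of "-D ..." commands

    def add(self, chain: str, *spec: str) -> None:
        args = ["-A", chain, *spec]
        self.runner(args)                    # may raise; __exit__ then unwinds what succeeded
        self._applied.append(["-D", chain, *spec])  # exact inverse of the -A above

    def __enter__(self) -> "RuleSet":
        return self

    def __exit__(self, exc_type, exc, tb) -> bool:
        errors = []
        while self._applied:
            undo = self._applied.pop()       # LIFO: last rule added is the first removed
            try:
                self.runner(undo)
            except Exception as e:           # keep unwinding even if one -D fails
                errors.append((undo, e))
        if errors and exc_type is None:
            raise RuntimeError(f"cleanup failed: {errors}")
        return False                         # never swallow the original exception


class FakeIptables:
    """Constructed stand-in for iptables: records argv, optionally fails on a pattern."""

    def __init__(self, fail_on: str = "") -> None:
        self.calls: List[List[str]] = []
        self.fail_on = fail_on

    def __call__(self, argv: List[str]) -> None:
        self.calls.append(list(argv))
        if self.fail_on and self.fail_on in " ".join(argv):
            raise RuntimeError("iptables failed: " + " ".join(argv))


def apply_dhcp_rules(runner: Runner, addr: str) -> None:
    """Rules that depend on a value only known at runtime (a DHCP-assigned address)."""
    with RuleSet(runner) as rs:
        rs.add("INPUT", "-d", addr, "-p", "tcp", "--dport", "22", "-j", "ACCEPT")
        rs.add("INPUT", "-d", addr, "-j", "DROP")
        # The rules stay in place while this block runs; leaving it removes them,
        # and a failure on the second add removes the first before re-raising.


if __name__ == "__main__":
    fake = FakeIptables()
    apply_dhcp_rules(fake, "192.0.2.10")    # constructed, documentation-range address
    for call in fake.calls:
        print("iptables", " ".join(call))
```

Swap `FakeIptables()` for `run_iptables` to drive the real binary; the unwinding logic is identical, which is the point: the cleanup is a property of the structure, not of each call site remembering to undo itself.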

~~~
mmastrac
This looks pretty cool. Does it run the script(s) in kernel space or user
space?

~~~
ambrop7
The interpreter is a userspace program. You can run it from a terminal if you
wish and use it as a general purpose scripting language (though it's not quite
that useful in that regard, yet).

Oh, and it also runs in the browser ;)
[http://badvpn.googlecode.com/svn/wiki/emncd.html](http://badvpn.googlecode.com/svn/wiki/emncd.html)

------
matt__rose
umm, iptables is a part of the kernel, and is exactly the same, regardless of
distribution. I've used a bunch of different distros and iptables is always
the same. What is this guy talking about??

~~~
jvehent
He's talking about wrappers. Wrappers are dist specific. Some people like to
use UFW and so on. It's their choice. But real men call iptables directly.

~~~
antocv
Agreed. The post title is wrong, it should read "Another iptables frontend,
this one aims at all distributions."

And yes, real men use iptables directly. I never understood the need for
wrappers; they just make it harder to debug and see what's really going on.

------
dsr_
Note that this requires a commitment to using cdist. cdist may be great, but
it's not much different from puppet or chef or bcfg2 or whatever your favorite
configuration management system is.

Since iptables comes from upstream (and is closely linked to the kernel),
distros running the same version of the kernel already have the same iptables
quirks. (There aren't many.) The article discusses distributing an iptables
config file and having it run on startup, a task which can be equally well
handled by the other config management systems.

------
covertgeek
Haven't tried it for myself -- but looking at the code, it appears that the
last rule needs to be changed to port 22 for SSH to work.

~~~
ck2
SSH should be immediately moved off port 22 in virtually any install.

The amount of toxic traffic hitting that port is scary.

~~~
pepve
It's indeed a large amount of traffic. But it's not scary. None of it will get
through if your SSH software is up to date, you have it configured properly,
and user accounts are managed sanely. The attacks to be scared of are those
that are actually targeted at you. And they will find the port SSH is running
on either way.

~~~
Shish2k
> None of it will get through if your SSH software is up to date, you have it
> configured properly, and user accounts are managed sanely.

So in the majority of cases, traffic will get through? :P
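The exchange above is about what to do with the noise on port 22. As an added example (not from any commenter in this thread), here is a small POSIX shell function that emits an iptables-restore ruleset keeping SSH on its usual port but throttling new connections per source address with the `recent` match, and logging what it drops, which is the usual answer to "toxic traffic" without moving the port. The function name and its three parameters are this example's own; the matches used (`conntrack`, `recent`, `limit`) are standard iptables extensions.

```shell
#!/bin/sh
# Added example, not from the thread: generate an iptables-restore ruleset that
# keeps SSH on $port, accepts at most $hits new connections per $window seconds
# from any one source address, and logs (rate-limited) what it drops.
# Assumes the conntrack, recent and limit match extensions are available.
ssh_ruleset() {
    port="${1:-22}"      # SSH port, default 22
    hits="${2:-4}"       # new connections allowed ...
    window="${3:-60}"    # ... per this many seconds, per source address
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_NEW - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j SSH_NEW
-A SSH_NEW -m recent --name SSH --set
-A SSH_NEW -m recent --name SSH --update --seconds $window --hitcount $hits -m limit --limit 3/min -j LOG --log-prefix "ssh-throttle: "
-A SSH_NEW -m recent --name SSH --update --seconds $window --hitcount $hits -j DROP
-A SSH_NEW -j ACCEPT
COMMIT
EOF
}

# Usage (as root, after reviewing the output):
#   ssh_ruleset 22 4 60 > /tmp/rules.v4 && iptables-restore < /tmp/rules.v4
```

The `--set` rule records every new connection attempt per source; the `--update` rules then match only sources that have exceeded `$hits` attempts inside `$window` seconds, so a legitimate admin reconnecting a couple of times is unaffected while a scanner hammering the port is dropped and logged at most three times a minute.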

------
miah_
This is interesting, but I'd rather prefer something like Ript (a Ruby DSL for
Iptables) than a very specific implementation along with its assumptions.

[https://github.com/bulletproofnetworks/ript](https://github.com/bulletproofnetworks/ript)

So long as you can write Ruby, this works in Chef, Puppet, or whatever.

------
hkarthik
Sounds like one of the reasons I was instructed to use Firehol by my system
admin.
[http://en.wikipedia.org/wiki/FireHOL](http://en.wikipedia.org/wiki/FireHOL)

~~~
IbJacked
Nice to run into someone else using firehol! I've been using it for years but
it doesn't seem to get much love.

------
jvehent
<plug> If you use Chef, check out AFW.
[https://github.com/jvehent/AFW](https://github.com/jvehent/AFW) </plug>

