I'm studying iptables at the moment, Hope I can help others in the feture :)
At 2011-06-28£¬"Ljubomir Ljubojevic" <office@plnet.rs> wrote:
>Christopher Chan wrote:
>> Er, you are not making much sense here. John posts that -v is needed to
>> not get the 'digested result' but the 'full result' and then you go off
>> on a branch about iptables-save. Oh, I still don't see what difference
>> there is between iptables -nv -L ${table} and iptables-save.
>> iptables-save sounds more like the 'nice presentation of used rules'
>> according to the man page.
>
>Then please tell some noob to just copy a rule from iptables -nv -L
>${table}. And good luck with that.
>
>[snip]
>> Strawman argument. Who needs to see the actual rules in
>> /etc/sysconfig/iptables for 'creating the firewall' when you are just
>> going to overwrite it with a working set by running 'service iptables
>> save'? Or rather, both iptables -nv -L and iptables-save will provide
>> you the actual rules but just presented differently.
>
>Exactly the point. One will show you *what* is being done, and other
>*how* it's being done. Not the same. Like it's not the same to use
>compiled program to explain where the error in source code is.
>
>>>
>>> I started wrestling with iptables rules in 2005 when I started working
>>> as networking admin and had to solve some very hard problems including
>>> policy routing, marking packets in right order, etc. Since then gained a
>>> lot of experience in helping others (on several forum sites) understand
>>> what they have and what they need to add/remove/change.
>>
>> What's this? Get off your high horse. I have worked with ipchains, gone
>> through the differences between netfilter and ipchains, messed with
>> ipset due to the potential thousands of rules needed to be loaded but
>> ultimately had to give up due to the instability of ipset, done iproute2
>> for multiple routing tables, done traffic shaping, done pf on OpenBSD,
>> done ipfw on Solaris and John R Pierce probably has more experience than
>> I do. You have arrived late to the party.
>
>Knowing to do something and finding the best path to extract info from
>noob person and explaining him what exactly to do are totally different
>things. But whatever, I do not have time and will to argue about
>irrelevant stuff with heap of work on my schedule.
>
>Ljubomir
>