On Thu, 2014-10-30 at 12:38 +0000, Marko Vojinovic wrote:
> Incidentally, since I started using Linux I have always found iptables to have a very user-unfriendly syntax. Whenever I needed to tweak the firewall, I had to look up the man page for iptables, in order to make sure I don't screw myself over between -A and -I, -N and -n, -P and -p, etc. It was a royal pain having to pay attention to the order of the rules in the table. It was stupid having to look up explicit port numbers for common services. Various GUIs and TUIs of the time only added a whole new level of obscurity.
> And no, I am not a novice user from Windowsland --- I've been Linux-only since RedHat 6.2 (Zoot), back in the previous millennium... ;-)
Hi Marko,
I started a few years earlier, about the time of CentOS 5.3.
The order of rules in any IPtables table is pure common sense and very logical. Essentially, the first rule is the first action. The second rule is the second action etc.
Generally, in simple terms, a rule can block, accept or permanently go to another table (go) or perform another table (jump).
-A = append at the end of a table
-I = insert into a table at a specified line number (default line 1)
-N = create new table
-Z = zeroise a table's count (and in later editions the count on an individual table entry)
-F = delete all a table's entries
-p = tcp/icmp/udp etc.
I created helpful routines and abbreviations:
ipt = iptables
.i  iptables -nvL $1 --line-numbers; echo '----> '$1;
sv = service, used in 'sv ipt save'
Linux is extremely customisable.
The firewall-cmd syntax appears to me to be dumbing-down and de-skilling. It hides the technical information behind the command, to the detriment of the technical user.
In IPtables
-A 4web -p tcp --dport 81 -j ACCEPT
In firewall-cmd
firewall-cmd --add-service=http
but that refers to port 80. Hence IPtables is a lot more flexible. The contrast is like playing a piano without gloves and then wearing boxing gloves - the precision has vanished.
An informed user derives more from his computer system than someone who uses the 'dumb-down' simplified pre-packaged alternative - especially when there is a problem.
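The rule-ordering and -A/-I behaviour described in the message (first matching rule decides, -A appends, -I inserts at a line number, -P supplies the verdict when nothing matches, -j can jump to a user chain such as 4web) can be shown without root or a kernel. The following is an added illustration, not code from this thread and not iptables itself: a small Python model of a filter chain with first-match semantics. The chain names, the catch-all DROP rule and the Rule/Chain/Firewall classes are constructed for the example.

```python
"""Toy model of iptables filter chains: first matching rule wins.
Constructed example; it imitates -A, -I, -N, -F, -P and -j ACCEPT/DROP/<chain>
semantics in pure Python and does not touch the real netfilter tables."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    proto: Optional[str]    # "tcp", "udp", "icmp" or None for any protocol (-p)
    dport: Optional[int]    # destination port or None for any port (--dport)
    target: str             # "ACCEPT", "DROP", or the name of a user chain (-j)


@dataclass
class Chain:
    name: str
    policy: Optional[str] = None            # -P; only built-in chains have one
    rules: list = field(default_factory=list)


class Firewall:
    def __init__(self):
        # Built-in INPUT chain with a default-deny policy (constructed choice).
        self.chains = {"INPUT": Chain("INPUT", policy="DROP")}

    def new_chain(self, name):                  # -N <chain>
        self.chains[name] = Chain(name)

    def append(self, chain, rule):              # -A <chain> ...
        self.chains[chain].rules.append(rule)

    def insert(self, chain, rule, line=1):      # -I <chain> [line] ... (1-based)
        self.chains[chain].rules.insert(line - 1, rule)

    def flush(self, chain):                     # -F <chain>
        self.chains[chain].rules.clear()

    def set_policy(self, chain, target):        # -P <chain> <target>
        self.chains[chain].policy = target

    def lookup(self, chain, proto, dport):
        """Walk the chain top to bottom; the first rule that matches decides.
        A user chain that matches nothing returns None, i.e. control goes
        back to the calling chain (the implicit RETURN at the end of a chain)."""
        c = self.chains[chain]
        for rule in c.rules:
            if rule.proto not in (None, proto):
                continue
            if rule.dport not in (None, dport):
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            verdict = self.lookup(rule.target, proto, dport)   # -j <user chain>
            if verdict is not None:
                return verdict
        return c.policy

    def listing(self, chain):
        """Rough analogue of 'iptables -nvL <chain> --line-numbers'."""
        return [(n, r.proto or "all", r.dport, r.target)
                for n, r in enumerate(self.chains[chain].rules, start=1)]


def demo():
    """Why the line a rule lands on matters: -A puts the jump to 4web after a
    catch-all DROP, so tcp/81 never reaches 4web; -I at line 1 fixes that."""
    fw = Firewall()
    fw.new_chain("4web")
    fw.append("4web", Rule("tcp", 81, "ACCEPT"))     # -A 4web -p tcp --dport 81 -j ACCEPT
    fw.append("INPUT", Rule("tcp", None, "DROP"))    # constructed catch-all tcp drop
    fw.append("INPUT", Rule(None, None, "4web"))     # -A INPUT -j 4web (line 2: too late)
    before = fw.lookup("INPUT", "tcp", 81)           # "DROP": line 1 wins
    fw.insert("INPUT", Rule(None, None, "4web"))     # -I INPUT -j 4web (now line 1)
    after = fw.lookup("INPUT", "tcp", 81)            # "ACCEPT" via 4web
    port80 = fw.lookup("INPUT", "tcp", 80)           # "DROP": 4web only opens 81
    return before, after, port80


if __name__ == "__main__":
    print(demo())
```

Running the block prints ('DROP', 'ACCEPT', 'DROP'): the same two rules give opposite results for port 81 depending on whether the jump is appended or inserted, and port 80 stays closed because the 4web chain opens only port 81 and then returns to INPUT, where the tcp DROP on the next line matches.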