Christopher Chan wrote:
On Tuesday, June 28, 2011 02:38 AM, Ljubomir Ljubojevic wrote:
John R Pierce wrote:
On 06/27/11 10:43 AM, Ljubomir Ljubojevic wrote:
note that doesn't show all the pertinent info. I prefer `iptables -L -vn`, and it still doesn't show the nat tables; you also need `iptables -L -vn -t nat` to see those chains, and `iptables -L -vn -t mangle` if you're using any mangle entries.
iptables-save is designed for iptables output.
sure, for saving to the startup scripts.... the commands I listed above were to display the tables with full info... Without the -v flag, -L only shows part of the important stuff.
iptables-save man:
DESCRIPTION: iptables-save is used to dump the contents of an IP Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file.
You seem to have a problem understanding what John is saying. When you add the v flag, iptables will also report in/out interfaces so that you don't have to guess when you are trying to fix up the rules on the spot and not by editing some file.
My point should have been that listing the digested result with "iptables -L..." is not what we needed from the OP. In order to help him solve his problem, he needed to output his *rules*, not a "nice presentation of used rules".
With iptables-save he/we could see the actual rules used for creating the Fedora and CentOS firewall, so he/we can use that output to suggest the exact rules he needs.
I started wrestling with iptables rules in 2005 when I started working as a networking admin and had to solve some very hard problems including policy routing, marking packets in the right order, etc. Since then I have gained a lot of experience in helping others (on several forum sites) understand what they have and what they need to add/remove/change.
With iptables-save you get reusable output and all you need to do is to say "use this, this, and that rule, change that one and remove that one, and it should work", so there is no chance of making an error in converting (retyping) iptables -L to actual rules already provided with iptables-save.
Ljubomir
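As an added example (not part of the thread, and not output from any poster's host), the script below shows what the thread means by "easily parseable" and "reusable": it reads a constructed iptables-save dump, splits it by table (`*nat`, `*filter`) and turns each `-A` line back into the exact `iptables -t <table> ...` command that recreates it. The dump, the interface names and the rules are all made up for illustration; `iptables -L -vn` output could not be converted back this way because it drops the table names and rule syntax.

```shell
#!/bin/sh
# Constructed iptables-save dump (sample data, not from a real host).
SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print the name of every table present in the dump (lines starting with "*").
list_tables() {
  printf '%s\n' "$SAMPLE_DUMP" | awk '/^\*/ { print substr($0, 2) }'
}

# Print only the -A rule lines that belong to the table given as $1.
# A "*table" line opens a table, COMMIT closes it; chain policies (":") are skipped.
rules_in_table() {
  printf '%s\n' "$SAMPLE_DUMP" | awk -v t="$1" '
    /^\*/     { cur = substr($0, 2); next }
    /^COMMIT/ { cur = ""; next }
    cur == t && /^-A / { print }
  '
}

# Rebuild every rule as the exact iptables command that would recreate it,
# including the table it belongs to, which "iptables -L" output never shows.
rules_as_commands() {
  printf '%s\n' "$SAMPLE_DUMP" | awk '
    /^\*/     { cur = substr($0, 2); next }
    /^COMMIT/ { cur = ""; next }
    /^-A /    { print "iptables -t " cur " " $0 }
  '
}

# Stand-alone usage: show the tables, the nat rules, and the reconstructed commands.
list_tables
rules_in_table nat
rules_as_commands
```

The reconstructed commands are what a helper on a list can hand back verbatim ("change this one, drop that one"), which is the retyping error the thread warns about when someone works from `-L` output instead.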