On Tuesday, June 28, 2011 04:05 PM, Ljubomir Ljubojevic wrote:
> Christopher Chan wrote:
>> On Tuesday, June 28, 2011 02:38 AM, Ljubomir Ljubojevic wrote:
>>> John R Pierce wrote:
>>>> On 06/27/11 10:43 AM, Ljubomir Ljubojevic wrote:
>>>>>> note that doesn't show all the pertinent info. I prefer `iptable -L
>>>>>> -vn`, and it still doesn't show the nat tables, you also need
>>>>>> `iptable -L -vn -t nat` to see those chains, and `iptable -L -vn -t
>>>>>> mangle` if you're using any mangle entries.
>>>>>
>>>>> iptables-save is designed for iptables output.
>>>>
>>>> sure, for saving to the startup scripts.... the commands I listed
>>>> above were to display the tables with full info... Without the -v
>>>> flag, -L only shows part of the important stuff.
>>>>
>>> iptables-save man:
>>>
>>> DESCRIPTION:
>>> iptables-save is used to dump the contents of an IP Table in easily
>>> parseable format to STDOUT. Use I/O-redirection provided by your shell
>>> to write to a file.
>>>
>>
>> You seem to have a problem understanding what John is saying. When you
>> add the v flag, iptables will also report in/out interfaces so that
>> you don't have to guess when you are trying to fix up the rules on the
>> spot and not by editing some file.
>>
>
> My point should have been that listing the digested result with "iptables
> -L..." is not what we needed from the OP. In order to help him solve his
> problem, he needed to output his *rules*, not a "nice presentation of
> used rules".

Er, you are not making much sense here. John posts that -v is needed to
not get the 'digested result' but the 'full result' and then you go off
on a branch about iptables-save.

Oh, I still don't see what difference there is between
iptables -nv -L ${table} and iptables-save. iptables-save sounds more
like the 'nice presentation of used rules' according to the man page.

>
> With iptables-save he/we could see the actual rules used for creating the Fedora
> and CentOS firewall, so he/we can use that output to suggest the exact rules
> he needs.

Strawman argument. Who needs to see the actual rules in
/etc/sysconfig/iptables for 'creating the firewall' when you are just
going to overwrite it with a working set by running 'service iptables
save'? Or rather, both iptables -nv -L and iptables-save will provide
you the actual rules but just presented differently.

>
> I started wrestling with iptables rules in 2005 when I started working
> as a networking admin and had to solve some very hard problems including
> policy routing, marking packets in the right order, etc. Since then I have gained a
> lot of experience in helping others (on several forum sites) understand
> what they have and what they need to add/remove/change.

What's this? Get off your high horse. I have worked with ipchains, gone
through the differences between netfilter and ipchains, messed with
ipset due to the potential thousands of rules needed to be loaded but
ultimately had to give up due to the instability of ipset, done iproute2
for multiple routing tables, done traffic shaping, done pf on OpenBSD,
done ipfw on Solaris, and John R Pierce probably has more experience than
I do. You have arrived late to the party.

>
> With iptables-save you get reusable output and all you need to do is to
> say "use this, this, and that rule, change that one and remove that
> one, and it should work", so there is no chance of making an error in
> converting (retyping) iptables -L to actual rules already provided with
> iptables-save.

Hahaha, the OP still managed to mistype the instructions he was given; I
somehow doubt that fixing up iptables-save output for him will make any
difference.
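The thread turns on what each listing form actually carries: `iptables -L` without `-v` drops the in/out interface columns, `-L` shows one table at a time (so nat and mangle need a separate `-t` call each), while an `iptables-save` dump contains every table, every chain policy and the exact rule syntax in one parseable stream. The following is an added example, not code from the thread or from any of its posters, showing how a reviewer can digest a dump someone sends in: it parses the `*table` / `:CHAIN POLICY` / `-A` / `COMMIT` layout documented for iptables-save and pulls out the fields that a plain `-L` listing would hide. The dump itself is a constructed CentOS-style sample, not taken from the thread.

```python
"""Summarise an iptables-save dump: tables, chain policies, and the
interface-dependent rules that `iptables -L` (without -v) would not show."""
from collections import OrderedDict

# Constructed sample dump in iptables-save format (not from the thread).
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Rule options we extract; each takes exactly one argument in the dump.
RULE_OPTS = {
    "-i": "in_iface", "-o": "out_iface", "-p": "proto", "-j": "target",
    "-s": "src", "-d": "dst", "--dport": "dport", "--sport": "sport",
}


def parse_rule(line, table):
    """Turn one '-A CHAIN ...' line into a dict of the fields we care about."""
    tokens = line.split()
    rule = {"table": table, "chain": tokens[1], "raw": line}
    for key in RULE_OPTS.values():
        rule[key] = None
    for i in range(2, len(tokens) - 1):
        key = RULE_OPTS.get(tokens[i])
        if key is not None:
            rule[key] = tokens[i + 1]
    return rule


def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [rule, ...]}}.

    Follows the iptables-save layout: '*table' opens a table, ':CHAIN POLICY'
    declares a chain ('-' for user-defined chains), '-A' appends a rule and
    'COMMIT' closes the table. Comment lines and blank lines are skipped.
    """
    tables = OrderedDict()
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = line[1:]
            tables[current] = {"policies": OrderedDict(), "rules": []}
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            tables[current]["policies"][chain] = policy
        elif line.startswith("-A "):
            tables[current]["rules"].append(parse_rule(line, current))
        elif line == "COMMIT":
            current = None
    return tables


def interface_dependent_rules(tables):
    """Rules carrying -i/-o: exactly the context a non-verbose -L listing hides."""
    return [r for t in tables.values() for r in t["rules"]
            if r["in_iface"] or r["out_iface"]]


def chain_summary(tables, table, chain):
    """(policy, number of rules) for one chain, so a reviewer sees the default action."""
    policy = tables[table]["policies"].get(chain)
    count = sum(1 for r in tables[table]["rules"] if r["chain"] == chain)
    return policy, count


if __name__ == "__main__":
    parsed = parse_iptables_save(SAMPLE_DUMP)
    for table in parsed:
        for chain in parsed[table]["policies"]:
            print(table, chain, chain_summary(parsed, table, chain))
    for rule in interface_dependent_rules(parsed):
        print("iface-dependent:", rule["table"], rule["raw"])
```

Running it over a dump a user pastes into a mail gives, per table, each chain's default policy and rule count, followed by every rule whose behaviour depends on an interface; that is the part of the picture that `iptables -L` without `-v` silently drops and that a reviewer needs before suggesting a rule change.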