[CentOS] iptables port forwarding

Tue Jun 28 09:22:38 UTC 2011
Ljubomir Ljubojevic <office at plnet.rs>

Christopher Chan wrote:
> Er, you are not making much sense here. John posts that -v is needed to 
> not get the 'digested result' but the 'full result' and then you go off 
> on a branch about iptables-save. Oh, I still don't see what difference 
> there is between iptables -nv -L ${table} and iptables-save. 
> iptables-save sounds more like the 'nice presentation of used rules' 
> according to the man page.

Then please tell some noob to just copy a rule from iptables -nv -L 
${table}. And good luck with that.

[snip]
> Strawman argument. Who needs to see the actual rules in 
> /etc/sysconfig/iptables for 'creating the firewall' when you are just 
> going to overwrite it with a working set by running 'service iptables 
> save'? Or rather, both iptables -nv -L and iptables-save will provide 
> you the actual rules but just presented differently.

Exactly the point. One will show you *what* is being done, and the other 
*how* it's being done. Not the same. Like it's not the same to use a 
compiled program to explain where the error in the source code is.

>>
>> I started wrestling with iptables rules in 2005 when I started working
>> as a networking admin and had to solve some very hard problems including
>> policy routing, marking packets in the right order, etc. Since then I have
>> gained a lot of experience in helping others (on several forum sites)
>> understand what they have and what they need to add/remove/change.
> 
> What's this? Get off your high horse. I have worked with ipchains, gone 
> through the differences between netfilter and ipchains, messed with 
> ipset due to the potential thousands of rules needed to be loaded but 
> ultimately had to give up due to the instability of ipset, done iproute2 
> for multiple routing tables, done traffic shaping, done pf on OpenBSD, 
> done ipfw on Solaris and John R Pierce probably has more experience than 
> I do. You have arrived late to the party.

Knowing how to do something and finding the best path to extract info from 
a noob and explaining to him what exactly to do are totally different 
things. But whatever, I do not have the time or will to argue about 
irrelevant stuff with a heap of work on my schedule.

Ljubomir
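The practical difference the thread is arguing about is that `iptables-save` output is in a form that can be replayed verbatim, whereas `iptables -nv -L` output is a report. The script below is an added example, not code from the original poster or from the CentOS project: it takes a constructed sample of `iptables-save` output for a DNAT port-forwarding setup (the addresses, interface and ports are made up) and turns each rule line into the equivalent `iptables -t <table> ...` command, which is exactly the "copy a rule" task the poster says cannot be done from `-L` output. The `save_to_commands` and `dnat_rules` function names are the example's own.

```sh
#!/bin/sh
# Constructed sample of `iptables-save` output for a port-forwarding
# (DNAT) setup. Addresses, interface and ports are invented for the
# example; this is not output from the original poster's machine.
SAMPLE_SAVE='# Generated by iptables-save v1.4.7 (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 192.168.1.10/32 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# save_to_commands: read iptables-save text on stdin and emit one
# `iptables -t <table> <rule>` command per -A/-I line, so a rule can be
# reviewed, quoted in a reply, or replayed one at a time without
# iptables-restore. Chain lines starting with ':' carry the chain policy:
# built-in chains get `-P <chain> <policy>`; user-defined chains (policy
# shown as '-') get `-N <chain>`. Counters in [..] are dropped.
save_to_commands() {
    table=filter
    while IFS= read -r line; do
        case "$line" in
            '#'*|'') ;;                      # comments and blank lines
            '*'*) table=${line#\*} ;;        # "*nat" selects the table
            COMMIT) ;;                       # end of a table block
            ':'*)
                rest=${line#:}
                chain=${rest%% *}
                policy=${rest#* }
                policy=${policy%% *}
                if [ "$policy" = "-" ]; then
                    printf 'iptables -t %s -N %s\n' "$table" "$chain"
                else
                    printf 'iptables -t %s -P %s %s\n' "$table" "$chain" "$policy"
                fi
                ;;
            -A*|-I*) printf 'iptables -t %s %s\n' "$table" "$line" ;;
            *) printf '# unrecognised line: %s\n' "$line" >&2 ;;
        esac
    done
}

# dnat_rules: keep only the port-forwarding (DNAT) commands, which is the
# first thing someone auditing which ports a box forwards wants to see.
dnat_rules() {
    save_to_commands | grep -- '-j DNAT'
}

# Stand-alone run: print the full command list for the sample.
printf '%s\n' "$SAMPLE_SAVE" | save_to_commands
```

Feed it real output with `iptables-save | sh this_script.sh`-style piping into `save_to_commands`, or `| dnat_rules` to list just the forwarded ports. Note that the generated commands append (`-A`) and will duplicate rules if run against a ruleset that already contains them; they are meant for review and for transplanting individual rules, not as a replacement for `service iptables save` and `iptables-restore`.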