Join Log in
Score:0
acgbox avatar Server

How to abbreviate iptables rules?

ng flag
acgbox

I have these example rules from iptables and I want to economize them

lan=enp2s0
iptables -A INPUT -i $lan -p tcp --dport 1234 -j NFLOG --nflog-prefix 'foo'
iptables -A INPUT -i $lan -p tcp --dport 1234 -j ACCEPT
iptables -A FORWARD -i $lan -p tcp --dport 1234 -j NFLOG --nflog-prefix 'foo'
iptables -A FORWARD -i $lan -p tcp --dport 1234 -j ACCEPT
iptables -t mangle -A PREROUTING -i $lan -p tcp --dport 1234 -j NFLOG --nflog-prefix 'foo'
iptables -t mangle -A PREROUTING -i $lan -p tcp --dport 1234 -j ACCEPT

I tried with a custom rule but it doesn't work for me. It says that the chain MYCHAIN already exists

iptables -N MYCHAIN
iptables -A INPUT -i $lan -p tcp --dport 1234 -j MYCHAIN
iptables -A FORWARD -i $lan -p tcp --dport 1234 -j MYCHAIN
iptables -t mangle -A PREROUTING -i $lan -p tcp --dport 1234 -j MYCHAIN
iptables -A MYCHAIN -j NFLOG --nflog-prefix 'foo'
iptables -A MYCHAIN -j ACCEPT

How to abbreviate iptables rules? (to economize lines)

74
0 + 9
Francisco avatar
ca flag
Francisco
Why you allow packets from your LAN to proxy services in your host (INPUT rule definition), and at same time you try to allow access to 3128 port in any other destination address from LAN (forward rule definition)!?
0
Reply
Francisco avatar
ca flag
Francisco
One other thing, is ip_forwarding enabled on your OS?
0
Reply
A.B avatar
cl flag
A.B
a chain's namespace is its table. so MYCHAIN has to be defined twice. nftables (where the table concept differs a bit) allows to put all chains in the same table thus reusing the same chain (and has also other methods to simplify rules, like being able to merge the two iptables rules in a single rule without additional chain, among other ways). Also you state "MYCHAIN already exists" while the expected error is "Chain 'MYCHAIN' does not exist" for the 4th line.
0
Reply
acgbox avatar
ng flag
acgbox
@Francisco Thanks for participating. The object of the question is not what the rules do. They are sample rules. It may be other rules. The object of the question is how to economize rules
0
Reply
acgbox avatar
ng flag
acgbox
@A.B you could post your full answer with the proposed correction. Thank you
0
Reply
A.B avatar
cl flag
A.B
So you're fine with nftables instead of iptables? Ok I'll do an answer with this (in a few hours when I get time for this).
0
Reply
acgbox avatar
ng flag
acgbox
@A.B The question is about iptables. I would prefer an answer with iptables. I'm not familiar with nftables. Thanks anyway
0
Reply
A.B avatar
cl flag
A.B
Ok. I don't have any answer then.
0
Reply
Ginnungagap avatar
gu flag
Ginnungagap
Trying to optimize iptables is pointless, on most modern distros it gets converted to nftables anyway. Just switch to nftables. @A.B, in the spirit of the site, I'd suggest posting an nftables answer anyway since it would be the better answer given the constraints of the question which has no justification for using deprecated solutions.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.