bftables and scripts question

bftables and scripts question

[ToddAndMargo]

Hi All,

I am currently using iptables but and starting the process
of learning nftables.

Question.  My iptables are in a bash programs (scripts).

For instance:

if [ "$enable_rdp" = "yes" ]; then
    # Warning: this user is given access to SYN's
    # rdp is M$ Terminal Services
    <lots of iptables>
    logger -p user.notice -t firewall "Firewall external rules warning: 
$ts_server (Terminal Server) accepts SYN's on Port $rdp_port"
fi

Will nftables work the same way?

And, will the converters also roll over the bash code?

Many thanks,
-T



-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Computers are like air conditioners.
They malfunction when you open windows
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Re: bftables and scripts question

[Reindl Harald]

Am 24.12.22 um 03:30 schrieb ToddAndMargo:
> I am currently using iptables but and starting the process
> of learning nftables.
> 
> Question.  My iptables are in a bash programs (scripts).
> 
> For instance:
> 
> if [ "$enable_rdp" = "yes" ]; then
>     # Warning: this user is given access to SYN's
>     # rdp is M$ Terminal Services
>     <lots of iptables>
>     logger -p user.notice -t firewall "Firewall external rules warning: 
> $ts_server (Terminal Server) accepts SYN's on Port $rdp_port"
> fi
> 
> Will nftables work the same way?

not a single line above is iptables specific at all

> And, will the converters also roll over the bash code?

no - "iptables-restore-translate" or whatever can by definition have no 
clue about whatever bash script - it faces the iptables ruleset no 
matter how it was created

either use iptables-nft or start from scratch with your bash script and 
expect a lot of new learning

--------------------------------------

the kernel only knows about the active ruleset as your "iptables-save" 
file don't contain anything else

iptables-nft -t filter --list --numeric --line-numbers --verbose

iptables-nft -t mangle --list --numeric --line-numbers --verbose

iptables-nft -t raw --list --numeric --line-numbers --verbose

Re: bftables and scripts question

[ToddAndMargo]

On 12/23/22 19:40, Reindl Harald wrote:
> not a single line above is iptables specific at all

 >>  <lots of iptables>

I removed them as they were not part of the question.
There were about eight of them.

Re: bftables and scripts question

[Reindl Harald]

Am 24.12.22 um 05:35 schrieb ToddAndMargo:
> On 12/23/22 19:40, Reindl Harald wrote:
>> not a single line above is iptables specific at all
> 
>  >>  <lots of iptables>
> 
> I removed them as they were not part of the question.
> There were about eight of them

and everything you left has nothing to do with iptables or nftables - 
come on: how you you imagine a converter would rewrite your odd bash 
scripts?

you wrote your bash script for iptables
you write yours for nftables

and with some luck it ends with way less redundant rules as your current 
ruleset which is simply unmaintainable and unauditable