
I have these example rules from iptables and I want to economize them

lan=enp2s0
# filter table: log (NFLOG) and then accept LAN traffic to tcp/1234, once for INPUT and once for FORWARD
iptables -A INPUT -i $lan -p tcp --dport 1234 -j NFLOG --nflog-prefix 'foo'
iptables -A INPUT -i $lan -p tcp --dport 1234 -j ACCEPT
iptables -A FORWARD -i $lan -p tcp --dport 1234 -j NFLOG --nflog-prefix 'foo'
iptables -A FORWARD -i $lan -p tcp --dport 1234 -j ACCEPT
# mangle table: the same log/accept pair again in PREROUTING
iptables -t mangle -A PREROUTING -i $lan -p tcp --dport 1234 -j NFLOG --nflog-prefix 'foo'
iptables -t mangle -A PREROUTING -i $lan -p tcp --dport 1234 -j ACCEPT

I tried with a custom chain but it doesn't work for me. It says that the chain MYCHAIN already exists.

iptables -N MYCHAIN    # creates MYCHAIN in the filter table only (no -t given)
iptables -A INPUT -i $lan -p tcp --dport 1234 -j MYCHAIN
iptables -A FORWARD -i $lan -p tcp --dport 1234 -j MYCHAIN
iptables -t mangle -A PREROUTING -i $lan -p tcp --dport 1234 -j MYCHAIN    # the mangle table has no MYCHAIN, so this line fails
iptables -A MYCHAIN -j NFLOG --nflog-prefix 'foo'    # these two land in the filter table's MYCHAIN
iptables -A MYCHAIN -j ACCEPT

How to abbreviate iptables rules? (to economize lines)

acgbox
  • Why do you allow packets from your LAN to proxy services on your host (INPUT rule definition), and at the same time try to allow access to port 3128 on any other destination address from the LAN (FORWARD rule definition)!? – Francisco Apr 05 '23 at 00:58
  • One other thing, is ip_forwarding enabled on your OS? – Francisco Apr 05 '23 at 01:53
  • A chain's namespace is its table, so MYCHAIN has to be defined twice. nftables (where the table concept differs a bit) allows putting all chains in the same table, thus reusing the same chain (and it also has other methods to simplify rules, like being able to merge the two iptables rules into a single rule without an additional chain, among other ways). Also, you state "MYCHAIN already exists" while the expected error is "Chain 'MYCHAIN' does not exist" for the 4th line. – A.B Apr 05 '23 at 06:19
  • @Francisco Thanks for participating. The object of the question is not what the rules do. They are sample rules; they could be other rules. The object of the question is how to economize rules. – acgbox Apr 05 '23 at 13:00
  • @A.B you could post your full answer with the proposed correction. Thank you – acgbox Apr 05 '23 at 13:03
  • So you're fine with nftables instead of iptables? Ok I'll do an answer with this (in a few hours when I get time for this). – A.B Apr 05 '23 at 13:23
  • @A.B The question is about iptables. I would prefer an answer with iptables. I'm not familiar with nftables. Thanks anyway – acgbox Apr 05 '23 at 14:07
  • Ok. I don't have any answer then. – A.B Apr 05 '23 at 15:50
  • Trying to optimize iptables is pointless, on most modern distros it gets converted to nftables anyway. Just switch to nftables. @A.B, in the spirit of the site, I'd suggest posting an nftables answer anyway since it would be the better answer given the constraints of the question which has no justification for using deprecated solutions. – Ginnungagap Apr 06 '23 at 21:28

0 Answers
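The point raised in the comments (a chain name is only unique within its table, so the filter and mangle tables each need their own MYCHAIN) can be turned into a working iptables-only ruleset. The script below is an added example, not code from the question or from any answer: it generates one iptables-restore ruleset that declares MYCHAIN in every table that jumps to it, so the six original rules collapse to one jump per built-in chain plus one shared log/accept pair per table. The interface, port and NFLOG prefix are the ones from the question; the function names `mychain_rules`, `ruleset` and `chain_declarations` are example names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post). Builds an iptables-restore
# ruleset in which MYCHAIN is declared once per table that uses it: a chain
# name is scoped to its table, so filter and mangle each need their own copy.
# Assumptions: interface, port and NFLOG prefix as in the question; the
# function names below are example names.

lan=enp2s0
port=1234
prefix=foo

# Emit the rules for one table in iptables-restore format.
# $1 = table name; remaining arguments = built-in chains of that table whose
# matching traffic should jump to MYCHAIN.
mychain_rules() {
    table=$1
    shift
    printf '%s\n' "*$table"
    printf '%s\n' ':MYCHAIN - [0:0]'      # declare the user chain in THIS table
    for chain in "$@"; do
        printf '%s\n' "-A $chain -i $lan -p tcp --dport $port -j MYCHAIN"
    done
    # the shared log-then-accept pair, written once per table
    printf '%s\n' "-A MYCHAIN -j NFLOG --nflog-prefix \"$prefix\""
    printf '%s\n' '-A MYCHAIN -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# Whole ruleset: filter hooks INPUT and FORWARD, mangle hooks PREROUTING.
ruleset() {
    mychain_rules filter INPUT FORWARD
    mychain_rules mangle PREROUTING
}

# Sanity check before loading: MYCHAIN must be declared in every table that
# jumps to it. The failed attempt in the question declared it only once.
chain_declarations() {
    ruleset | grep -c '^:MYCHAIN '
}

# Print the ruleset; pipe it into iptables-restore to load it.
ruleset
```

Dry-run it first with `sh mychain.sh | iptables-restore --noflush --test` (parse and build the ruleset without committing), then drop `--test` to load it; `--noflush` leaves the rules already present in those tables alone, and because the rules use `-A`, running the script twice appends duplicates, so load it once. Note that the partial attempt from the question already left a populated MYCHAIN and two jumps in the filter table; remove those (or load only the `*mangle` section) before applying this. Afterwards `iptables -S MYCHAIN` and `iptables -t mangle -S MYCHAIN` should each list the NFLOG and ACCEPT rules, confirming the chain exists independently in both tables.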