© 2025 科技回声. All rights reserved.

Finally iptables works the same on every Linux distro

38 points by telmich over 11 years ago

7 comments

ambrop7 over 11 years ago
For complex setups you sooner or later have to dynamically add/remove rules, based on values only known at runtime (such as an IP address obtained by DHCP). Then, a simple list of rules doesn't suffice, and some kind of programming is needed.

To solve such problems elegantly I designed my "NCD programming language" (link: https://code.google.com/p/badvpn/wiki/NCD ). The language has built-in backtracking, so in the case of iptables, the language itself makes sure any iptables rule that was added is also removed when that is necessary, in a manner not unlike exception handling in C++ etc. Link to iptables module: https://code.google.com/p/badvpn/source/browse/trunk/ncd/modules/net_iptables.c
Reply #6316840 not loaded
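The add-then-guaranteed-remove pattern ambrop7 describes, as an added example in plain POSIX shell (not NCD's code or the article's): rules that depend on a runtime value are pushed on a stack as they are added and unwound newest-first if a later rule fails or the script exits. The IP address, the three rules and the IPT override are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example, not NCD's code: iptables rules are pushed on a stack as
# they are added and unwound newest-first if a later rule fails or the
# script exits, so rules that depend on runtime values never leak.
# IPT defaults to the real binary; point it at a stub function to dry-run.
IPT="${IPT:-iptables}"
RULE_STACK=""   # newline-separated entries: "<table> <chain> <rulespec...>"

# add_rule TABLE CHAIN RULESPEC...: append the rule and remember it.
add_rule() {
    _t="$1"; _c="$2"; shift 2
    "$IPT" -t "$_t" -A "$_c" "$@" || return 1
    RULE_STACK="$_t $_c $*
$RULE_STACK"   # newest entry first, so unwinding deletes in reverse order
}

# rollback: delete every remembered rule, newest first, then clear the stack.
rollback() {
    _saved="$RULE_STACK"; RULE_STACK=""
    printf '%s\n' "$_saved" | while IFS= read -r _entry; do
        [ -n "$_entry" ] || continue
        set -- $_entry          # intentional word splitting of the saved spec
        _t="$1"; _c="$2"; shift 2
        "$IPT" -t "$_t" -D "$_c" "$@" || true
    done
}

# apply_runtime_rules IP: install rules that depend on an address only known
# at runtime (constructed sample: a DHCP lease). Any failure unwinds all rules
# added so far and returns 1; success commits them and cancels the exit trap.
apply_runtime_rules() {
    _ip="$1"
    trap 'rollback' EXIT
    add_rule filter INPUT -s "$_ip" -p tcp --dport 22 -j ACCEPT &&
        add_rule nat POSTROUTING -s "$_ip" -j MASQUERADE &&
        add_rule filter FORWARD -s "$_ip" -j ACCEPT ||
        { rollback; trap - EXIT; return 1; }
    trap - EXIT
    return 0
}
```

Running it for real requires root and the real iptables binary; with `IPT` pointed at a logging stub you can check the add/delete sequence first.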
matt__rose over 11 years ago
umm, iptables is a part of the kernel, and is exactly the same, regardless of distribution. I've used a bunch of different distros and iptables is always the same. What is this guy talking about??
Reply #6316687 not loaded
dsr_ over 11 years ago
Note that this requires a commitment to using cdist. cdist may be great, but it's not much different from puppet or chef or bcfg2 or whatever your favorite configuration management system is.

Since iptables comes from upstream (and is closely linked to the kernel), distros running the same version of the kernel already have the same iptables quirks. (There aren't many.) The article discusses distributing an iptables config file and having it run on startup, a task which can be equally well handled by the other config management systems.
covertgeek over 11 years ago
Haven't tried it for myself -- but looking at the code, it appears that the last rule needs to be changed to port 22 for SSH to work.
Reply #6316432 not loaded
miah_ over 11 years ago
This is interesting, but I'd rather prefer something like Ript (a Ruby DSL for Iptables) than a very specific implementation along with its assumptions.

https://github.com/bulletproofnetworks/ript

So long as you can write Ruby, this works in Chef, Puppet, or whatever.
hkarthik over 11 years ago
Sounds like one of the reasons I was instructed to use Firehol by my system admin. http://en.wikipedia.org/wiki/FireHOL
Reply #6316995 not loaded
jvehent over 11 years ago
<plug> If you use Chef, check out AFW. https://github.com/jvehent/AFW </plug>