On 05/24/2011 08:29 PM, gapsf@xxxxxxxxx wrote:
> For example, when (re)loading the same set of rules?
When using iptables-restore or a similar method, the new table is loaded atomically. As long as the new ruleset permits the traffic, there should be no dropped connections (or connection states). The kernel keeps connection state information independently of firewall rules.
The best way to explicitly guarantee that all your connections stay up if you plan on loading a different ruleset is to make sure there's a rule near the top of each of your INPUT/OUTPUT/FORWARD chains that accepts established/related connections:
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

--
Erik Schorr KD6AUT
Advocate and Consultant VMware/Iptables/Exim/Perl
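The reply above describes two things: loading the whole table atomically with iptables-restore, and keeping an ESTABLISHED,RELATED accept ahead of anything that drops. The script below is an added example, not code from the thread or from Erik Schorr. It writes a small ruleset in iptables-save format (the sample policy of loopback, established/related and SSH is an assumption for illustration), checks that the established/related accept precedes any DROP/REJECT in each chain, validates the file with `iptables-restore --test`, and only then commits it. It uses `-m conntrack --ctstate`, the current spelling of the `-m state --state` match in the reply.

```shell
#!/bin/sh
# Added example (not from the original thread). Builds a ruleset file and
# loads it atomically with iptables-restore so that no packet is ever
# evaluated against a half-loaded table, and no existing connection is
# cut because the established/related accept was temporarily missing.
set -eu

# Emit the ruleset in iptables-save format. The policy is a constructed
# sample: allow loopback, established/related and new SSH; drop the rest.
gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Return 0 if, in each of INPUT/OUTPUT/FORWARD, an ESTABLISHED,RELATED
# accept exists and appears before the first DROP/REJECT rule; 1 otherwise.
# A ruleset that fails this can drop live connections the moment it loads.
check_established_first() {
    ruleset="$1"
    for chain in INPUT OUTPUT FORWARD; do
        est=$(printf '%s\n' "$ruleset" \
            | grep -n -- "^-A $chain .*ESTABLISHED,RELATED -j ACCEPT" \
            | head -n1 | cut -d: -f1)
        [ -n "$est" ] || return 1
        drop=$(printf '%s\n' "$ruleset" \
            | grep -n -E -- "^-A $chain .*-j (DROP|REJECT)" \
            | head -n1 | cut -d: -f1)
        if [ -n "$drop" ] && [ "$drop" -lt "$est" ]; then
            return 1
        fi
    done
    return 0
}

# Validate, then swap the whole table in a single commit (needs root).
load_ruleset() {
    ruleset=$(gen_ruleset)
    check_established_first "$ruleset" \
        || { echo "established/related accept is not ahead of drops" >&2; return 1; }
    # --test parses and checks the file without touching the kernel
    printf '%s\n' "$ruleset" | iptables-restore --test
    printf '%s\n' "$ruleset" | iptables-restore
}
```

Run `load_ruleset` as root to apply the sample policy; the ordering check is the part worth keeping in any reload script, since a ruleset that passes `--test` can still be one that drops established traffic.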