Re: Reload IPtables

On 26.06.21 at 01:47, slow_speed@xxxxxxx wrote:
Yes, that was exactly my initial question.  I couldn't agree more.

The issue was knowing the correct command to use to force the reload. I remain unclear on that, whether my files are in /etc/iptables.up.rules or /etc/iptables/rules.v4.

god or your distribution knows

* mine are generated by a script
* that script writes to /etc/sysconfig/iptables
* my homegrown "network-up.service" loads them at boot

no need for any shiny network-config files and whatnot, just pure "iptables" and "ip" commands in a "oneshot" systemd unit with a dozen ExecStart (the same as a shell script but with better debugging)

burn everything from the distribution with fire


[root@srv-rhsoft:~]$ cat /etc/systemd/system/network-up.service
##############################################################
#  Device-Naming: /etc/udev/rules.d/70-persistent-net.rules  #
##############################################################

[Unit]
DefaultDependencies=no
RefuseManualStop=yes
Description=Network
PartOf=basic.target
PartOf=network-online.target
Before=crond.service timers.target vnstat.service

After=sys-subsystem-net-devices-wan.device
Wants=sys-subsystem-net-devices-wan.device

After=sys-subsystem-net-devices-lan\x2dguest.device
Wants=sys-subsystem-net-devices-lan\x2dguest.device
After=sys-subsystem-net-devices-lan\x2dspare1.device
Wants=sys-subsystem-net-devices-lan\x2dspare1.device
After=sys-subsystem-net-devices-lan\x2dspare2.device
Wants=sys-subsystem-net-devices-lan\x2dspare2.device
After=sys-subsystem-net-devices-lan\x2dtv.device
Wants=sys-subsystem-net-devices-lan\x2dtv.device
After=sys-subsystem-net-devices-poe\x2dphone.device
Wants=sys-subsystem-net-devices-poe\x2dphone.device
After=sys-subsystem-net-devices-poe\x2dspare.device
Wants=sys-subsystem-net-devices-poe\x2dspare.device

[Service]
Type=oneshot
RemainAfterExit=yes
SuccessExitStatus=80
TimeoutStartSec=60

ExecStart=/usr/sbin/ipset -file /etc/sysconfig/ipset restore
ExecStart=/usr/sbin/iptables-nft-restore /etc/sysconfig/iptables

ExecStart=-/usr/sbin/ip link add name br-wan type bridge
ExecStart=-/usr/sbin/ip link set dev wan master br-wan multicast off allmulticast off up
ExecStart=-/usr/sbin/ip link set dev vmnet1 master br-wan multicast off allmulticast off up
ExecStart=-/usr/sbin/ip addr flush vmnet1

ExecStart=-/usr/bin/systemctl start vpn.service

ExecStart=-/usr/sbin/ip link add name br-lan type bridge
ExecStart=-/usr/sbin/ip link set dev br-lan up
ExecStart=-/usr/sbin/ip a add 192.168.2.2/255.255.255.0 broadcast 192.168.2.255 dev br-lan
ExecStart=-/usr/sbin/ip link set dev lan-spare1 master br-lan up
ExecStart=-/usr/sbin/ip link set dev lan-spare2 master br-lan up
ExecStart=-/usr/sbin/ip link set dev lan-tv master br-lan up
ExecStart=-/usr/sbin/ip link set dev poe-spare master br-lan up
ExecStart=-/usr/sbin/ip link set dev poe-phone master br-lan multicast off allmulticast off up

ExecStart=-/usr/sbin/ip link add name br-guest type bridge
ExecStart=-/usr/sbin/ip link set dev br-guest multicast off allmulticast off up
ExecStart=-/usr/sbin/ip a add 192.168.10.1/255.255.255.0 broadcast 192.168.10.255 dev br-guest
ExecStart=-/usr/sbin/ip link set dev lan-guest master br-guest multicast off allmulticast off up

ExecStart=-/usr/sbin/ip route add 172.17.0.0/24 via 192.168.196.5 dev vmnet8

ExecStart=-/usr/bin/systemctl start network-wan-dhcp.service

ExecStart=-/usr/sbin/sysctl -q --load=/etc/sysctl*.conf

ExecStart=-/usr/sbin/tc qdisc add dev wan root handle 1 hfsc default 1
ExecStart=-/usr/sbin/tc class add dev wan parent 1: classid 1:1 hfsc sc rate 54Mbit ul rate 54Mbit
ExecStart=-/usr/sbin/tc qdisc add dev wan parent 1:1 handle 11: fq_codel

[Install]
WantedBy=basic.target
[root@srv-rhsoft:~]$

On 6/25/21 7:43 PM, Reindl Harald wrote:


On 25.06.21 at 23:30, slow_speed@xxxxxxx wrote:
I do not believe it is something one would use a script for. Rather, there should be a way to reload the information into memory without having to reboot.

why would you ever reboot a linux system for something as trivial as exchanging, resetting or reloading iptables?

* you have your ruleset
* you have saved it
* just load it

"/usr/sbin/iptables-nft-restore /etc/sysconfig/iptables" or "iptables-restore" or "iptables-legacy-restore"

there is no difference doing that at boot or any moment in time

On 6/25/21 4:51 PM, David Hajes wrote:
on Debian I flushed all tables including custom tables and used to run iptables bash script before I moved to nftables. OpenBSD same strategy - flush and reload pf.conf

if that is what you mean by reload.

On 25/06/2021 21:24, slow_speed@xxxxxxx wrote:
What is the preferred command to reload the current rules for iptables? (Please include Debian environment, if distro-specific.)
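The reload the thread settles on (feeding the saved ruleset to iptables-restore, whether it lives in /etc/iptables/rules.v4 or /etc/sysconfig/iptables) can be wrapped so that a typo in the file cannot lock you out of the box: test-parse first, snapshot the live rules, commit, and roll back if the commit fails. This is an added example, not code from any poster; it assumes iptables-restore and iptables-save are on PATH (substitute iptables-nft-restore or iptables-legacy-restore as your system needs), and the IPT_* variables and the reload_rules name are my own.

```shell
#!/bin/sh
# Safe iptables reload with validation and rollback (added example, not from the thread).
# IPT_RESTORE / IPT_SAVE are hypothetical override knobs so the commands can be swapped.
set -u
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"
IPT_SAVE="${IPT_SAVE:-iptables-save}"

# reload_rules FILE [BACKUP]
# Returns 0 on success, 1 if FILE is unreadable or fails the parse test,
# 2 if the live commit failed and the previous ruleset was restored.
reload_rules() {
    file="$1"
    backup="${2:-/tmp/iptables.rollback.$$}"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    # --test parses and builds the ruleset without committing it to the kernel,
    # so a syntax error is caught before the running firewall is touched.
    "$IPT_RESTORE" --test < "$file" || { echo "parse error in $file" >&2; return 1; }
    # Snapshot the live ruleset so a failed commit can be undone.
    "$IPT_SAVE" > "$backup" || { echo "cannot snapshot live rules" >&2; return 1; }
    if "$IPT_RESTORE" < "$file"; then
        return 0
    fi
    echo "commit failed, rolling back to $backup" >&2
    "$IPT_RESTORE" < "$backup"
    return 2
}

# Usage: sh reload.sh /etc/iptables/rules.v4   (or /etc/sysconfig/iptables)
if [ $# -gt 0 ]; then
    reload_rules "$1"
fi
```

Running it from a oneshot unit like the one above means a bad file leaves the previous ruleset in place instead of a half-loaded firewall.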
