Re: Reload IPtables

On 26.06.21 at 09:19 David Hajes wrote:
now you know why I use my own scripts that are portable to any Linux/OpenBSD/BSD-like machine

sounds like a terrible mess with a ton of conditions which only works with a simple ruleset

I have never used iptables-save/restore in my life...it doesn't handle variables like "ip_forward" for example and there is more to set up.

it's not its job to handle sysctl

that belongs in a different file, and running the iptables script at boot is a terrible idea because it's slow and non-atomic

the only time you should run a complex script is when you change something, not at boot time, where you simply restore the last state

/usr/sbin/ipset -file /etc/sysconfig/ipset restore
/usr/sbin/iptables-nft-restore /etc/sysconfig/iptables
/usr/sbin/sysctl -q --load=/etc/sysctl*.conf

that way all rules are loaded atomically first and *then* "ip_forward" and friends are set, to avoid a leak at boot

why would you reboot the machine just because you need to reload the firewall?

it seems to me that you need to learn the basics of firewalling and Linux management.

On 26/06/2021 01:47, slow_speed@xxxxxxx wrote:
Yes, that was exactly my initial question.  I couldn't agree more.

The issue was knowing the correct command to use to force the reload. I remain unclear on that if my files are in either /etc/iptables.up.rules or /etc/iptables/rules.v4.



On 6/25/21 7:43 PM, Reindl Harald wrote:


On 25.06.21 at 23:30 slow_speed@xxxxxxx wrote:
I do not believe it is something one would use a script for. Rather, there should be a way to reload the information into memory without having to reboot.

why would you ever reboot a Linux system for something as trivial as exchanging, resetting or reloading iptables?

* you have your ruleset
* you have saved it
* just load it

"/usr/sbin/iptables-nft-restore /etc/sysconfig/iptables" or "iptables-restore" or "iptables-legacy-restore"

there is no difference doing that at boot or any moment in time

On 6/25/21 4:51 PM, David Hajes wrote:
on Debian I flushed all tables including custom tables and used to run an iptables bash script before I moved to nftables. OpenBSD: same strategy, flush and reload pf.conf

if that is what you mean by reload.

On 25/06/2021 21:24, slow_speed@xxxxxxx wrote:
What is the preferred command to reload the current rules for iptables? (Please include Debian environment, if distro-specific.)
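The boot-time sequence Reindl describes (sets and rules first, sysctl last), as an added example that is not code from any poster in this thread: a restore script that refuses to touch sysctl unless the saved dump looks complete and the atomic restore succeeded. The file paths, the DRY_RUN helper and the check_ruleset sanity test are assumptions of this example.

```shell
#!/bin/sh
# Boot-time firewall restore in the order the thread describes:
# sets and rules first (one atomic iptables-restore), sysctl last, so
# ip_forward is never enabled before the ruleset is in place.
# File paths are assumptions; adjust them to your distribution.
set -eu

IPSET_SAVE=${IPSET_SAVE:-/etc/sysconfig/ipset}
IPT_SAVE=${IPT_SAVE:-/etc/sysconfig/iptables}
SYSCTL_CONF=${SYSCTL_CONF:-/etc/sysctl.d/90-forward.conf}

# run: execute the command, or only print it when DRY_RUN is set
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# check_ruleset FILE: every table block (*name) in an iptables-save dump
# must be closed by a COMMIT; a truncated dump would make iptables-restore
# abort, and sysctl must not be touched after that. Returns 0 when sane.
check_ruleset() {
    tables=$(grep -c '^\*' "$1" || true)
    commits=$(grep -c '^COMMIT' "$1" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# restore_firewall: the ordered sequence; any failure aborts before sysctl
restore_firewall() {
    check_ruleset "$IPT_SAVE" || { echo "bad ruleset: $IPT_SAVE" >&2; return 1; }
    run ipset -file "$IPSET_SAVE" restore      # 1. sets first, rules reference them
    run iptables-restore --test "$IPT_SAVE"    # 2a. parse only, no kernel change
    run iptables-restore "$IPT_SAVE"           # 2b. load all tables atomically
    run sysctl -q --load="$SYSCTL_CONF"        # 3. only now enable forwarding
}

# invoke as "restore.sh run" from a boot unit; plain sourcing runs nothing
case "${1:-}" in run) restore_firewall ;; esac
```

Run it as root from a oneshot unit (or rc script) with the argument `run`; set `DRY_RUN=1` to print the sequence without changing anything.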


