On 26.06.21 at 12:27, David Hajes wrote:
sounds like a terrible mess with a ton of conditions which only works
with a simple ruleset
how many people do you know that use Linux with 10k lines in iptables?
but why make it complex with abstraction layers when the ruleset is that
simple
the slowest thing about loading the iptables script was dealing with
fail2ban, which takes ages to load all banned IPs.
that's why ipset exists, which doesn't care much whether there are 1 or 1
million entries
if a guy asks how to reload a ruleset properly - I doubt he has got any
complex filtering on his machine ;-)
that may be true
it's not its job to handle sysctl
that belongs in a different file, and running the iptables script at
boot is a terrible idea because it's slow and non-atomic
the only time when you should run a complex script is when you change
something and not at boot time where you simply restore the last state
/usr/sbin/ipset -file /etc/sysconfig/ipset restore
/usr/sbin/iptables-nft-restore /etc/sysconfig/iptables
/usr/sbin/sysctl -q --load=/etc/sysctl*.conf
that way all rules are loaded atomically first and *then* "ip_forward" and
friends are set, to avoid a leak at boot
it may be good for you pro administrators with complex
configurations... I have all in one file and do not need to bother about
1ms lost during a reload, nor search 10 different config files for simple
tasks and waste hours on config. I like the easy life.
mixing things together which don't belong together, like iptables and
sysctl, is the opposite of simple, and running a ton of commands at
boot where it should be a one-liner is also the opposite
to be honest that sounds more like "I didn't know about save/restore when
I wrote that stuff"
My guess was that the guy who asked doesn't have anything special and a
simple script resolves his terrible life trauma ;-)
Otherwise, he wouldn't ask such a question, which is a simple RTFM or UTFG ;-)
that may be true
why would you reboot a machine just because you need to reload the firewall?
it seems to me that you need to learn the basics of firewalling and Linux
management.
On 26/06/2021 01:47, slow_speed@xxxxxxx wrote:
Yes, that was exactly my initial question. I couldn't agree more.
The issue was knowing the correct command to use to force the reload. I
remain unclear on that if my files are in either
/etc/iptables.up.rules or /etc/iptables/rules.v4.
On 6/25/21 7:43 PM, Reindl Harald wrote:
On 25.06.21 at 23:30, slow_speed@xxxxxxx wrote:
I do not believe it is something one would use a script for.
Rather, there should be a way to reload the information into
memory without having to reboot.
why would you ever reboot a linux system for something as trivial as
exchanging, resetting or reloading iptables?
* you have your ruleset
* you have saved it
* just load it
"/usr/sbin/iptables-nft-restore /etc/sysconfig/iptables" or
"iptables-restore" or "iptables-legacy-restore"
there is no difference between doing that at boot or at any moment in time
On 6/25/21 4:51 PM, David Hajes wrote:
on Debian I flushed all tables, including custom tables, and used
to run an iptables bash script before I moved to nftables. On OpenBSD
same strategy - flush and reload pf.conf
if that is what you mean by reload.
On 25/06/2021 21:24, slow_speed@xxxxxxx wrote:
What is the preferred command to reload the current rules for
iptables? (Please include Debian environment, if distro-specific.)
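The boot-time restore sequence Reindl Harald describes above (ipset first, then the whole ruleset in one iptables-restore call, then sysctl), written out as an added POSIX sh example. This is not code from anyone in the thread. The choice between iptables-nft-restore, iptables-restore and iptables-legacy-restore follows the three names quoted in the thread; the file paths are assumptions taken from the paths mentioned in it (RHEL-style /etc/sysconfig/ipset, Debian-style /etc/iptables/rules.v4), /etc/sysctl.d/99-firewall.conf is an invented placeholder, and the --dry-run/--apply switches are mine.

```shell
#!/bin/sh
# Added example, not code from anyone in the thread: restore a saved firewall
# state in the order argued for above -- sets first, then the whole ruleset in
# one atomic restore call, and only then the sysctl knobs such as
# net.ipv4.ip_forward, so forwarding is never enabled while the filter is empty.
# File locations are assumptions taken from the paths mentioned in the thread;
# SYSCTL_FILE in particular is an invented name. Adjust to the local layout.
set -eu

IPSET_FILE="${IPSET_FILE:-/etc/sysconfig/ipset}"              # output of "ipset save"
RULES_V4="${RULES_V4:-/etc/iptables/rules.v4}"                # output of "iptables-save" (Debian layout)
SYSCTL_FILE="${SYSCTL_FILE:-/etc/sysctl.d/99-firewall.conf}"  # assumed file name
DRY_RUN="${DRY_RUN:-1}"                                       # 1 = print commands, 0 = execute

# Prefer the nft backend, then the unsuffixed wrapper, then the legacy binary,
# whichever this system actually ships.
pick_restore_bin() {
    for b in iptables-nft-restore iptables-restore iptables-legacy-restore; do
        if command -v "$b" >/dev/null 2>&1; then
            printf '%s\n' "$b"
            return 0
        fi
    done
    return 1
}

# Print the command instead of executing it when DRY_RUN=1, so the sequence
# can be inspected without root and without touching the live firewall.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The ordered restore. Because of set -e, a failed ipset or iptables restore
# aborts before sysctl runs: booting with forwarding off is safer than booting
# with forwarding on and no filter loaded.
restore_firewall() {
    bin="$(pick_restore_bin)" || {
        echo "no iptables restore binary found in PATH" >&2
        return 1
    }
    # 1. sets first: a rule that matches on a set fails to load if the set is missing
    if [ -f "$IPSET_FILE" ]; then
        run ipset restore -exist -file "$IPSET_FILE"
    fi
    # 2. the ruleset, applied in one call (all or nothing)
    run "$bin" "$RULES_V4"
    # 3. kernel knobs last
    run sysctl -q -p "$SYSCTL_FILE"
}

case "${1:-}" in
    --apply)   DRY_RUN=0; restore_firewall ;;
    --dry-run) DRY_RUN=1; restore_firewall ;;
    *) echo "usage: $0 --dry-run | --apply" >&2 ;;
esac
```

Run it with --dry-run to see the two or three commands it would execute; --apply needs root. The point of the order sits in the last step: if the ruleset fails to load, set -e stops the script before sysctl can switch ip_forward on, so the box comes up fail-closed instead of forwarding unfiltered. For the question that opened the thread, the reload on a Debian box with iptables-persistent's layout is just the middle step on its own, iptables-restore /etc/iptables/rules.v4 (use "<" redirection if your iptables-restore does not accept a file argument), and iptables-restore --test parses a file without committing it, which is a cheap sanity check before overwriting the saved ruleset.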