Thank you for that very good explanation.
As it turns out, I am learning two ways at once. One is my desktop
computer running Debian 10 which used nftables (and I believe
nftables-persistent is built-in to the nftables mechanism). The other
is a little Raspian server which is based on Debian 10, but does not use
nftables.
In the second case, one must reload iptables when changes are made to
it. If I correctly understand, one must use sudo iptables -F, followed
by sudo iptables-restore < /etc/iptables.up.rules (or wherever they
are). Doesn't it need the little left arrow/less-than sign? Does that
sound correct?
On 6/27/21 2:11 PM, Kerin Millar wrote:
On Fri, 25 Jun 2021 19:47:02 -0400
slow_speed@xxxxxxx wrote:
Yes, that was exactly my initial question. I couldn't agree more.
The issue was knowing the correct command to use force the reload. I
remain unclear on that if my files are in either /etc/iptables.up.rules
or /etc/iptables/rules.v4.
Debian offers an iptables-persistent package which, if installed, will provide a plugin for their netfilter-persistent package. In turn, that implements a pseudo-service that is capable of automatically loading iptables rules from "/etc/iptables/rules.v4" upon being started, and saving them there upon being stopped. It does so by executing iptables-restore(8) and iptables-save(8) behind the scenes and the decision to use this particular location is an arbitrary one made by the Debian maintainers. As for "/etc/iptables.up.rules", it has no significance beyond serving as one example of how to manually deal with ruleset persistence, as far as the author of the https://wiki.debian.org/iptables article is concerned.
So, if you needed to manually (re)load an iptables ruleset that had previously been saved through the use of the iptables-persistent plugin, you might run `iptables-restore /etc/iptables/rules.v4` but it would probably be wiser to run `netfilter-persistent start` instead. For further information, refer to the netfilter-persistent(8) man page. On the other hand, should you choose not to use iptables-persistent, the decision of where exactly to save rulesets is yours to make. If in doubt, observe the conventions chosen by your distribution.
