Re: Reload IPtables

On Sun, 27 Jun 2021 14:32:39 -0400
slow_speed@xxxxxxx wrote:

> Thank you for that very good explanation.
> 
> As it turns out, I am learning two ways at once.  One is my desktop 
> computer running Debian 10 which used nftables (and I believe 
> nftables-persistent is built-in to the nftables mechanism).  The other 
> is a little Raspbian server which is based on Debian 10, but does not use 
> nftables.
> 
> In the second case, one must reload iptables when changes are made to 
> it.  If I correctly understand, one must use sudo iptables -F, followed 
> by sudo iptables-restore < /etc/iptables.up.rules (or wherever they 
> are).  Doesn't it need the little left arrow/less-than sign?  Does that 
> sound correct?

Concerning wherever they may be, they would be at "/etc/iptables.rules.v4" in the event that you are using iptables-persistent.

In any case, no, I would not consider this approach to be correct. Running `iptables -F` will empty the chains in the filter table. Not only would it fall short of 'resetting' the entire ruleset, you would be rendering the overall procedure non-atomic by unnecessarily splitting it into two distinct steps. Depending on your default chain policies, you could leave yourself temporarily wide open or, say, lock yourself out of a remote system. That's before even getting to the point of validating the ruleset that you intend to load. Just go straight to invoking iptables-restore (or netfilter-persistent). As long as the ruleset is valid, it will be applied in full, atomically. Otherwise, an error will be displayed and nothing will change. There is no in-between, which is as it should be. In short: my advice remains as conveyed by my previous post.

Use of shell redirection is optional in this case but I would caution against making it a habit in conjunction with the use of sudo. The shell will execute sudo which, in turn, will execute iptables-restore with root privileges. However, that very same shell - which, presumably, wasn't running as root to begin with - will process the redirection operator and attempt to open the given file. Provided that the file is readable by the shell's user, this poses no problem. However, should the file's permissions be restricted to the extent that only the root user can read the file, failure will ensue. By contrast, `sudo iptables-restore /etc/iptables.up.rules` is immune because the responsibility for opening the file is delegated to iptables-restore itself.

-- 
Kerin Millar
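
The load procedure recommended above, written out as a small POSIX sh script. This is an added example, not code from the thread or from the iptables project; `apply_ruleset` is a hypothetical helper name, the `/etc/iptables/rules.v4` path is assumed to be the iptables-persistent default, and the second parameter exists only so the restore command can be swapped out for a dry run.

```shell
#!/bin/sh
# Added example (not from the thread): validate a saved ruleset and then
# commit it in one atomic step with iptables-restore. No `iptables -F`
# beforehand, and no shell redirection of the rules file.
set -u

# apply_ruleset RULES_FILE [RESTORE_CMD]
# Exit status: 0 applied, 2 file missing, 3 ruleset rejected, 4 commit failed.
apply_ruleset() {
    rules="$1"
    restore="${2:-iptables-restore}"   # override with a stand-in for dry runs

    [ -f "$rules" ] || { echo "no such file: $rules" >&2; return 2; }

    # Parse-only pass: --test builds the ruleset but does not commit it, so a
    # typo in the file is caught while the running ruleset is still untouched.
    if ! "$restore" --test "$rules"; then
        echo "ruleset rejected, nothing changed" >&2
        return 3
    fi

    # All-or-nothing commit. The file path is handed to the restore command
    # as an argument, so the privileged process opens it; with
    # `sudo "$restore" < "$rules"` the unprivileged shell would open it and
    # fail on a 0600 root-owned file. Flushing first with `iptables -F`
    # would only empty the filter table and open a window with no rules.
    if ! "$restore" "$rules"; then
        echo "commit failed, previous ruleset still active" >&2
        return 4
    fi
    echo "ruleset applied atomically from $rules"
}

# Stand-alone use (run as root, e.g. via sudo):
#   sh apply-ruleset.sh /etc/iptables/rules.v4
if [ "$#" -ge 1 ]; then
    apply_ruleset "$@"
fi
```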
