On 03/07/07, Nadav Har'El <[EMAIL PROTECTED]> wrote:
> On Tue, Jul 03, 2007, Oded Arbel wrote about "Re: Keeping iptables rules across reboots on Debian (lenny) ?":
> > *) The SysV script offers the option of "save" to call iptables-store
> > for you. The standard sysadmin use case would be to set up the needed
> > rules, then run '/etc/init.d/iptables save' and then reboot the machine
> > and the rules will be loaded automatically.
>
> The practice I recommend is different: don't modify the running iptables
> using the "iptables" command at all. If you do that, you risk making
> mistakes and having them saved forever, and also some things (involving
> rule chains, etc.) are really hard to do this way.
>
> The approach I like better is to edit /etc/sysconfig/iptables (this is
> where Fedora keeps the iptables rules) using your default editor, taking
> your time, and when you want to try the new rules, run
>
>     service iptables restart
>
> (the same as /etc/rc.d/init.d/iptables restart).
Are you serious? You recommend that people edit a file with a syntax like:

    # Generated by iptables-save v1.2.7a on Wed May 30 17:25:39 2007
    *filter
    :INPUT ACCEPT [75395166:5137157842]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [65942397:7216862317]
    :block - [0:0]
    [1116355:68298646] -A INPUT -j block
    ..
    COMMIT

over scripting a list of "iptables -A" commands which can be repeated and made idempotent? Not to mention that the numbers in the "[xxx:yyy]" are counters which are lost if you don't save them over reboots.

For instance, when I worked on a set of iptables rules to measure Skype traffic I kept adding/removing rules from a script and with a bit of chain flushing and iptables-save/-restore I was able to keep track of the current configuration test without losing working configurations.

Cheers,
--Amos
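An added example (not code from either poster) of the scripted, idempotent "iptables -A" approach Amos describes, plus a counter-preserving save: each rule is appended only when `iptables -C` reports it missing, so the script can be rerun after every edit without duplicating rules. It assumes an iptables that supports the `-C` check option; the chain name "block", the rules and the save path are illustrative, and IPTABLES can be pointed at a wrapper for dry runs.

```shell
#!/bin/sh
# Idempotent iptables rule script (illustrative rules, not a real policy).
# IPTABLES may be overridden to run the rule set against a wrapper.
IPTABLES="${IPTABLES:-iptables}"
ADDED=0   # number of rules actually appended by the last apply_rules run

# ensure_chain NAME: create the user chain only if it does not exist yet.
ensure_chain() {
    "$IPTABLES" -n -L "$1" >/dev/null 2>&1 || "$IPTABLES" -N "$1"
}

# ensure_rule CHAIN RULESPEC...: append only when -C says the rule is absent.
# Returns 0 when the rule was added, 1 when it was already present.
ensure_rule() {
    chain=$1
    shift
    "$IPTABLES" -C "$chain" "$@" 2>/dev/null && return 1
    "$IPTABLES" -A "$chain" "$@"
}

# apply_rules: the whole rule set, declared once; safe to run repeatedly.
# Appending keeps rule order stable across reruns, unlike hand-typed -A calls.
apply_rules() {
    ADDED=0
    ensure_chain block
    ensure_rule block -m state --state ESTABLISHED,RELATED -j ACCEPT && ADDED=$((ADDED + 1))
    ensure_rule block -p tcp --dport 22 -j ACCEPT && ADDED=$((ADDED + 1))
    ensure_rule block -j DROP && ADDED=$((ADDED + 1))
    # Hand INPUT traffic to the block chain exactly once.
    ensure_rule INPUT -j block && ADDED=$((ADDED + 1))
    return 0
}

# save_rules FILE: snapshot the live table including the per-rule
# packet/byte counters (-c), so a later `iptables-restore -c FILE`
# keeps the counters across a reboot instead of zeroing them.
save_rules() {
    iptables-save -c > "$1"
}

case "${1:-}" in
    apply) apply_rules && echo "rules added: $ADDED" ;;
    save)  save_rules "${2:-/etc/iptables.rules}" ;;
esac
```

Run it as `sh firewall.sh apply` after each edit; a second run reports zero rules added.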