iptables-restore - does it breaks existing connections?

iptables-restore - does it breaks existing connections?

[gapsf]

For example, when (re)loading the same set of rules?

Re: iptables-restore - does it breaks existing connections?

[Erik Schorr]

On 05/24/2011 08:29 PM, gapsf@yandex.ru wrote:
> For example, when (re)loading the same set of rules?

When using iptables-restore or a similar method, the new table is loaded 
atomically.  As long as the new ruleset permits the traffic, there 
should be no dropped connections (or connection states).  The kernel 
keeps connection state information independently of firewall rules.

The best way to explicitly guarantee that all your connections stay up 
if you plan on loading a different ruleset, is to make sure there's a 
rule near the top of each of your INPUT/OUTPUT/FORWARD chains that 
accepts established/related connections:

iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

-- 
Erik Schorr KD6AUT
Advocate and Consultant
VMware/Iptables/Exim/Perl

Re: iptables-restore - does it breaks existing connections?

[Jan Engelhardt]

On Friday 2011-05-27 17:06, Erik Schorr wrote:

> On 05/24/2011 08:29 PM, gapsf@yandex.ru wrote:
>> For example, when (re)loading the same set of rules?
>
> When using iptables-restore or a similar method, the new table is loaded
> atomically.  As long as the new ruleset permits the traffic, there should be no
> dropped connections (or connection states).  The kernel keeps connection state
> information independently of firewall rules.
>
> The best way to explicitly guarantee that all your connections stay up if you
> plan on loading a different ruleset, is to make sure there's a rule near the
> top of each of your INPUT/OUTPUT/FORWARD chains that accepts
> established/related connections:
>
> iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -I OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>

Though these dates,-m conntrack --ctstate ESTABLISHED,RELATED is used.

Re: iptables-restore - does it breaks existing connections?

[Erik Schorr]

On 5/27/2011 8:58 AM, Jan Engelhardt wrote:
> Though these dates,-m conntrack --ctstate ESTABLISHED,RELATED is used.

Is there a practical, performance, or functional difference between 
using -m state and -m conntrack?

Re: iptables-restore - does it breaks existing connections?

[Jan Engelhardt]

On Saturday 2011-05-28 00:31, Erik Schorr wrote:

> On 5/27/2011 8:58 AM, Jan Engelhardt wrote:
>> Though these dates,-m conntrack --ctstate ESTABLISHED,RELATED is used.
>
> Is there a practical, performance, or functional difference between using -m
> state and -m conntrack?

It has many more checks available; perhaps the second most handy (to me, 
at least) one after the usual EST/REL clause is --ctstate DNAT.