From: Kerin Millar <kfm@plushkava.net>
To: slow_speed@att.net
Cc: netfilter@vger.kernel.org
Subject: Re: Reload IPtables
Date: Sun, 27 Jun 2021 20:07:52 +0100
Message-ID: <20210627200752.694217a849963715fd782049@plushkava.net>
In-Reply-To: <227edb33-b86d-2310-bc63-c6d903bea95d@att.net>

On Sun, 27 Jun 2021 14:32:39 -0400
slow_speed@att.net wrote:

> Thank you for that very good explanation.
> 
> As it turns out, I am learning two ways at once.  One is my desktop 
> computer running Debian 10 which used nftables (and I believe 
> nftables-persistent is built-in to the nftables mechanism).  The other 
> is a little Raspbian server which is based on Debian 10, but does not use 
> nftables.
> 
> In the second case, one must reload iptables when changes are made to 
> it.  If I correctly understand, one must use sudo iptables -F, followed 
> by sudo iptables-restore < /etc/iptables.up.rules (or wherever they 
> are).  Doesn't it need the little left arrow/less-than sign?  Does that 
> sound correct?

Concerning wherever they may be, they would be at "/etc/iptables.rules.v4" in the event that you are using iptables-persistent.

In any case, no, I would not consider this approach to be correct. Running `iptables -F` will empty the chains in the filter table. Not only would it fall short of 'resetting' the entire ruleset, you would be rendering the overall procedure non-atomic by unnecessarily splitting it into two distinct steps. Depending on your default chain policies, you could leave yourself temporarily wide open or, say, lock yourself out of a remote system. That's before even getting to the point of validating the ruleset that you intend to load. Just go straight to invoking iptables-restore (or netfilter-persistent). As long as the ruleset is valid, it will be applied in full, atomically. Otherwise, an error will be displayed and nothing will change. There is no in-between, which is as it should be. In short: my advice remains as conveyed by my previous post.

Use of shell redirection is optional in this case but I would caution against making it a habit in conjunction with the use of sudo. The shell will execute sudo which, in turn, will execute iptables-restore with root privileges. However, that very same shell - which, presumably, wasn't running as root to begin with - will process the redirection operator and attempt to open the given file. Provided that the file is readable by the shell's user, this poses no problem. However, should the file's permissions be restricted to the extent that only the root user can read the file, failure will ensue. By contrast, `sudo iptables-restore /etc/iptables.up.rules` is immune because the responsibility for opening the file is delegated to iptables-restore itself.

-- 
Kerin Millar
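The procedure the reply recommends, as an added example that is not part of Kerin Millar's message and is not code from the iptables project: a small POSIX sh helper that validates a ruleset file with `iptables-restore --test`, then commits it in a single iptables-restore invocation, with no `iptables -F` beforehand and with the file path passed as an argument rather than through shell redirection. The helper assumes that iptables-restore accepts `--test` (parse and build the ruleset without committing it) and a file argument, that the default ruleset lives at the iptables-persistent path /etc/iptables/rules.v4, and it uses two environment overrides invented for this example, PRIV (the privilege-escalation command, default sudo) and IPTABLES_RESTORE (the binary to run).

```shell
#!/bin/sh
# Added example (not from the original message or from the iptables project).
# Reload an iptables ruleset safely: validate it first, then apply it in one
# iptables-restore invocation. No preceding `iptables -F`, no `< file`.
#
# Assumptions (labelled): iptables-restore supports `--test` (parse and build
# the ruleset without committing it) and takes the ruleset path as an
# argument; the default path is the iptables-persistent location
# /etc/iptables/rules.v4; PRIV and IPTABLES_RESTORE are overrides invented
# for this example so that it can be exercised without root.

reload_ruleset() {
    rules=${1:-/etc/iptables/rules.v4}
    restore=${IPTABLES_RESTORE:-iptables-restore}

    # Escalate only when not already root. PRIV="" disables escalation.
    if [ "$(id -u)" -eq 0 ]; then
        priv=
    else
        priv=${PRIV-sudo}
    fi

    # Step 1: dry run. A parse error returns non-zero and the live ruleset
    # is untouched, so there is never a window with empty chains.
    if ! $priv "$restore" --test "$rules"; then
        echo "reload_ruleset: '$rules' failed validation; nothing changed" >&2
        return 1
    fi

    # Step 2: commit. iptables-restore replaces the tables named in the file
    # in one step rather than rule by rule, so a separate `iptables -F`
    # (which only empties the filter table) is unnecessary and harmful.
    #
    # The path is passed as an argument instead of `< "$rules"`: with a
    # redirection the unprivileged shell would have to open the file, which
    # fails for a root-only (e.g. mode 0600) ruleset; here the privileged
    # iptables-restore process opens it itself.
    $priv "$restore" "$rules"
}
```

Call it as `reload_ruleset` for the iptables-persistent default, or `reload_ruleset /etc/iptables.up.rules` for a file kept elsewhere. When validation fails, iptables-restore's own diagnostic (which names the offending line) is printed first, followed by the helper's message. On a host running iptables-persistent, `netfilter-persistent reload` achieves the same atomic result without the helper.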

