From: David Hajes <david@hajes.org>
To: netfilter@vger.kernel.org
Subject: Re: Reload IPtables
Date: Sat, 26 Jun 2021 12:27:52 +0200	[thread overview]
Message-ID: <96559e16-e3a6-cefd-6183-1b47f31b9345@hajes.org> (raw)
In-Reply-To: <adc28927-724f-2cdb-ca6a-ff39be8de3ba@thelounge.net>


> sounds like a terrible mess with a ton of conditions which only works 
> with a simple ruleset

How many people do you know who use Linux with 10k lines in iptables?

The slowest thing about loading the iptables script was dealing with fail2ban,
which takes ages to load all banned IPs.

If a guy asks how to properly reload a ruleset, I doubt he has got any
complex filtering on his machine ;-)

>
> it's not its job to handle sysctl
>
> that belongs into a different file and running the iptables-script at 
> boot is a terrible idea because it's slow and non-atomic
>
> the only time when you should run a complex script is when you change 
> something and not at boot time where you simply restore the last state
>
> /usr/sbin/ipset -file /etc/sysconfig/ipset restore
> /usr/sbin/iptables-nft-restore /etc/sysconfig/iptables
> /usr/sbin/sysctl -q --load=/etc/sysctl*.conf
>
> that way first all rules are loaded atomic and *then* "ip_forward" and 
> friends are set to avoid a leak at boot

It may be good for you pro administrators with complex
configurations... I have it all in one file and do not need to bother about
1ms lost during reload, nor about seeking through 10 different config files for
simple tasks and wasting hours on config. I like the easy life.

My guess was that the guy who asked doesn't have anything special and a simple
script resolves his terrible life trauma ;-)

Otherwise, he wouldn't ask such a question, which is simply RTFM or UTFG ;-)

>
>> why would you reboot the machine just because you need to reload the firewall?
>>
>> it seems to me that you need to learn basics of firewalling and Linux 
>> management.
>>
>> On 26/06/2021 01:47, slow_speed@att.net wrote:
>>> Yes, that was exactly my initial question.  I couldn't agree more.
>>>
>>> The issue was knowing the correct command to use to force the reload. I 
>>> remain unclear on that if my files are in either 
>>> /etc/iptables.up.rules or /etc/iptables/rules.v4.
>>>
>>>
>>>
>>> On 6/25/21 7:43 PM, Reindl Harald wrote:
>>>>
>>>>
>>>> Am 25.06.21 um 23:30 schrieb slow_speed@att.net:
>>>>> I do not believe it is something one would use a script for. 
>>>>> Rather, there should be a way to reload the information into 
>>>>> memory without having to reboot.
>>>>
>>>> why would you ever reboot a linux system for something as trivial as 
>>>> exchanging, resetting or reloading iptables?
>>>>
>>>> * you have your ruleset
>>>> * you have saved it
>>>> * just load it
>>>>
>>>> "/usr/sbin/iptables-nft-restore /etc/sysconfig/iptables" or 
>>>> "iptables-restore" or "iptables-legacy-restore"
>>>>
>>>> there is no difference doing that at boot or any moment in time
>>>>
>>>>> On 6/25/21 4:51 PM, David Hajes wrote:
>>>>>> On Debian I flushed all tables, including custom tables, and used 
>>>>>> to run an iptables bash script before I moved to nftables. OpenBSD, 
>>>>>> same strategy: flush and reload pf.conf
>>>>>>
>>>>>> if that is what you mean by reload.
>>>>>>
>>>>>> On 25/06/2021 21:24, slow_speed@att.net wrote:
>>>>>>> What is the preferred command to reload the current rules for 
>>>>>>> iptables? (Please include Debian environment, if distro-specific.)
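
The restore-then-sysctl procedure quoted above, written out as a script; this is an added example, not code from any participant in the thread. It assumes rules saved in iptables-save(8) format at the paths slow_speed named, an optional saved ipset dump, and an iptables-restore that supports --test (parse only, do not commit).

```shell
#!/bin/sh
# Reload a saved ruleset atomically instead of re-running a rule-by-rule
# script: a failed restore leaves the currently loaded rules untouched.

# Return the first existing file among the candidate paths (e.g. the two
# Debian locations mentioned in the thread). Exit status 1 if none exist.
find_rules_file() {
    for f in "$@"; do
        [ -f "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# Cheap structural check of an iptables-save dump before touching the
# kernel: every "*table" header must be closed by its own COMMIT line.
# A truncated file (e.g. from an interrupted iptables-save) fails here
# rather than loading a partial table.
check_dump_structure() {
    tables=$(grep -c '^\*' "$1" || true)
    commits=$(grep -c '^COMMIT$' "$1" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# Atomic reload in the order the thread recommends: sets first (rules that
# reference a set fail without it), dry-run parse, real restore, and only
# then sysctl, so ip_forward is not enabled before the filter is in place.
# $1 = rules file, $2 = optional ipset dump (assumed path, may be absent).
reload_ruleset() {
    rules=$1
    sets=${2:-/etc/iptables/ipsets}
    check_dump_structure "$rules" || { echo "malformed dump: $rules" >&2; return 1; }
    [ -f "$sets" ] && ipset -exist -file "$sets" restore
    iptables-restore --test < "$rules" \
        || { echo "ruleset rejected, old rules kept" >&2; return 1; }
    iptables-restore < "$rules"
    sysctl -q --system   # loads /etc/sysctl.conf and /etc/sysctl.d/*.conf
}

# Example invocation (requires root and iptables installed):
# rules=$(find_rules_file /etc/iptables/rules.v4 /etc/iptables.up.rules) \
#   && reload_ruleset "$rules"
```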
