Proper management of iptables?
Bashi, Enils
Enils.Bashi at FTIConsulting.com
Tue Mar 8 21:02:43 UTC 2011
If losing the rules is the issue, why not dump the rules to a file?:
iptables-save > iptables.save
And if you need to restore them:
iptables-restore < iptables.save
service iptables save
service iptables restart
-----Original Message-----
From: redhat-sysadmin-list-bounces at redhat.com [mailto:redhat-sysadmin-list-bounces at redhat.com] On Behalf Of Dmitry Makovey
Sent: Tuesday, March 08, 2011 3:51 PM
To: redhat-sysadmin-list at redhat.com
Subject: Proper management of iptables?
Hi everybody,
For quite a while inside of our organization we've been editing /etc/sysconfig/iptables directly without many issues. However, it was suggested to us that by doing so we risk losing all those rules whenever some package decides to use lokkit or "system-config-firewall*".
Several different sources suggested that modifying iptables on-the-fly (via CLI) and then saving rules via
$ service iptables save
is a proper technique.
Doing a bit of analysis, I can't really find any trace of code that would prevent us from maintaining iptables just the way we were (as long as *we* don't use lokkit or system-config-firewall*), since "service iptables save" is a valid technique and uses the iptables-save script, which is part of the iptables package and *not* part of system-config-firewall*.
So we've got some evidence that may confirm our usage as valid; however, it would be nice to know if indeed this is *not* a recommended way of maintaining iptables and we should reconsider how we approach it.
--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
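The practical worry in this thread is not saving the rules (iptables-save and "service iptables save" both do that) but finding out that something else rewrote /etc/sysconfig/iptables before the next restart loads it. The script below is an added example written for this page, not code from either poster or from the iptables package: it normalizes two iptables-save dumps (dropping the "# Generated by"/"# Completed on" timestamps and the [packets:bytes] counters, which differ between otherwise identical dumps) and reports whether the saved file still matches the running ruleset. The function names, the default path /etc/sysconfig/iptables, and the three sample dumps are assumptions made for the demo; the dumps are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread: detect when the rules saved in
# /etc/sysconfig/iptables no longer match the rules actually loaded, so a
# package that silently reran lokkit/system-config-firewall is noticed before
# the next "service iptables restart" puts its rules live.

# normalize_ruleset: read an iptables-save dump on stdin and strip what
# legitimately differs between two dumps of the same rules: the timestamp
# comments, the [packets:bytes] counters on chain policy lines, and the
# leading counters on rules saved with "iptables-save -c".
normalize_ruleset() {
    sed -e '/^# Generated by /d' -e '/^# Completed on /d' \
        -e 's/ \[[0-9][0-9]*:[0-9][0-9]*\]$//' \
        -e 's/^\[[0-9][0-9]*:[0-9][0-9]*\] //'
}

# ruleset_matches SAVED RUNNING: exit 0 if both dumps describe the same rules.
ruleset_matches() {
    _a=$(normalize_ruleset < "$1")
    _b=$(normalize_ruleset < "$2")
    [ "$_a" = "$_b" ]
}

# report_drift SAVED RUNNING: unified diff of the normalized rules (empty when
# they match); exit status is diff's, 0 for same and 1 for different.
report_drift() {
    _n1=$(mktemp) && _n2=$(mktemp) || return 2
    normalize_ruleset < "$1" > "$_n1"
    normalize_ruleset < "$2" > "$_n2"
    diff -u "$_n1" "$_n2"; _rc=$?
    rm -f "$_n1" "$_n2"
    return $_rc
}

# check_live_ruleset [SAVED]: compare SAVED (default /etc/sysconfig/iptables)
# with a fresh iptables-save of the running tables. Needs root and the
# iptables package, so the demo below uses constructed dumps instead.
check_live_ruleset() {
    _live=$(mktemp) || return 2
    if ! iptables-save > "$_live"; then rm -f "$_live"; return 2; fi
    report_drift "${1:-/etc/sysconfig/iptables}" "$_live"; _rc=$?
    rm -f "$_live"
    return $_rc
}

# Constructed sample dumps (made up for this demo). sample_saved stands in
# for what "service iptables save" wrote to /etc/sysconfig/iptables.
sample_saved() {
cat <<'EOF'
# Generated by iptables-save v1.4.7 on Tue Mar  8 10:00:00 2011
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Mar  8 10:00:00 2011
EOF
}
# Same rules dumped later with "iptables-save -c": only timestamps and
# counters differ, so this must compare equal to sample_saved.
sample_running_unchanged() {
cat <<'EOF'
# Generated by iptables-save v1.4.7 on Tue Mar  8 21:02:43 2011
*filter
:INPUT ACCEPT [1530:182044]
:OUTPUT ACCEPT [912:77210]
[1490:180100] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[12:720] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[28:1224] -A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Mar  8 21:02:43 2011
EOF
}
# A lokkit-style rewrite: the ssh rule is gone and port 80 is open instead.
sample_running_rewritten() {
cat <<'EOF'
# Generated by iptables-save v1.4.7 on Tue Mar  8 21:30:00 2011
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Mar  8 21:30:00 2011
EOF
}

# Demo on the constructed dumps.
demo_dir=$(mktemp -d)
sample_saved > "$demo_dir/saved"
sample_running_unchanged > "$demo_dir/same"
sample_running_rewritten > "$demo_dir/changed"
ruleset_matches "$demo_dir/saved" "$demo_dir/same" && echo "unchanged host: saved rules match running rules"
ruleset_matches "$demo_dir/saved" "$demo_dir/changed" || { echo "rewritten host: drift detected"; report_drift "$demo_dir/saved" "$demo_dir/changed"; }
rm -rf "$demo_dir"
```

On a real host you would call check_live_ruleset (as root) from cron or before "service iptables restart"; a non-empty diff means the file on disk and the loaded rules have diverged, and you decide which side is authoritative before either "service iptables save" overwrites the file or a restart overwrites the kernel. The counter stripping matters because RHEL's init script can save with counters (IPTABLES_SAVE_COUNTER), which would otherwise make every comparison look like drift.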