Proper management of iptables?

Bashi, Enils Enils.Bashi at FTIConsulting.com
Tue Mar 8 21:02:43 UTC 2011


If losing the rules is the issue, why not dump the rules to a file? :

iptables-save > iptables.save

And if you need to restore them:

iptables-restore < iptables.save
service iptables save
service iptables restart



-----Original Message-----
From: redhat-sysadmin-list-bounces at redhat.com [mailto:redhat-sysadmin-list-bounces at redhat.com] On Behalf Of Dmitry Makovey
Sent: Tuesday, March 08, 2011 3:51 PM
To: redhat-sysadmin-list at redhat.com
Subject: Proper management of iptables?

Hi everybody,

For quite a while inside of our organization we've been editing /etc/sysconfig/iptables directly without many issues. However, it was suggested to us that by doing so we risk losing all those rules whenever some package decides to use lokkit or "system-config-firewall*".

Several different sources suggested that modifying iptables on-the-fly (via CLI) and then saving rules via

$ service iptables save

is a proper technique.

Doing a bit of analysis, I can't really find any trace of code that would prevent us from maintaining iptables just the way we were (as long as *we* don't use lokkit or system-config-firewall*), since "service iptables save" is a valid technique and uses the iptables-save script, which is part of the iptables package and *not* part of system-config-firewall*.

So we've got some evidence that may confirm our usage as valid; however, it would be nice to know if indeed this is *not* a recommended way of maintaining iptables and we should reconsider how we approach it.

--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
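
Both messages converge on the same workflow (edit or load the rules, then capture them with iptables-save), but neither addresses how to notice when lokkit or system-config-firewall has rewritten the saved file behind your back. The script below is an added example, not code from either poster: it compares two iptables-save dumps, for instance /etc/sysconfig/iptables against the output of iptables-save from the running kernel (which needs root), while ignoring the parts of the format that change on every run, namely the "# Generated by" / "# Completed on" timestamp comments and the [packets:bytes] counters emitted by "iptables-save -c". The three rulesets it works on are constructed sample data, and the function names are my own. The RH-Firewall-1-INPUT chain in the third sample is the one lokkit created on RHEL 5; the sample only illustrates the shape of a rewrite and is not a capture from a real host.

```shell
#!/bin/sh
# Added example for this thread (not code from either poster). Compares two
# iptables-save dumps, e.g. /etc/sysconfig/iptables (written by "service
# iptables save") against live "iptables-save" output, ignoring the volatile
# timestamp comments and [packets:bytes] counters. Rule order is significant
# in iptables, so lines are deliberately not sorted before comparison.

# normalize_rules FILE
#   Print FILE without comment lines, counters, blank lines or edge whitespace.
normalize_rules() {
    grep -v '^#' "$1" \
        | sed -e 's/\[[0-9][0-9]*:[0-9][0-9]*\]//g' \
              -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# rules_match SAVED CURRENT
#   Return 0 if both dumps describe the same ruleset, 1 otherwise.
rules_match() {
    [ "$(normalize_rules "$1")" = "$(normalize_rules "$2")" ]
}

# rules_diff SAVED CURRENT
#   Unified diff of the normalized rulesets; returns diff's exit status.
rules_diff() {
    rd_a=$(mktemp) && rd_b=$(mktemp) || return 2
    normalize_rules "$1" > "$rd_a"
    normalize_rules "$2" > "$rd_b"
    diff -u "$rd_a" "$rd_b" && rd_rc=0 || rd_rc=$?
    rm -f "$rd_a" "$rd_b"
    return "$rd_rc"
}

# Constructed sample (not a real host): what "service iptables save" wrote.
write_saved_rules() {
    cat > "$1" <<'EOF'
# Generated by iptables-save v1.4.7 on Tue Mar  8 15:51:00 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Mar  8 15:51:00 2011
EOF
}

# Constructed "iptables-save -c" output for the same live ruleset: newer
# timestamp and non-zero counters, but identical rules.
write_live_rules() {
    cat > "$1" <<'EOF'
# Generated by iptables-save v1.4.7 on Tue Mar  8 21:02:43 2011
*filter
:INPUT ACCEPT [3:180]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9128:1305710]
[8420:6123909] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[42:3360] -A INPUT -i lo -j ACCEPT
[17:1020] -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
[265:15900] -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
[3:180] -A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Mar  8 21:02:43 2011
EOF
}

# Constructed dump after a firewall tool rewrote the file: its own chain
# appears and the port 443 rule is gone.
write_rewritten_rules() {
    cat > "$1" <<'EOF'
# Generated by iptables-save v1.4.7 on Tue Mar  8 21:30:12 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Mar  8 21:30:12 2011
EOF
}

# Demo on the constructed samples. On a real system the two files would be
# /etc/sysconfig/iptables and the output of "iptables-save" (run as root).
demo_dir=$(mktemp -d)
write_saved_rules "$demo_dir/saved"
write_live_rules "$demo_dir/live"
write_rewritten_rules "$demo_dir/rewritten"
if rules_match "$demo_dir/saved" "$demo_dir/live"; then
    echo "OK: live rules match the saved file (only counters/timestamps differ)"
fi
if ! rules_match "$demo_dir/saved" "$demo_dir/rewritten"; then
    echo "WARNING: ruleset changed since it was saved:"
    rules_diff "$demo_dir/saved" "$demo_dir/rewritten" || true
fi
rm -rf "$demo_dir"
```

Run from cron as root with `iptables-save > /tmp/live.rules` followed by `rules_match /etc/sysconfig/iptables /tmp/live.rules`, and a non-zero status tells you the running rules and the saved file have drifted apart, whichever side changed. The comparison is whole-dump, so a rewrite of the nat or mangle table is caught as well, but it says nothing about rules that were never saved in the first place.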
