
The problem is that a script with custom chains, ipsets and such is getting very complicated and error-prone. The solution would be to append new rules at the end of the current ones, then to remove the old ones, which can theoretically result in a continuous ruleset being in place.

One of the first things you should do when bringing a new Linux system online is to set up these standard rules. It requires no daemon restarts and it is available for all Linux systems. Aside from that, some high-throughput traffic runs into a partially restored firewall, which results in very bad conntrack entries that require manual intervention to restore functionality. Iptables is easy to use and requires almost no maintenance. Lots of stuff breaks if there is no rule for more than 50 ms. If your saved firewall rules allow SSH access, another method is to reboot your server. I can't afford to just drop all rules and reinsert them, because this is simply too slow. I have a lot of sensitive traffic, like E1 lines encapsulated into IP packets and many others. This approach works well, to some extent. Use the following command to create an iptables rule for opening a port: sudo iptables -A INPUT -p protocol --dport port -j ACCEPT.

I have a script which simply flushes all rules and custom chains, then reloads everything from scratch. The iptables utility allows configuring rules to filter IP packets using the Linux kernel firewall. It is not possible to operate on the existing iptables configuration by doing manual inserts/replaces or deletions.

I have a very complicated and long iptables script.
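The reload-without-a-gap problem described in the post, as an added shell example that is not the poster's script: the "append the new rules, then remove the old ones" idea applied to one custom chain as a generation swap. The new generation of the chain is built under a new name while the old one keeps filtering, the single jump rule in INPUT is re-pointed with one iptables -R call, and only then is the old chain flushed and deleted, so there is never a moment with no rules loaded. It assumes (not stated in the post) that the custom chain is named BASE_<generation>, e.g. SERVICES_v1, and that the jump into it is rule 1 of INPUT, placed there by the same script; the sample rule specs are constructed for the demo. The commands are printed as a plan so they can be reviewed before they touch a live firewall.

```shell
#!/bin/sh
# Added example (not from the original post): swap a custom chain's rules without
# a window in which no rules are loaded.
#
# Assumptions (labelled): the chain is named BASE_<generation>, e.g. SERVICES_v1,
# and the jump to it is rule number 1 of INPUT, put there by the same script.

# gen_chain_swap BASE OLD NEW  < rule-specs
# Reads one rule spec per line on stdin (everything after `-A CHAIN`) and prints
# the iptables commands that perform the swap, in order. Blank lines and lines
# starting with # are ignored so the rule file can carry comments.
gen_chain_swap() {
  base=$1; old=$2; new=$3
  printf 'iptables -N %s_%s\n' "$base" "$new"
  while IFS= read -r spec; do
    [ -n "$spec" ] || continue                  # skip blank lines
    case $spec in \#*) continue ;; esac         # skip comment lines
    printf 'iptables -A %s_%s %s\n' "$base" "$new" "$spec"
  done
  # The switch-over: a single rule replacement, so packets are matched by the old
  # chain right up to this call and by the new chain immediately after it.
  printf 'iptables -R INPUT 1 -j %s_%s\n' "$base" "$new"
  # Retire the previous generation only once nothing jumps to it any more.
  printf 'iptables -F %s_%s\n' "$base" "$old"
  printf 'iptables -X %s_%s\n' "$base" "$old"
}

# apply_chain_swap BASE OLD NEW  < rule-specs
# Executes the generated plan line by line, but only when iptables is installed
# and we are root; otherwise it prints the plan (dry run). Rule specs must not
# contain shell quoting, since each line is executed by plain word splitting.
apply_chain_swap() {
  plan=$(gen_chain_swap "$@")
  if command -v iptables >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    printf '%s\n' "$plan" | while IFS= read -r cmd; do
      $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
  else
    printf '%s\n' "$plan"
  fi
}

# Constructed sample ruleset: the next generation of the SERVICES chain.
SAMPLE_RULES='# constructed sample, not a real policy
-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-p tcp --dport 22 -j ACCEPT
-p tcp --dport 443 -j ACCEPT
-j DROP'

# Print the plan for moving SERVICES from generation v1 to v2.
printf '%s\n' "$SAMPLE_RULES" | gen_chain_swap SERVICES v1 v2
```

Because every step is a separate iptables call, the script only ever changes one rule at a time and the old chain stays in force until the -R line runs, which is what makes the swap safe for long-lived flows. Where the whole ruleset rather than one chain has to change at once, iptables-restore loads each table in a single commit and is the usual answer to the same problem.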
