LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Enterprise (https://www.linuxquestions.org/questions/linux-enterprise-47/)
-   -   No clarity with iptables save configuration (https://www.linuxquestions.org/questions/linux-enterprise-47/no-clarity-with-iptables-save-configuration-4175510175/)

RHCE_ran 07-04-2014 11:26 PM

No clarity with iptables save configuration
 
I have a query about iptables configuration. The sample /etc/sysconfig/iptables file has the contents below:

__________________________________________________________
# Generated by iptables-save v1.3.5 on Sat Dec 21 17:42:48 2013
*filter
:INPUT ACCEPT [395486230:305451389171]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [242867802:405321956718]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5667 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
COMMIT
__________________________________________________________

What if I want to add the 2 rules below to the configuration:

-A INPUT -p tcp -m state --state NEW -m tcp --dport 5668 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5669 -j ACCEPT

Can the above 2 rules be added by editing /etc/sysconfig/iptables with the vim editor and then restarting the iptables service with

service iptables restart

Would editing /etc/sysconfig/iptables with the vim editor add the rules to the iptables configuration?

I hope my question is clear.

Please reply to my query.

Regards

unSpawn 07-05-2014 04:40 AM

Quote:

Originally Posted by RHCE_ran (Post 5198894)
the sample /etc/sysconfig/iptables file has the contents as below

Please note the sample you posted provides an incomplete view of the rule set.
It also may not be the actual rule set in use.
Best post 'iptables-save' output instead.


Quote:

Originally Posted by RHCE_ran (Post 5198894)
Can the above 2 rules be added by editing /etc/sysconfig/iptables using vim editor and

Yes.

*Note that unless you need separate rules for specific reasons you may combine these 4 rules into 1 rule using the "multiport" module "--dports".


Quote:

Originally Posted by RHCE_ran (Post 5198894)
the iptables service restarted as

service iptables restart

Yes.
*That is, if you saved the rule set in your editor ;-p


Quote:

Originally Posted by RHCE_ran (Post 5198894)
Would editing the /etc/sysconfig/iptables using vim editor add the rules to the iptables configuration?

Yes and no. Editing /etc/sysconfig/iptables only adds the rules on disk. They need to be reloaded in memory and that is why you use either 'service iptables restart' (which is invasive) or interface with the 'iptables' binary directly:

Code:

# back up the live rule set before changing anything
iptables-save > `mktemp -p /tmp iptables_old.XXXXXXXXXX`
# list INPUT with positions, so the numbers used with -D below are known
iptables -t filter -n --line-numbers -L INPUT
# one multiport rule that covers all four ports
iptables -t filter -A INPUT -m tcp -p tcp -m state --state NEW -m multiport --dports 5667,5666,5668,5669 -j ACCEPT
# remove the two original single-port rules: rules 1 and 2 in the sample above (rule 2 becomes rule 1 after the first delete)
iptables -t filter -D INPUT 1
iptables -t filter -D INPUT 1
# save a copy of the result, to compare and to put into /etc/sysconfig/iptables
iptables-save > `mktemp -p /tmp iptables_new.XXXXXXXXXX`

*Note doing this without editing /etc/sysconfig/iptables means new / changed rules loaded in memory won't survive a service or machine reboot.
**Never execute given rule set changes (on production machines) without understanding the commands: see 'man iptables'. This may or may not be convenient ;-p
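The on-disk half of the same change, as an added example that is not part of unSpawn's reply or of any RHEL tooling: a POSIX shell script that rewrites an iptables-save style file (the format of /etc/sysconfig/iptables) so the single-port NEW/ACCEPT rules on INPUT become one "-m multiport --dports" rule, plus a separate function that loads the result with iptables-restore after taking a backup. The rule file is a constructed copy of the sample in the question; the names SAMPLE_RULES, merge_input_dports, load_rules and APPLY_RULES are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Rewrites an iptables-save format
# file (e.g. /etc/sysconfig/iptables) so that the per-port
# "-A INPUT -p tcp -m state --state NEW -m tcp --dport N -j ACCEPT" rules
# are replaced by one multiport rule, then optionally loads the result.
# Assumed names: SAMPLE_RULES, merge_input_dports, load_rules, APPLY_RULES.

# Constructed sample: the rule set quoted in the question, verbatim.
SAMPLE_RULES='# Generated by iptables-save v1.3.5 on Sat Dec 21 17:42:48 2013
*filter
:INPUT ACCEPT [395486230:305451389171]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [242867802:405321956718]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5667 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
COMMIT'

# merge_input_dports FILE [PORTS]
# Prints FILE with the single-port rules above removed and one
# "-m multiport --dports" rule, covering those ports plus the comma-separated
# PORTS, placed where the first removed rule sat (so a later REJECT/DROP in
# INPUT keeps its position). Rules carrying extra matches (-s, -i, ...) are
# not equivalent and are left alone. Counters and other tables pass through.
merge_input_dports() {
    awk -v extra="$2" '
        /^\*/ { table = substr($0, 2) }   # "*filter", "*nat", ...: current table
        table == "filter" && /^-A INPUT -p tcp -m state --state NEW -m tcp --dport [0-9]+ -j ACCEPT$/ {
            for (i = 1; i < NF; i++)
                if ($i == "--dport") ports = ports (ports != "" ? "," : "") $(i + 1)
            if (!slot) slot = ++n         # merged rule takes the first-rule position
            next                          # drop the single-port rule
        }
        table == "filter" && /^COMMIT$/ && !slot { slot = ++n }   # nothing merged: just before COMMIT
        { lines[++n] = $0 }
        END {
            if (extra != "") ports = ports (ports != "" ? "," : "") extra
            if (split(ports, p, ",") > 15) {   # xt_multiport takes at most 15 ports (a range a:b counts as 2)
                print "merge_input_dports: more than 15 ports, split into two rules" > "/dev/stderr"
                exit 1
            }
            for (i = 1; i <= n; i++) {
                if (i == slot) {
                    if (ports != "")
                        print "-A INPUT -p tcp -m state --state NEW -m multiport --dports " ports " -j ACCEPT"
                } else {
                    print lines[i]
                }
            }
        }' "$1"
}

# load_rules FILE: back up the live set (same step as in the reply above), then
# load the whole file at once with iptables-restore, which is what the
# RHEL/CentOS 5 and 6 "service iptables" script runs on start/restart. Root only.
load_rules() {
    backup=$(mktemp -p /tmp iptables_old.XXXXXXXXXX) || return 1
    iptables-save > "$backup" || return 1
    iptables-restore < "$1"
}

# Run stand-alone: show the merged result for the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$tmp"
merge_input_dports "$tmp" "5668,5669"
rm -f "$tmp"

# With APPLY_RULES=1 (and root): rewrite the real file and load it. Kept behind
# a switch so the script is safe to run for a look first.
if [ "${APPLY_RULES:-0}" = 1 ]; then
    merge_input_dports /etc/sysconfig/iptables "5668,5669" > /etc/sysconfig/iptables.new \
        && mv /etc/sysconfig/iptables.new /etc/sysconfig/iptables \
        && load_rules /etc/sysconfig/iptables
fi
```

The merged rule is put in the slot of the first single-port rule rather than appended, because in a real INPUT chain there is usually a terminal REJECT or DROP at the end and anything appended after it is dead. When the file contains nothing to merge, the rule goes just before COMMIT, which on such a chain is the wrong place, and that is exactly why the full iptables-save output, not a fragment, is what to look at first.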

