[SOLVED] A question about how to edit iptables rules
Hello,
Suppose you have written a lot of iptables rules and now you want to edit some lines or a specific value. If you save the rules to a file using the iptables-save command, then edit the file and restore it again using the iptables-restore command, is this method correct?
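The save/edit/restore workflow the question describes, written out as an added example (not code from the thread). The ruleset dump is constructed sample data; the only real commands used are iptables-restore and its --test dry run, and the edit and sanity-check helpers are this example's own, not part of any iptables tool.

```shell
#!/bin/sh
# Constructed iptables-save dump (sample data, not from the thread).
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed'

# edit_dport RULESET OLD NEW
# Rewrites "--dport OLD" on each rule line where it is followed by a jump
# target, leaving other ports untouched; prints the edited ruleset.
edit_dport() {
    printf '%s\n' "$1" | sed "s/--dport $2 -j/--dport $3 -j/"
}

# check_ruleset RULESET
# Cheap structural check before handing the file to iptables-restore:
# every "*table" header must be closed by a COMMIT, and there must be
# at least one table. Returns 0 when the dump looks well-formed.
check_ruleset() {
    tables=$(printf '%s\n' "$1" | grep -c '^\*' || true)
    commits=$(printf '%s\n' "$1" | grep -c '^COMMIT$' || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# apply_ruleset FILE
# The restore step from the question, with a dry run first:
# "iptables-restore --test" parses the file without committing it, so a
# typo introduced while editing is caught before the live ruleset is
# replaced. Must run as root; not exercised by the demo below.
apply_ruleset() {
    iptables-restore --test "$1" && iptables-restore "$1"
}

# Demo: move the accept rule from port 2222 to 22 and validate the result.
demo() {
    edited=$(edit_dport "$SAMPLE_RULES" 2222 22)
    check_ruleset "$edited" || { echo "edited ruleset is malformed" >&2; return 1; }
    printf '%s\n' "$edited"
}

demo
```

On a live system the edited text would be written to a file and passed to apply_ruleset; the --test pass is what makes a scripted edit safe to commit.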
However, if you are getting started, I'd highly encourage looking at NFTables instead because it is much easier to work with. In this case, you'd just edit the NFTables configuration file and then reload it. Also, IPTables is already a thing of the past and getting further out of date as time passes. It's going to go away and you'll move to NFTables at that point anyway. So the time and learning invested in IPTables is kind of a lost cause at this point.
Hello,
Thank you so much for your reply and offer.
It is true that NFTables is a replacement for iptables, but do you think this will happen soon? There is also a command called iptables-nft to translate iptables commands to NFTables. I guess at the current stage, iptables is more mature than NFTables.
For me and many others, NFTables has already replaced IPTables. So I would say the replacement has already happened.
I made the switch some years ago already (perhaps five) because IPTables did not support some of the activities I needed in networking. Since most development on IPTables was abandoned long ago, I would say that NFTables is now the mature technology and that IPTables is legacy software to be decommissioned from old systems when feasible, upon system upgrade at the latest. At this point time spent on IPTables will not provide a good return on the effort.
Conversion programs were not so useful for me so I went to native NFTables as soon as I could.
These two links seem to be the best starting place:
Can you tell me what problems the conversion programs gave you?
I found that they were not useful more often than not. Repairing their output took time and instead I invested that time in NFTables. It did not take long to learn NFTables. For me it turned out easier to learn than IPTables even though I have been dabbling with IPTables since its beginning.
I wrote a firewall script that blocks a few known problem areas of the net and does some other things. I can ban a host with it, and I set options to save and restore the state of iptables as functions in the shell script. Since it's under RCS, I use that to update the script. When I want to make changes, I change the script.
As far as nftables, if you don't know either iptables or nftables, then go with nftables as stated. Those of us that learned ipchains^h ebtables^h ip6tables^h iptables aren't happy about having to learn yet another packet filtering syntax, one that looks more like a Java or C++ program than filtering rules. As such, I think iptables will still be around a long time.
Hello,
Thank you so much for your reply.
I agree with:
Quote:
I think iptables will still be around a long time.