How can I reload IPTables without interrupting existing connections?
11,281
There are several methods to add new rules to current chains. For example;
You should write a shell script that reads ip addresses in a file and inserts them to chain.
#!/bin/bash for ip in `cat ipadresses.txt` do iptables -I INPUT -p tcp -s $ip -m multiport --dports80,443 -j ACCEPT doneYou should save current rules to a file and add rules directly inside file and restore rules from this file again.
/sbin/iptables-save > /path/to/save/iptables.rules or /sbin/iptables save > /path/to/save/iptables.rulesafter editing iptables.rules with any text editor you should duplicate any line and change the source ip address.
# Generated by iptables-save v1.4.14 on Tue Aug 19 00:22:21 2014 *mangle :PREROUTING ACCEPT [9809:4375246] :INPUT ACCEPT [9809:4375246] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [4718:585599] :POSTROUTING ACCEPT [4718:585599] COMMIT # Completed on Tue Aug 19 00:22:21 2014 # Generated by iptables-save v1.4.14 on Tue Aug 19 00:22:21 2014 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -s 1.2.3.4/32 -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -p tcp -m tcp --dport 443 -j DROP -A INPUT -j DROP -A INPUT -j LOG -A INPUT -j REJECT --reject-with icmp-port-unreachable -A OUTPUT -j ACCEPT COMMIT # Completed on Tue Aug 19 00:22:21 2014 # Generated by iptables-save v1.4.14 on Tue Aug 19 00:22:21 2014 *nat :PREROUTING ACCEPT [6:352] :POSTROUTING ACCEPT [70:4526] :OUTPUT ACCEPT [70:4526] COMMIT # Completed on Tue Aug 19 00:22:21 2014
After editing file you should restore rules by
iptables-restore < /path/to/save/iptables.rules
In conclusion;
- You dont need to flush all rules to add new ip, just insert new rule.
- You have a general drop rule so you dont need to more rules to drop pocket which have 80 and 443 destination ports.
- You dont need to execute iptables -I commands at every turn.
Related videos on Youtube
11 : 09
Computer Networking Tutorial - 40 - iptables Firewall Rules
34 : 05
iptables Demystified - Port Redirection and Forwarding HTTP Traffic to another machine (part 1)
31 : 02
iptables Complete Guide | HackerSploit Linux Security
02 : 52
How to cleanly and silently reload iptables rules? (5 Solutions!!)
02 : 26
DevOps & SysAdmins: How can I reload IPTables without interrupting existing connections?
Author by
Mike Curry
Updated on September 18, 2022Comments
-
Mike Curry over 1 year
I will be adding and removing entries to the script below automatically (adding ports 80/443 with different IP addresses). If I run this script, I am "assuming" that connections will be uninterrupted, unless however I remove an IP. Am I correct in this thought?
Here is my script:
iptables --flush iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -p tcp --dport ssh -j ACCEPT iptables -A INPUT -p tcp --dport 80 -s 1.2.3.4 -j ACCEPT iptables -A INPUT -p tcp --dport 443 -s 1.2.3.4 -j ACCEP iptables -A INPUT -p tcp --dport 80 -j DROPT iptables -A INPUT -p tcp --dport 443 -j DROP iptables -A INPUT -j DROP iptables -A OUTPUT -j ACCEPT iptables -A INPUT -j LOG iptables -A INPUT -j REJECT