[Firewall] Restart for firewall rules only

Rance Hall ranceh at gmail.com
Thu Nov 4 21:15:24 CET 2010


On Thu, Nov 4, 2010 at 2:36 PM, WC -Sx- Jones <aif-list at insecurity.org> wrote:
> On Thu, Nov 4, 2010 at 1:44 PM, Arno van Amersfoort
> <arnova at rocky.eld.leidenuniv.nl> wrote:
>> Weird. This means that one of the following is the probable cause:
>> 1) Some weird sysctl setting, set during boot time;
>> 2) Some weird kernel setting, set during compile time;
>> 3) The kernel contains some kind of patch causing this.
>>
>> I'm afraid there isn't much we can do about this in AIF itself.
>>
>> a.
>
> Hence the reason I mentioned using AIF as the firewall but not using
> it to "restart" the firewall -- there has to be a command-line syntax
> to just restart iptables and possibly avoid flushing the NAT down the
> drain :P

I'm not certain iptables supports what you want to do.  If it does,
then the following should work for you.

I'm reasonably sure you are going to have to write your own iptables
restart function to make this work.

iptables-save > iptables.conf

will write your current rules to a file.

You need to play with some command that flushes iptables to the state
you want, leaving nat tables intact; find that command and run it here.

Then you reload that file you saved earlier:

iptables-restore < iptables.conf

You'll need to review the output of iptables-save and see if NAT
states are in the file or not.  It might make finding an appropriate
flush command irrelevant.

I'd suggest that you create a new option for your firewall init file.
I'd leave reload the way it is now, so you still have it, and come up
with a new function called reload-custom and issue that when you get
what you want working.
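The save / selective flush / restore sequence sketched in this message, worked through as an added example (it is not code from the thread, from AIF, or from the iptables project). It relies on one documented iptables-restore behaviour: the tool only flushes and replaces the tables that actually appear in its input, so feeding it a dump trimmed down to the `*filter ... COMMIT` block reloads the filter rules and leaves the nat table exactly as it is, with no separate flush command needed. The function names (`table_only`, `reload_filter_only`, `filter_lines`, `mentions_nat`) and the sample dump are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): reload only the filter table so the
# nat table is left untouched. iptables-restore touches only the tables
# named in its input, so a dump reduced to the *filter block replaces the
# filter rules and leaves *nat (and *mangle) exactly as they are.

# Keep only the block for one table ("filter" by default) from an
# iptables-save dump read on stdin: from the "*table" line through COMMIT.
table_only() {
    awk -v want="*${1:-filter}" '
        $0 == want             { keep = 1 }
        keep                   { print }
        keep && $0 == "COMMIT" { keep = 0 }
    '
}

# Replace the live filter rules with those from a saved dump file,
# without flushing any other table. Usage: reload_filter_only iptables.conf
# (the file is the output of "iptables-save > iptables.conf").
reload_filter_only() {
    table_only filter < "$1" | iptables-restore
}

# Constructed sample dump for the demonstration below; not from a real host.
SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
# Completed'

# Number of lines in the filter-only view of the sample dump (7 expected:
# the *filter line, three chain policies, two rules, COMMIT).
filter_lines() {
    printf '%s\n' "$SAMPLE_DUMP" | table_only filter | wc -l | tr -d ' '
}

# Number of lines in the nat-only view (5 expected), to show the same
# function isolates any table by name.
nat_lines() {
    printf '%s\n' "$SAMPLE_DUMP" | table_only nat | wc -l | tr -d ' '
}

# Does the trimmed filter dump still mention the nat table? Prints yes/no;
# "no" means iptables-restore would not flush nat when fed this input.
mentions_nat() {
    if printf '%s\n' "$SAMPLE_DUMP" | table_only filter | grep -q '^\*nat'; then
        echo yes
    else
        echo no
    fi
}
```

Two points worth checking before wiring this into an init script as a `reload-custom` target: run `iptables-save` once and confirm the nat rules really do sit in their own `*nat` block (they will, but look at the file, as the message advises), and do not add `--noflush` to the restore, because with that flag iptables-restore appends to the existing filter chains instead of replacing them, so every reload would duplicate the rules.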

