iptables-save and restore rules

1. Overview

iptables provides two very useful tools for dealing with large rule sets: iptables-save and iptables-restore. iptables-save writes the rules to a file in a special format that differs only slightly from ordinary iptables script syntax, and iptables-restore loads the rules back from such a file.

2. Advantages

One of the most important reasons to use iptables-save and iptables-restore is that they can considerably speed up loading and saving rules. The problem with using scripts to change rules is that the iptables command must be run once for every rule, and every time iptables is called it first extracts the entire rule set from Netfilter kernel space, then inserts, appends or otherwise changes the rule in its own memory, and finally writes the new rule set from its memory back into kernel space. This takes a lot of time.
To solve this problem, you can use iptables-save and iptables-restore. iptables-save saves the rule set to a text file in a special format, and iptables-restore reloads that file into kernel space. The best part of these two commands is that the whole rule set is saved or loaded in a single call, instead of calling iptables once for each rule in a script. iptables-save runs once to extract the entire rule set from the kernel and write it to a file, while iptables-restore loads one table at a time. In other words, with a script, a large rule set is copied out of and back into the kernel over and over again, whereas with these tools the whole rule set is saved once and then installed one table at a time, which saves a lot of time.

3. Disadvantages

The main disadvantage of iptables-restore is that it cannot handle complex rule sets. For example, we may want to obtain the dynamically assigned IP address of a connection when the computer starts and then use it in the script; this is more or less impossible with iptables-restore. Another shortcoming is that its functionality is not complete. Because not many people use it, few people have run into its problems, and some matches and targets are not handled carefully when they are quoted, which may cause unexpected behavior.

4. How to use

iptables-save is used to save the current rules into a file for use by iptables-restore.

iptables-save [-c] [-t table ]

The -c parameter saves the values of the packet and byte counters, so that packet and byte statistics are not lost when the firewall is restarted. With -c, the firewall can be restarted without interrupting programs that rely on these counters. This parameter is off by default.
The -t parameter specifies the table to save; by default all tables are saved.
Output format:
Lines starting with # are comments. Each table starts with *, for example *mangle. Each table contains chains and rules. A chain is described as :<chain-name> <policy> [<packet-counter>:<byte-counter>]. For example, the chain name is PREROUTING, the policy is ACCEPT, and then come the packet counter and byte counter. These two counters are the same ones shown in the output of iptables -L -v. The description of each table ends with the keyword COMMIT, which indicates that at this point the rules must be loaded into the kernel.
Redirection can be used to save the configuration:

iptables-save -c > /etc/iptables-save

This will save the rule set to /etc/iptables-save, and there are also counters.

iptables-restore is used to load a rule set saved by iptables-save. It accepts input only from standard input, not from a file argument.

iptables-restore [-c] [-n]

The -c parameter loads the packet and byte counters. If you saved the counters with iptables-save and want to restore them now, you must use this parameter.
The -n parameter tells iptables-restore not to overwrite the existing tables or the rules in them. By default, all existing rules are cleared first.

The rule set should be loaded into the kernel correctly and work normally.
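As an added example that is not part of the original post, the shell script below checks a file in the format described above (*table headers, :chain lines, optional [packets:bytes] counters, COMMIT) before handing it to iptables-restore, and wraps the restore with a counter-preserving backup and rollback. SAMPLE_DUMP is constructed sample data, and safe_restore assumes a root shell where iptables-save and iptables-restore are available.

```shell
#!/bin/sh
# Added example (not code from the original post): sanity-check a file in
# iptables-save format, then load it with a rollback. SAMPLE_DUMP is constructed.
SAMPLE_DUMP=$(cat <<'EOF'
# constructed sample, in the format written by iptables-save -c
*filter
:INPUT DROP [120:9600]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [340:51200]
[100:8000] -A INPUT -i lo -j ACCEPT
[20:1600] -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
[0:0] -A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [5:400]
:POSTROUTING ACCEPT [3:240]
COMMIT
EOF
)

# Structural checks on stdin: every *table ends with COMMIT, nothing sits
# outside a table, and every -A/-I names a chain declared in that table.
# Exit 0 means well-formed (it says nothing about whether the policy is sane).
check_dump() {
    awk 'BEGIN { bad = 0 }
         /^#/ || /^[ \t]*$/ { next }
         /^\*/ { if (table != "") { print "missing COMMIT for *" table; bad = 1 }
                 table = substr($0, 2); for (k in chains) delete chains[k]; next }
         /^:/  { if (table == "") { print "chain outside table: " $0; bad = 1; next }
                 chains[substr($1, 2)] = 1; next }
         /^COMMIT$/ { if (table == "") { print "COMMIT without table"; bad = 1 }
                      table = ""; next }
         { if (table == "") { print "rule outside table: " $0; bad = 1; next }
           i = ($1 ~ /^\[/) ? 2 : 1            # skip the [pkts:bytes] written by -c
           if (($i == "-A" || $i == "-I") && !($(i + 1) in chains)) {
               print "unknown chain " $(i + 1) " in *" table; bad = 1 } }
         END { if (table != "") { print "missing COMMIT for *" table; bad = 1 }
               exit bad }'
}

# Load the file in $1 (needs root): back up the live rules with counters, do a
# parse-only pass with iptables-restore --test, then load for real and roll
# back to the backup if that fails.
safe_restore() {
    backup=$(mktemp) || return 1
    check_dump < "$1" && iptables-save -c > "$backup" || return 1
    iptables-restore --test < "$1" || return 1
    iptables-restore -c < "$1" || { iptables-restore -c < "$backup"; return 1; }
}
```

Run `safe_restore /etc/iptables-save` to apply a saved file; a malformed file is rejected by check_dump before any live rule is touched.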

Reminder:
If anything in the article above is unclear, please leave a comment in the comment area. We will reply as soon as we have time, thank you!

Origin blog.csdn.net/qq_20677327/article/details/107098070