Home / server / Questions / 622309
Accepted
Kladskull
Asked: 2014-08-19 15:25:05 +0800 CST

How can I reload IPTables without interrupting existing connections?

  • 772

I will be adding and removing entries to the script below automatically (adding ports 80/443 with different IP addresses). If I run this script, I am "assuming" that connections will be uninterrupted, unless however I remove an IP. Am I correct in this thought?

Here is my script:

iptables --flush
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -p tcp --dport ssh -j ACCEPT

iptables -A INPUT -p tcp --dport  80 -s 1.2.3.4 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 1.2.3.4 -j ACCEP

iptables -A INPUT -p tcp --dport 80 -j DROPT
iptables -A INPUT -p tcp --dport 443 -j DROP

iptables -A INPUT -j DROP
iptables -A OUTPUT -j ACCEPT
iptables -A INPUT -j LOG
iptables -A INPUT -j REJECT
ubuntu

1 Answers

  1. Best Answer

    There are several methods to add new rules to current chains. For example;

    • You should write a shell script that reads ip addresses in a file and inserts them to chain.

      #!/bin/bash
for ip in `cat ipadresses.txt`
do
    iptables -I INPUT -p tcp -s $ip -m multiport --dports80,443 -j ACCEPT
done

    • You should save current rules to a file and add rules directly inside file and restore rules from this file again.

      /sbin/iptables-save > /path/to/save/iptables.rules
or
/sbin/iptables save > /path/to/save/iptables.rules

      after editing iptables.rules with any text editor you should duplicate any line and change the source ip address.

       # Generated by iptables-save v1.4.14 on Tue Aug 19 00:22:21 2014
*mangle
:PREROUTING ACCEPT [9809:4375246]
:INPUT ACCEPT [9809:4375246]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4718:585599]
:POSTROUTING ACCEPT [4718:585599]
COMMIT
# Completed on Tue Aug 19 00:22:21 2014
# Generated by iptables-save v1.4.14 on Tue Aug 19 00:22:21 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 1.2.3.4/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j DROP
-A INPUT -j DROP
-A INPUT -j LOG
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Tue Aug 19 00:22:21 2014
# Generated by iptables-save v1.4.14 on Tue Aug 19 00:22:21 2014
*nat
:PREROUTING ACCEPT [6:352]
:POSTROUTING ACCEPT [70:4526]
:OUTPUT ACCEPT [70:4526]
COMMIT
# Completed on Tue Aug 19 00:22:21 2014

    After editing file you should restore rules by

        iptables-restore < /path/to/save/iptables.rules

    In conclusion;

    • You dont need to flush all rules to add new ip, just insert new rule.
    • You have a general drop rule so you dont need to more rules to drop pocket which have 80 and 443 destination ports.
    • You dont need to execute iptables -I commands at every turn.
    • 3