
I'm pretty new to networking and am trying to do some simple configuration for a server for LAN access ( SSH & HTTP ) using iptables. I'm using CentOS7 if that matters. I've been working form tutorials and they seem to suggest as the first step to flush all the existing rules. I'm working on a new CentOS install and I have a couple terminal windows of rules and I definitely don't know enough to try to restore them if I kill them and I definitely don't know what they do so I'm afraid if I kill them networking issues I don't understand will start happening or I'll open my server to security risks. In these tutorials they don't bother to explain why flushing the current rules is done. Am I OK without flushing as long as there's not another rule in place that conflicts with the ones I add at the end? If I do flush will everything be restored at restart as long as I don't use iptable's save?

Cœur
WebSnake

1 Answer


Flushing the current rules is not required but sometimes it's better to start with a clean slate. Even if one doesn't want to break the current configuration, it might prove more beneficial to rebuild it entirely from scratch. That is, not just in respect to the simplicity & efficiency of the resulting configuration, but also mentally while trying to come up with the correct rules.

If one chooses to keep the current configuration and build upon it, he should bear in mind that the order of the rules matters. The -I argument can be used to insert new rules into a specific position in a specified chain, as written in the iptables man page:

-I, --insert chain [rulenum] rule-specification

Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.


Before modifying anything, it is advisable to save the current configuration to a file:

iptables-save > <filename>

This file can be used later on to restore the original configuration:

iptables-restore < <filename>

Rules created with the iptables command are stored in memory. If the system is restarted before explicitly stating otherwise, the current rule set is lost. On CentOS7, this is done by:

service iptables save

The details of this command line can be found here:

This executes the iptables init script, which runs the /sbin/iptables-save program and writes the current iptables configuration to /etc/sysconfig/iptables. The existing /etc/sysconfig/iptables file is saved as /etc/sysconfig/iptables.save.

The next time the system boots, the iptables init script reapplies the rules saved in /etc/sysconfig/iptables by using the /sbin/iptables-restore command.


Note that on CentOS7, firewalld was introduced to manage iptables. This answer explains how the classic iptables setup can be restored.

Yoel
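The point about rule order in the answer above is easy to get wrong in practice: a stock INPUT chain usually ends in a catch-all REJECT, so a rule appended with -A lands after it and never fires, while the same rule inserted with -I before the catch-all works. The following simulation of first-match chain evaluation is an added example, not code from the question or the answer. The chain contents are a constructed, simplified approximation of a default CentOS 7 INPUT chain, and the LAN range 192.168.1.0/24 and the sample source addresses are made-up values.

```python
"""Simulate first-match evaluation of an iptables chain to show why -A vs -I matters.

Added example (constructed chain, not a dump from a real system).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    target: str                    # ACCEPT, DROP or REJECT
    proto: Optional[str] = None    # "tcp", "udp" or None for any protocol
    dport: Optional[int] = None    # destination port, None for any
    src: Optional[str] = None      # source CIDR such as "192.168.1.0/24", None for any
    iface: Optional[str] = None    # input interface such as "lo", None for any
    state: Optional[str] = None    # "NEW" or "ESTABLISHED", None for any


@dataclass
class Packet:
    proto: str
    dport: int
    src: str
    iface: str = "eth0"
    state: str = "NEW"


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only if every criterion it specifies matches the packet."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.state is not None and rule.state != pkt.state:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """The first matching rule decides; the chain policy applies if nothing matches."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


def append_rule(chain: List[Rule], rule: Rule) -> None:
    """Equivalent of 'iptables -A INPUT ...': the rule goes to the end of the chain."""
    chain.append(rule)


def insert_rule(chain: List[Rule], rule: Rule, rulenum: int = 1) -> None:
    """Equivalent of 'iptables -I INPUT [rulenum] ...': 1-based position, default head."""
    chain.insert(rulenum - 1, rule)


def default_input_chain() -> List[Rule]:
    """Constructed, simplified stand-in for a stock CentOS 7 INPUT chain."""
    return [
        Rule("ACCEPT", state="ESTABLISHED"),            # replies to existing connections
        Rule("ACCEPT", iface="lo"),                     # loopback traffic
        Rule("ACCEPT", proto="tcp", dport=22, state="NEW"),  # SSH
        Rule("REJECT"),                                 # catch-all: everything else
    ]


LAN_HTTP_RULE = Rule("ACCEPT", proto="tcp", dport=80, src="192.168.1.0/24")  # constructed LAN range


def appended_http_rule_result() -> str:
    """HTTP from the LAN after appending the rule with -A (lands behind the REJECT)."""
    chain = default_input_chain()
    append_rule(chain, LAN_HTTP_RULE)
    return evaluate(chain, Packet(proto="tcp", dport=80, src="192.168.1.42"))


def inserted_http_rule_result() -> str:
    """HTTP from the LAN after inserting the rule with -I at position 4 (before the REJECT)."""
    chain = default_input_chain()
    insert_rule(chain, LAN_HTTP_RULE, rulenum=4)
    return evaluate(chain, Packet(proto="tcp", dport=80, src="192.168.1.42"))


def inserted_http_rule_non_lan_result() -> str:
    """Same inserted rule, but HTTP from outside the LAN still hits the catch-all."""
    chain = default_input_chain()
    insert_rule(chain, LAN_HTTP_RULE, rulenum=4)
    return evaluate(chain, Packet(proto="tcp", dport=80, src="203.0.113.7"))


if __name__ == "__main__":
    print("appended with -A, LAN client:  ", appended_http_rule_result())
    print("inserted with -I 4, LAN client:", inserted_http_rule_result())
    print("inserted with -I 4, non-LAN:   ", inserted_http_rule_non_lan_result())
```

On a real system the position to pass to -I can be read from `iptables -L INPUT -n --line-numbers`; the number of the catch-all REJECT line is where the new ACCEPT rule has to go in front of. Checking the result the same way (or with `iptables-save`) after each change, having first saved the original ruleset as the answer describes, is the low-risk way to extend an existing configuration instead of flushing it.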