I have very complicated and long iptables script. I have a script which simply flushes all rules and custom chains, then reloads everything from scratch. This approach works well, to some extent. The problem is that a script with custom chains, ipsets and such is getting very complicated and error prone. Aside from that, some high-throughput traffic runs into the partially restored firewall, which ends up in very bad conntrack entries, which require manual intervention to restore functionality. Lots of stuff breaks if there is no rule for more than 50 ms. I have a lot of sensitive traffic, like E1 lines encapsulated into IP packets and many others. I can't afford to just drop all rules and reinsert them, because this is simply too slow. The solution would be to append new rules at the end of the current ones, then to remove the old ones, which can theoretically result in a continuous ruleset in place. It is not possible to operate on the existing iptables configuration by doing manual inserts/replaces or deletions.

iptables-restore is guaranteed to be atomic and is thus the only reliable way to do seamless rule replacement. My suggestion to you in terms of getting the iptables-restore format would be to run your script against a VM or in a separate network namespace on the live machine and then use iptables-save to grab it.

Since you have installed iptables, try to disable and mask the firewalld service and check once: systemctl disable firewalld; systemctl mask firewalld. Restart iptables: service iptables restart. Save: service iptables save, and reboot.
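As an added example, not code from the question or from either answer: a POSIX shell script that does what the first answer describes. It renders the ruleset once (either from an inline template, or by running the old flush-and-rebuild script inside a throwaway network namespace and capturing it with iptables-save), checks it with iptables-restore --test, and only then swaps it into the live kernel tables in one iptables-restore call, so there is never a window with no rules. The chain name MGMT, the 192.0.2.0/24 management network, port 22 and the script-path argument are made-up illustration values.

```bash
#!/bin/sh
# Added example (not from the question or answers): atomic iptables
# reload via iptables-restore instead of flush-and-rebuild.
# All names, addresses and ports below are constructed for illustration.
set -eu

# Emit a complete ruleset in iptables-save format. Everything between
# "*filter" and "COMMIT" is loaded as ONE table replacement by
# iptables-restore; the old table is swapped out in the same operation,
# so no packet is ever evaluated against an empty or half-built table.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MGMT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j MGMT
-A MGMT -s 192.0.2.0/24 -j ACCEPT
-A MGMT -j DROP
COMMIT
EOF
}

# The answer's suggestion: run the legacy script ("$1", assumed path)
# inside a scratch network namespace, where it can flush and rebuild as
# slowly as it likes without touching the live tables, then dump the
# result as restore-format text. Needs root and iproute2.
render_in_netns() {
    ns="fwbuild$$"
    ip netns add "$ns"
    if ! ip netns exec "$ns" sh "$1"; then
        ip netns delete "$ns"
        return 1
    fi
    ip netns exec "$ns" iptables-save
    ip netns delete "$ns"
}

# Parse-check the text without changing anything. Returns 0 if
# iptables-restore would accept it.
check_ruleset() {
    build_ruleset | iptables-restore --test
}

# Replace the live filter table atomically. If the input is rejected,
# iptables-restore changes nothing, so a typo in the script cannot leave
# the host wide open or lock you out.
apply_ruleset() {
    if ! check_ruleset; then
        echo "ruleset rejected by iptables-restore --test; live tables untouched" >&2
        return 1
    fi
    build_ruleset | iptables-restore
}
```

Two caveats a practitioner will hit: iptables-restore is atomic per table, so the *filter and *nat blocks are still swapped one after the other; and rules that match on ipsets need the sets to exist before the restore runs, so load them first with ipset restore (sets, like tables, are per network namespace, so render_in_netns only captures the rules, not the set contents).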