Iptables-save/iptables-restore

From NovaOrdis Knowledge Base
Jump to navigation Jump to search

Internal

iptables-save/iptables-restore vs Individual Commands

One of the biggest reasons for using the iptables-save and iptables-restore commands is that they will speed up the loading and saving of larger rule-sets considerably. The main problem with running a shell script that contains iptables rules is that each invocation of iptables within the script will first extract the whole rule-set from the Netfilter kernel space, and after this, it will insert or append rules, or do whatever change to the rule-set that is needed by this specific command. Finally, it will insert the new rule-set from its own memory into kernel space. Using a shell script, this is done for each and every rule that we want to insert, and for each time we do this, it takes more time to extract and insert the rule-set.

iptables-save/iptables-restore will load and save the rule-set in one single request. iptables-save will grab the whole rule-set from kernel and save it to a file in one single movement. iptables-restore will upload that specific rule-set to kernel in a single movement for each table. In other words, instead of dropping the rule-set out of kernel some 30,000 times, for really large rule-sets, and then upload it to kernel again that many times, we can now save the whole thing into a file in one movement and then upload the whole thing in as little as three movements depending on how many tables you use.

iptables-restore has drawbacks - for example it cannot insert dynamic values, which is possible using individual iptables commands.

Dump the Current Content so it Can Be Reused Later

iptables-save dumps the content at stdout, in the format that can be used directly in the configuration file.

iptables-save > 2013.04.13-iptables.cfg

Configure from a Previously Saved Configuration File

iptables-restore < 2013.04.13-iptables.cfg

By default iptables-restore will flush the tables before rebuilding them.

The values between [:] are packet/byte counters, which can be saved and restored between reboots.