Re: iptables restart hangs

Chris Miller wrote:
> [root@sea-fw1 ~]# /etc/init.d/iptables condrestart
> Flushing firewall rules: [ OK ]
> Setting chains to policy ACCEPT: filter nat [ OK ]
> Unloading iptables modules:
>
> Hangs there and never moves on.

Are you really sure you want to do everything that the iptables script does when restarting?

While it might seem cleaner to completely reset the firewall each time you change its configuration, it has some dirty consequences.

By unloading the nat (and related) conntrack modules, you will lose all connection tracking information. While in some cases this might be just what you wanted to do, usually you don't want to affect existing connections. Imagine the frustration of somebody who was downloading a 3GB DVD image from your FTP server. And then you restarted your firewall when his transfer was almost complete. His connection becomes history. Now imagine you had 20 such users doing transfers at the time the firewall was restarted.

Also, keep in mind that by doing /etc/init.d/iptables restart, there will be that small window when you do not have any firewall, and a very short period when you have a firewall with no rules at all. If there's an error in the new /etc/sysconfig/iptables file, you'll be left with a firewall with no rules loaded.

If you are using the /etc/sysconfig/iptables file to store your firewall config, just do:

# iptables-restore /etc/sysconfig/iptables

This will load the rules into the kernel, while preserving all state information that existed previously (because the conntrack module is not unloaded).

By doing iptables-restore, the new rules will simply replace the old rules in your running firewall in a single atomic operation. If loading of the new rules fails, the old rules stay in effect. Your firewall is up, running and fully operational the whole time.

--
Aleksandar Milivojevic <amilivojevic@xxxxxx>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
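A reload script built around the iptables-restore approach described in the reply above, added here as an example and not taken from the thread: it checks that the rules file parses before touching the kernel, snapshots the running rules with iptables-save, loads the new file, and rolls back if the load fails, all without unloading the conntrack module. It assumes an iptables-restore that understands --test (iptables 1.4.x or later), root privileges, and the IPTABLES_RESTORE / IPTABLES_SAVE hook variables, which are this script's own invention.

```shell
#!/bin/sh
# Safe firewall reload without touching conntrack state (added example).
# Assumptions: iptables-restore supports --test (iptables >= 1.4.x) and the
# script runs as root. $IPTABLES_RESTORE / $IPTABLES_SAVE are hooks of this
# script (not real iptables knobs) so the logic can be exercised without root.
RESTORE=${IPTABLES_RESTORE:-iptables-restore}
SAVE=${IPTABLES_SAVE:-iptables-save}

# Number of tracked flows, or 0 when the table is not readable. Shown before
# and after so you can see the count survive, unlike with the init script.
conntrack_count() {
    if [ -r /proc/net/nf_conntrack ]; then
        wc -l < /proc/net/nf_conntrack | tr -d ' '
    else
        echo 0
    fi
}

# Structural check that needs no kernel access: every "*table" block in an
# iptables-save format file must be closed by its own COMMIT line.
check_rules_file() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT' "$f" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# Parse-check the new rules, snapshot the running rules, then swap them in.
# iptables-restore replaces tables one at a time, so if a later table fails
# to load the earlier ones are already swapped; the snapshot lets us roll back.
safe_reload() {
    f=$1
    check_rules_file "$f" || return 1
    "$RESTORE" --test < "$f" || { echo "$f does not parse, nothing changed" >&2; return 1; }
    before=$(conntrack_count)
    snapshot=$(mktemp) || return 1
    "$SAVE" > "$snapshot" || { rm -f "$snapshot"; return 1; }
    if ! "$RESTORE" < "$f"; then
        echo "load failed, rolling back to previous rules" >&2
        "$RESTORE" < "$snapshot"
        rm -f "$snapshot"
        return 1
    fi
    rm -f "$snapshot"
    echo "rules loaded; conntrack entries before=$before after=$(conntrack_count)"
}

# Usage: safe-reload.sh /etc/sysconfig/iptables
if [ $# -gt 0 ]; then safe_reload "$1"; fi
```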
