--On Thursday, December 01, 2005 11:51 AM -0500 Bob Kryger <bobk@xxxxxxxxx>
wrote:
In fedora, once you get the rules the way you want them, run
'/etc/init.d/iptables save' to update the /etc/sysconfig/iptables file.
I never edit the sysconfig file by hand, although I will make copies of
the file as backup.
Instead of using the path to the init script, you can use "service iptables
save". The "service" command figures out where the initscript is.
I do back up my sysconfig file before messing with the firewall, but I often
edit it once I've backed it up. The format isn't too tough to decipher.
Each line has the stuff after "iptables -t majortable -A minortablename".
The major and minor tables are in groups. The counters for each rule can
optionally appear at the beginning of the line in brackets.
The big win in using the save file over individual rule invocations is that
it gets loaded into the kernel in one gulp, with only one locking of the
kernel structure. This makes it much faster when you have a lot of rules.
Some iptables helper programs can generate hundreds of rules, so this makes
your firewall loading much less painful.
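As an added illustration of the save-file format described in the reply (this is not code from either poster), the script below turns text in the /etc/sysconfig/iptables (iptables-save) format back into the individual "iptables -t table ..." invocations the file omits, dropping the optional bracketed counters and emitting -N / -P for the chain header lines. The save-file contents are a constructed sample with made-up counter values.

```shell
#!/bin/sh
# Added example: expand an iptables-save style file into per-rule iptables
# commands. Table headers ("*filter"), chain headers (":INPUT ACCEPT [0:0]"),
# optional "[packets:bytes]" counters and "COMMIT" lines are all handled.

# Constructed sample in iptables-save format (counters are assumed values).
SAMPLE_SAVE='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
[1234:567890] -A INPUT -j RH-Firewall-1-INPUT
[12:960] -A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed'

# Read save-format text on stdin; print one iptables command per line.
save_to_commands() {
    awk '
        /^#/ || /^COMMIT$/ { next }              # comments, table terminators
        /^\*/ { table = substr($0, 2); next }    # "*filter" -> current table
        /^:/ {                                   # chain header line
            chain = substr($1, 2)
            if ($2 == "-") print "iptables -t " table " -N " chain
            else           print "iptables -t " table " -P " chain " " $2
            next
        }
        {
            sub(/^\[[0-9]+:[0-9]+\] /, "")       # strip optional counters
            print "iptables -t " table " " $0
        }
    '
}

# Number of -A rule lines in a save file: a quick sanity check before loading.
count_rules() {
    printf '%s\n' "$1" | save_to_commands | grep -c ' -A '
}

printf '%s\n' "$SAMPLE_SAVE" | save_to_commands
```

Feeding a real /etc/sysconfig/iptables through save_to_commands lets you diff the rules you think you saved against what the file actually holds.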