Is it enough adding iptables rules without restart?

iptables

Solution 1:

For clarity, the iptables-save command's function is not to activate rules, its purpose is to save the rules for later usage. Common uses are :

iptables-save > iptables.dat

This saves the current rules to iptables.dat. You can restore this rule set with the command:

iptables-restore < iptables.dat

You can put this line in rc.local to restore the rules after reboot, because a reboot clears all rules by default.

Solution 2:

@cewebugil As far as your original question is it is sufficient to apply IPTABLE rules.The moment you apply IPTABLE rule it immediately becomes active.But it will not survive a reboot.

To be able to survive IPTABLES a reboot in your network configuration file /etc/network/interfaces file (I am referring to a Debian/Ubuntu system) you need to add some where
pre-up iptables-restore < firewall.txt

Check this thread confusion in setting up a firewall on bridge and this link http://www.debian-administration.org/articles/445

Two good practises to save your self from a lock

1) It is always a good idea while testing IPTABLES to have a cron job entry that flushes your rules every 15 minutes or so.So that if you by chance apply wrong rule after 15 minutes that rule is deleted and you can login again.That will save you from a possible lock down if some IPTABLE rule was wrong.

2) This can also be done by

 iptables-restore < iptables_rules; sleep 30; iptables-restore < clean_rules

The idea is apply the rules, wait 30 seconds and apply a set of rules to allow all access. When you execute this line, press enter a couple of times and two things can happen:

Your rules locked you out (pressing enter does not show on the screen, so wait the time to run out and they will be cleared; If your rules work and you can see the new lines on the screen, CTRL+C before the sleep ends and you're good.

Solution 3:

Yes, once you have added a rule to iptables it becomes active immediately - this is why you should be careful with your rules as it is possible to lock yourself out.

Related

How can I return a 503 status in apache without invoking external scripts
Using rsync from msysgit for binary files
crontab execution doesn't have the same environment variables as executing user
Why does this URL with excessive preceding dots resolve to an IP address?
PHP: What are the advantages of FastCGI over mod_php?
mv, rename if exists
How to keep haproxy log messages out of /var/log/syslog
How to find the Chef environment in a recipe?
Can I reuse a SSL CSR?
INSERT with SELECT
Pandas: drop a level from a multi-level column index?
When should I use the Visitor Design Pattern? [closed]