iptables best practice... or paranoia...

Support for security such as Firewalls and securing linux
CaViCcHi
Posts: 68
Joined: 2012/04/18 17:03:15

iptables best practice... or paranoia...

Post by CaViCcHi » 2017/05/26 23:02:13

Hi guys,

I was wondering something about iptables and if what I'm about to say is a big "no-no"

Is it bad practice to flush and restore/load all your rules anew? Of course it's done via a script, so once one is done the other one starts, so maybe a second total.

But then I wondered: what about that split second where the firewall is basically off? I mean, I know I don't work at NORAD so... it's not a big deal. But still I do wonder if it's something people do... and if it's just a "bad practice" when your infrastructure is at actual risk.

thanks :)

TrevorH
Site Admin
Posts: 33220
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables best practice... or paranoia...

Post by TrevorH » 2017/05/27 14:17:03

It's definitely bad practice if you have rules that use connection tracking as stop/start of iptables kills all record of those established connections and they have to be reconnected.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

jlehtone
Posts: 4531
Joined: 2007/12/11 08:17:33
Location: Finland

Re: iptables best practice... or paranoia...

Post by jlehtone » 2017/05/27 16:39:48

Is the netfilter ever actually "off"? All we do with iptables is to add or remove rules.

There is always the default for each builtin chain, although that is "accept" by default.
If those are set to "deny" before network starts and never changed, then the only
things that get through are by explicit rules.

After flushing all chains, and before adding new rules, all packets do drop as per
our default deny. Yes, that should more or less massacre existing connections.

If you do add rules with a script, they activate one at a time and the order makes a difference.
Cf. iptables.service, which loads a whole ruleset atomically.


Yes, the default of "accept" is "bad practice".
Tampering with netfilter rules without profound understanding is also bad practice.


PS. CentOS 7 has firewalld.service, and thus you don't have to touch iptables.service or
iptables to tamper with netfilter.
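As an added example, not code from either poster: the "flush, then add rules one at a time" script the original question describes is what leaves the empty-chain window, and the answer above points at the alternative, which is to hand a complete ruleset to iptables-restore so it is swapped in as one unit. The script below builds such a ruleset in iptables-save format with default-deny policies on INPUT and FORWARD, keeps established connections alive through a conntrack rule, sanity-checks the text so a typo cannot silently turn into "default accept", parses it with `iptables-restore --test` before committing, and only loads it when run as root with `--apply`. The interface-free rules, the port list (22, 80, 443) and the file name `iptables-atomic.sh` are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): load a complete ruleset atomically
# with iptables-restore instead of flushing and re-adding rules one by one.
# Assumed policy: SSH on tcp/22 and web on tcp/80,443 are the only new
# inbound connections allowed; everything else is dropped by policy.

# Emit the whole ruleset in iptables-save format. Policies are DROP, so the
# only traffic that passes is what the explicit rules allow.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Check the generated text before it goes anywhere near the kernel:
# default-deny policies present, established traffic kept, table committed.
# Returns 0 on success, 1 on the first missing line.
check_ruleset() {
    rules="$1"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP'   || return 1
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    printf '%s\n' "$rules" | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' || return 1
    printf '%s\n' "$rules" | grep -q '^COMMIT$'       || return 1
    return 0
}

# iptables-restore parses the entire file first and then replaces the table
# in one step, so there is no moment with the chains flushed and empty.
# --test only parses; running it first means a syntax error leaves the live
# ruleset untouched instead of failing half-way through a load.
apply_ruleset() {
    rules="$1"
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    printf '%s\n' "$rules" | iptables-restore
}

main() {
    rules="$(build_ruleset)"
    check_ruleset "$rules" || { echo "ruleset failed sanity check" >&2; return 1; }
    if [ "$(id -u)" -eq 0 ]; then
        apply_ruleset "$rules"
    else
        echo "not root: printing the ruleset instead of loading it" >&2
        printf '%s\n' "$rules"
    fi
}

# Only touch the firewall when explicitly asked: sh iptables-atomic.sh --apply
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Run as a non-root user with `--apply` it just prints the ruleset, which is a convenient way to review it; as root it loads the table in one step. The same text, saved to `/etc/sysconfig/iptables` on CentOS 6/7, is what iptables.service feeds to iptables-restore, which is why the service does not have the gap the script-per-rule approach has.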
