A.4.1. Configuration management: iptables-utils

The packet filter configuration must be activated on every startup of the firewall or the managed host; therefore the configuration is stored in configuration files on the machine. MS uses the iptables-utils package to handle the packet filter configuration. This package is responsible for loading the ruleset upon startup and makes administration easier by supporting variables. It also prevents accidental lock-out from the box by a misconfiguration. The package is self-contained and can be used separately from MS.

iptables-utils uses four configuration files to manage the configuration:

  • iptables.conf.var

    This file stores the variables that can be used in the policy. These variables are not the same as MS variables and are not involved in MS-based configuration.

  • iptables.conf.in

    This file stores the policy itself, with unresolved variables.

  • iptables.conf.new

    This file stores the configuration generated from iptables.conf.in and iptables.conf.var, that is, the policy with the variables resolved.

  • iptables.conf

    This file stores the active configuration. The startup policy is loaded from this file.

Three small utilities, all part of the iptables-utils package, manage these files. iptables-gen generates iptables.conf.new from iptables.conf.in and iptables.conf.var. iptables-test loads the policy from iptables.conf.new, lets it run for 10 seconds and then reloads the old configuration from iptables.conf, which is assumed to be functional; this is what prevents lock-outs, because a new ruleset that cuts off your own administrative session is reverted automatically when the timer expires. If the new configuration works, iptables-commit makes it effective: it loads the new configuration and replaces iptables.conf with it.

The packet filter system is controlled with the /etc/init.d/iptables-utils init script, which also loads the configuration policy at start-up. On start, it only loads the policy stored in iptables.conf. On restart, it generates a new configuration with iptables-gen and attempts to load it. If any error occurs, it reverts to the old configuration stored in iptables.conf; if loading succeeds, it replaces iptables.conf with iptables.conf.new. For further information on iptables-utils, see the manual page of the utility.
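The gen / test / commit / restart cycle described above, as an added shell example. It is not the iptables-utils package's own code and does not call iptables-gen, iptables-test or iptables-commit; it reimplements the same pattern on top of plain iptables-restore(8). The file location (/etc/iptables-utils), the NAME=VALUE layout of iptables.conf.var, the ${NAME} placeholder syntax and the use of iptables-save(8) format for the policy files are all assumptions made for this example, not documented behaviour of iptables-utils; the real formats are in its manual page.

```sh
#!/bin/sh
# Added example: a minimal gen / test / commit / restart cycle in the spirit of
# iptables-utils. NOT the iptables-utils package's own code.
# Assumptions (not taken from the documentation):
#   - iptables.conf.in / iptables.conf.new / iptables.conf are in
#     iptables-save(8) format and are loaded with iptables-restore(8);
#   - iptables.conf.var holds one NAME=VALUE per line, '#' starts a comment;
#   - placeholders in iptables.conf.in are written as ${NAME};
#   - the files live in $CONF_DIR (default /etc/iptables-utils, assumed).

CONF_DIR="${CONF_DIR:-/etc/iptables-utils}"
TEST_SECONDS="${TEST_SECONDS:-10}"   # how long iptables_test keeps the new ruleset

# iptables_gen VARFILE INFILE OUTFILE
# Resolve every ${NAME} in INFILE from VARFILE and write the result to OUTFILE.
# Fails if any placeholder is left unresolved: an unresolved variable inside a
# rule locks you out just as surely as a typo, so such a file must never be loaded.
iptables_gen() {
    varfile=$1; infile=$2; outfile=$3
    script=''
    while IFS='=' read -r name value; do
        case $name in ''|'#'*) continue ;; esac
        # escape backslash, '&' and '/' so the value is safe in a sed replacement
        esc=$(printf '%s' "$value" | sed 's/\\/\\\\/g; s/&/\\&/g; s,/,\\/,g')
        script="$script;s/\\\${$name}/$esc/g"
    done < "$varfile"
    sed "${script#;}" "$infile" > "$outfile" || return 1
    if grep -Fq '${' "$outfile"; then
        echo "iptables_gen: unresolved variable in $outfile:" >&2
        grep -Fn '${' "$outfile" >&2
        return 1
    fi
}

# iptables_test NEWCONF OLDCONF
# Load NEWCONF, keep it active for TEST_SECONDS, then put OLDCONF back.
# OLDCONF is assumed to be a working ruleset: if NEWCONF cuts off your own
# session, you get it back when the timer expires.
iptables_test() {
    new=$1; old=$2
    iptables-restore < "$new" || { echo "iptables_test: new ruleset rejected" >&2; return 1; }
    echo "new ruleset active for ${TEST_SECONDS}s; check that your session still works"
    sleep "$TEST_SECONDS"
    iptables-restore < "$old"
}

# iptables_commit NEWCONF CONF
# Load NEWCONF and, only if the kernel accepted it, make it the boot-time CONF.
iptables_commit() {
    new=$1; conf=$2
    iptables-restore < "$new" || return 1
    cp -- "$new" "$conf"
}

# iptables_restart
# Mirrors what the text describes for "/etc/init.d/iptables-utils restart":
# regenerate, try to load, fall back to the old iptables.conf on error,
# replace iptables.conf with iptables.conf.new on success.
iptables_restart() {
    d=$CONF_DIR
    iptables_gen "$d/iptables.conf.var" "$d/iptables.conf.in" "$d/iptables.conf.new" || return 1
    if iptables-restore < "$d/iptables.conf.new"; then
        cp -- "$d/iptables.conf.new" "$d/iptables.conf"
    else
        echo "iptables_restart: new ruleset rejected, reverting to iptables.conf" >&2
        iptables-restore < "$d/iptables.conf"
        return 1
    fi
}

# Command-line entry point; nothing runs when the file is sourced without arguments.
if [ $# -gt 0 ]; then
    d=$CONF_DIR
    case $1 in
        gen)     iptables_gen "$d/iptables.conf.var" "$d/iptables.conf.in" "$d/iptables.conf.new" ;;
        test)    iptables_test "$d/iptables.conf.new" "$d/iptables.conf" ;;
        commit)  iptables_commit "$d/iptables.conf.new" "$d/iptables.conf" ;;
        restart) iptables_restart ;;
        *)       echo "usage: $0 gen|test|commit|restart" >&2; exit 2 ;;
    esac
fi
```

iptables_gen can be exercised without root and without a running iptables; the other three functions need both. iptables-restore loads a file atomically, so a rejected file leaves the old ruleset untouched, which is what makes the fall-back in iptables_restart meaningful. Run the test step from a second session and confirm that you can still log in during the 10-second window before committing.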

During the MS configuration, iptables-utils creates the iptables.conf.in and iptables.conf.new files on the managed hosts. By default no variables are used with MS, but it is possible to use them. To deploy the new configuration, you have to restart the component so that the modified and uploaded configuration is regenerated.

Warning

Without restarting the component, the new configuration is not generated and the modifications are ineffective.

If you reload the iptables rules manually (that is, with the /etc/init.d/iptables-utils reload command or the Packet Filter MC component), make sure to reload PNS as well. Otherwise, your packet-filtering services (PFServices) will not function.