jaseg.blogg.se

Centos iptables
If there are specific rules that need to be updated regularly, I would put them in a separate chain, calling that chain from INPUT in an appropriate slot:

    iptables -N mychain                 # Create new chain "mychain"
    iptables -A INPUT -j mychain        # Insert it into INPUT
    iptables -A INPUT …other rules…     # Append other rules as before

Now you can flush and add the frequently changing rules in mychain without affecting the rules in INPUT:

    iptables -F mychain

If you really want to have these added as a single entity as if it were in a transaction, you could create the chain, add your rules to that chain, and then insert that chain into INPUT, removing the previous instance immediately afterwards. You would probably want dynamic chain names for this. For example,

    chain="mychain_$(date +%s)"         # One second granularity
    iptables -N "$chain"                # Create the new chain
    iptables -A "$chain" …rule…         # and its rules
    # In `iptables -L` output the first column of a jump rule is the target chain
    old=$(iptables -L INPUT -n | awk '$1 ~ /^mychain_[0-9]+$/ { print $1 }')
    iptables -I INPUT 1 -j "$chain"     # Add new chain in correct position
    iptables -D INPUT -j "$old"         # Remove old chain from INPUT
    iptables -F "$old" && iptables -X "$old"   # and delete it once it is unlinked

On the other hand, if your requirement is to block or permit large numbers of IP addresses you would be better looking at an IP set.

Under CentOS 7 you have firewalld installed by default, and you can check its status by running systemctl status firewalld. Also, a package called iptables-services can be installed and if started (service name: iptables), you can check if it's running or not.
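The chain-swap procedure above, written out as a reusable script. This is an added example, not code from the original post; it assumes chain names of the form mychain_<epoch seconds>, rule specs supplied one per line, and an IPTABLES variable naming the iptables binary (so the function can be exercised against a stand-in without root).

```shell
#!/bin/sh
# Added example (not from the original post): replace the dynamic chain called
# from INPUT in one step. Assumes chain names mychain_<epoch seconds> and that
# IPTABLES points at the iptables binary.
IPTABLES="${IPTABLES:-iptables}"
PREFIX="mychain_"

# Print the names of dynamic chains currently jumped to from INPUT.
# In `iptables -L` output the first column of a jump rule is the target chain.
old_chains() {
    "$IPTABLES" -L INPUT -n | awk -v p="^${PREFIX}"'[0-9]+$' '$1 ~ p { print $1 }'
}

# swap_chain RULES: RULES is a newline-separated list of rule specs (everything
# after "-A <chain>"). Builds a fresh chain, links it at the top of INPUT, then
# unlinks and deletes the previous generation(s). Prints the new chain name.
swap_chain() {
    new="${PREFIX}$(date +%s)"
    # One-second granularity: a second swap within the same second fails here
    # rather than appending to the chain that is already live.
    "$IPTABLES" -N "$new" || return 1
    while IFS= read -r spec; do
        [ -n "$spec" ] || continue
        # shellcheck disable=SC2086  # word splitting of the spec is intended
        "$IPTABLES" -A "$new" $spec || { "$IPTABLES" -F "$new"; "$IPTABLES" -X "$new"; return 1; }
    done <<EOF
$1
EOF
    olds=$(old_chains)
    # Nothing has matched the new chain so far; it becomes live on this line.
    "$IPTABLES" -I INPUT 1 -j "$new" || return 1
    for o in $olds; do
        "$IPTABLES" -D INPUT -j "$o"   # unlink the previous generation from INPUT
        "$IPTABLES" -F "$o"            # then free its rules and the chain itself
        "$IPTABLES" -X "$o"
    done
    printf '%s\n' "$new"
}

# Usage (needs root): swap_chain "-s 203.0.113.5 -j DROP
# -s 198.51.100.0/24 -j DROP"
```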













