:: Re: [DNG] iptables
Author: Ralph Ronnquist
Date:
To: dng
Subject: Re: [DNG] iptables
On Fri, Feb 14, 2025 at 01:23:43PM +0100, tito via Dng wrote:
> On Fri, 14 Feb 2025 12:02:39 +0000
> fraser via Dng <dng@???> wrote:
>
> > Hello list,
> >
> > Can anyone tell me how I can 'restore' (as in iptables-restore <
> > /etc/iptables/rules.v4) an iptables ruleset without iptables-restore?
> > The package seems to be missing from the repos.
> > ...
> >
> > My principal use case is as a cronjob on a remote host: if a known,
> > good ruleset is restored from backup every 5 minutes, I am able to edit
> > any experimental ruleset safe in the knowledge that should I shut myself
> > out, it will only be for a few minutes. This seems to me to be an
> > important facility, and I assume that the 'restore' function must be
> > located elsewhere, but I cannot find it by googling.
> >
> > How do other people edit their firewall on a remote host?
> >
>
> dpkg -L iptables
> ...
>
> /usr/sbin/iptables-nft-restore
> /usr/sbin/iptables-nft-save


Yes, one may still use iptables syntax (and then in particular be able
to use ipset) which afaiui maps it all to the netfilter API (instead
of using ioctl). Some people (other than me) might prefer the nftables
syntax, but there's no technical advantage. Utilities to save/restore
rules are available for either syntax, and you might also use the
iptables-persistent package which uses iptables syntax for the
netfilter rules. Apart from using ipset, which is only available with
iptables, the syntaxes are semantically interchangeable (aka "the
same"). (And perhaps the nftables crowd has bitten the bullet by now
and extended it to handle ipset matching as well)

Ralph.
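The "known-good ruleset restored from cron every few minutes" safety net that fraser describes, written out as an added example (this is not code from the thread or from the iptables project). It assumes the script name, the helper function names, and the use of `iptables-restore --test` (which parses a ruleset without committing it) are choices made here; on Devuan/Debian the `iptables` package ships `iptables-nft-restore` and `iptables-legacy-restore`, with plain `iptables-restore` being an alternatives symlink that may or may not be present, so the script looks for whichever variant exists:

```shell
#!/bin/sh
# restore-firewall.sh: cron-driven safety net that reloads a known-good
# iptables ruleset so that a botched interactive edit on a remote host only
# locks you out until the next cron run.
#
#   */5 * * * * root /usr/local/sbin/restore-firewall.sh /etc/iptables/rules.v4
#
# Assumptions (added here, not from the thread): the script and function
# names, and validating with `iptables-restore --test` before loading.

# Find whichever restore front-end this host ships. iptables-restore is an
# alternatives symlink on Debian-derived systems and may be missing; the
# backend-specific names are always installed with the iptables package.
pick_restore_bin() {
    for candidate in iptables-restore iptables-nft-restore iptables-legacy-restore; do
        if command -v "$candidate" >/dev/null 2>&1; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Cheap structural check of an iptables-save format file before trusting it:
# readable, at least one table header (*filter, *nat, ...), and exactly one
# COMMIT per table. A truncated backup would otherwise be loaded half-way.
# Returns 0 if the file looks sane, 1 otherwise.
rules_file_sane() {
    rules=$1
    [ -r "$rules" ] || return 1
    # grep -c exits 1 when the count is 0; "|| :" keeps the count usable
    tables=$(grep -c '^\*' "$rules" || :)
    commits=$(grep -c '^COMMIT$' "$rules" || :)
    [ "$tables" -ge 1 ] || return 1
    [ "$tables" -eq "$commits" ] || return 1
    return 0
}

# Validate, syntax-check with --test (parse only, no commit), then load.
# iptables-restore replaces the whole table set in one operation, so the
# host never sits in a half-applied state between individual rules.
restore_rules() {
    rules=$1
    bin=$(pick_restore_bin) || { echo "no iptables-restore variant found" >&2; return 2; }
    rules_file_sane "$rules" || { echo "refusing to load suspicious rules file: $rules" >&2; return 3; }
    "$bin" --test < "$rules" || { echo "rules file failed syntax check: $rules" >&2; return 4; }
    "$bin" < "$rules"
}

# When invoked with a path (as from cron), restore it; sourcing the file
# without arguments only defines the functions.
if [ -n "${1:-}" ]; then
    restore_rules "$1"
fi
```

Two practical caveats: the cron job also wipes any experimental rules you did want to keep, so the workflow is "edit live, and when happy write the result to the backup file with iptables-save before the next tick"; and for a one-off change the `iptables-apply` wrapper shipped with the iptables package does the same thing interactively, loading a file and reverting unless you confirm within a timeout.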