path: root/iptables/
diff options
mode: <>2019-12-04 19:18:34 +0100
committerPablo Neira Ayuso <>2019-12-05 11:44:41 +0100
commitb45b4e390341404ca019f7a0361fbbee748715a8 (patch)
tree9907304130cf7f4d19b02c6714c2f00d9dfa5cdd /iptables/
parent55719423dea23a9e89745a5707dbf110750494d9 (diff)
iptables-apply: script and manpage update
This is GW's update to iptables-apply. It does a code cleanup and adds two options: one runs a command and the other writes the sucessful rules file. I modified the script to use mktemp instead of tempfile. I also fixed a couple of hyphens in the man page addition. Arturo says: I'm not a strong supporter of this script, but there are many users of it, so better do things right and add this patch that should produce no harm anyway. This patch is forwarded from the iptables Debian package, where it has been around for many years now. Signed-off-by: GW <> Signed-off-by: Laurence J. Lane <> Signed-off-by: Arturo Borrero Gonzalez <> Signed-off-by: Pablo Neira Ayuso <>
Diffstat (limited to 'iptables/')
1 files changed, 31 insertions, 15 deletions
diff --git a/iptables/ b/iptables/
index cdc9c447..f0ed4e5f 100644
--- a/iptables/
+++ b/iptables/
@@ -1,6 +1,6 @@
.\" Title: iptables-apply
-.\" Author: Martin F. Krafft
-.\" Date: Jun 04, 2006
+.\" Author: Martin F. Krafft, GW
+.\" Date: May 10, 2010
.\" disable hyphenation
@@ -8,23 +8,37 @@
iptables-apply \- a safer way to update iptables remotely
-\fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] \fIruleset\-file\fP
+\fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] [\fB-w\fP \fIsavefile\fP] {[\fIrulesfile]|-c [runcmd]}\fP
-iptables\-apply will try to apply a new ruleset (as output by
-iptables\-save/read by iptables\-restore) to iptables, then prompt the
-user whether the changes are okay. If the new ruleset cut the existing
-connection, the user will not be able to answer affirmatively. In this
-case, the script rolls back to the previous ruleset after the timeout
-expired. The timeout can be set with \fB\-t\fP.
+iptables\-apply will try to apply a new rulesfile (as output by
+iptables-save, read by iptables-restore) or run a command to configure
+iptables and then prompt the user whether the changes are okay. If the
+new iptables rules cut the existing connection, the user will not be
+able to answer affirmatively. In this case, the script rolls back to
+the previous working iptables rules after the timeout expires.
-When called as \fBip6tables\-apply\fP, the script will use
-ip6tables\-save/\-restore instead.
+Successfully applied rules can also be written to savefile and later used
+to roll back to this state. This can be used to implement a store last good
+configuration mechanism when experimenting with an iptables setup script:
+iptables-apply \-w /etc/network/iptables.up.rules \-c /etc/network/
+When called as ip6tables\-apply, the script will use
+ip6tables\-save/\-restore and IPv6 default values instead. Default
+value for rulesfile is '/etc/network/iptables.up.rules'.
\fB\-t\fP \fIseconds\fR, \fB\-\-timeout\fP \fIseconds\fR
-Sets the timeout after which the script will roll back to the previous
+Sets the timeout in seconds after which the script will roll back
+to the previous ruleset (default: 10).
+\fB\-w\fP \fIsavefile\fR, \fB\-\-write\fP \fIsavefile\fR
+Specify the savefile where successfully applied rules will be written to
+(default if empty string is given: /etc/network/iptables.up.rules).
+\fB\-c\fP \fIruncmd\fR, \fB\-\-command\fP \fIruncmd\fR
+Run command runcmd to configure iptables instead of applying a rulesfile
+(default: /etc/network/
\fB\-h\fP, \fB\-\-help\fP
Display usage information.
@@ -36,9 +50,11 @@ Display version information.
\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8).
-iptables\-apply is copyright by Martin F. Krafft.
+Original iptables-apply - Copyright 2006 Martin F. Krafft <>.
+Version 1.1 - Copyright 2010 GW < or>.
-This manual page was written by Martin F. Krafft <>
+This manual page was written by Martin F. Krafft <> and
+extended by GW < or>.
Permission is granted to copy, distribute and/or modify this document
under the terms of the Artistic License 2.0.