-

there is no need restart the "networking" service (which you should probably never do) just for modifying iptables rules Oo - modify them in your network/interfaces files for the next reboot, and then modify the currently loaded set at as well (with the "iptables" and friends binaries).
 
Putting them into /etc/network/interfaces is for persistence (i.e., when bringing up/down the interfaces manually or upon reboot). If you want to change rules, you don't want to bring down your interfaces (or the whole networking stack) - so you apply your changes to the currently loaded tables. That's just how it works (the pve-firewall also regenerates the rules and re-applies them upon changes).

You just have to be careful about the order of loaded rules when modifying the existing ruleset.

When you restart the networking service, you effectively kill all connections on the bridge, so it's no wonder that stuff breaks.
 
iptables-save and -restore are part of iptables, not iptables-persistent. but yes, that should work (note that your syntax is wrong, you want "iptables-save > my-rules" and "iptables-restore < my-rules"). pve-firewall might need a few seconds to reset its rules afterwards, just like when you change the firewall settings in PVE itself.
 
You must log in or register to reply here.
Top Bottom