One of the largest reasons for using the iptables-save
and iptables-restore commands is that they will speed
up the loading and saving of larger rule-sets considerably. The main
problem with running a shell script that contains
iptables rules is that each invocation of
iptables within the script will first extract the
whole rule-set from the Netfilter kernel space, and after this, it will
insert or append rules, or do whatever change to the rule-set that is
needed by this specific command. Finally, it will insert the new rule-set
from its own memory into kernel space. Using a shell script, this is done
for each and every rule that we want to insert, and for each time we do
this, it takes more time to extract and insert the rule-set.
To solve this problem, there is the iptables-save and
restore commands. The iptables-save
command is used to save the rule-set into a specially formatted text-file,
and the iptables-restore command is used to load this
text-file into kernel again. The best parts of these commands is that they
will load and save the rule-set in one single request.
iptables-save will grab the whole rule-set from kernel
and save it to a file in one single movement.
iptables-restore will upload that specific rule-set to
kernel in a single movement for each table. In other words, instead of
dropping the rule-set out of kernel some 30,000 times, for really large
rule-sets, and then upload it to kernel again that many times, we can now
save the whole thing into a file in one movement and then upload the
whole thing in as little as three movements depending on how many tables
you use.
As you can understand, these tools are definitely something for you if
you are working on a huge set of rules that needs to be inserted. However,
they do have drawbacks that we will discuss more in the next section.
