NAME
iptables-apply - atomically apply iptables rules
SYNOPSIS
iptables-apply [options] [filename]
PARAMETERS
-h, --help
Display help message and exit
-V, --version
Print version information and exit
-c, --check
Validate rules without applying them
-t, --timeout <seconds>
Revert after <seconds> if unconfirmed (default: 10)
--verbose
Enable verbose output
--debug
Enable debug output
--exec <command>
Use <command> instead of iptables-restore
--immediate
Apply rules immediately, no confirmation timeout
--exception
Allow exceptions to the revert timer (e.g., for scripts)
--skip-preamble
Ignore preamble comments in input file
--no-restore-wait
Don't wait for iptables-restore to complete
DESCRIPTION
iptables-apply is a utility designed to safely apply sets of iptables rules from a file or standard input, minimizing the risk of locking yourself out of a system during remote administration.
It works by first saving the current ruleset with iptables-save, then comparing it against the proposed rules from the input file to produce a diff preview. The user is prompted to confirm the changes within a configurable timeout period (default 10 seconds). If confirmed, the new rules are loaded atomically via iptables-restore. If no confirmation arrives before the timeout, or the user declines, the original ruleset is restored automatically.
This tool is particularly useful for applying complex rulesets over SSH, where a mistake could sever network access. It supports verbose and debug modes for troubleshooting, checking rules without applying them (--check), and a custom execution command in place of iptables-restore (--exec). The process is atomic where possible, but an interruption during restore may require manual intervention.
Other features include exception handling for certain signals, which prevents premature reversion, and skipping preamble comments in input files (--skip-preamble). It is a core tool for firewall management in production environments.
CAVEATS
Requires root privileges. Interruptions during iptables-restore may leave inconsistent rules; test in safe environments first. Not suitable for very large rulesets due to diff overhead.
SAFETY WORKFLOW
1. Saves current rules.
2. Shows diff preview.
3. Waits for 'yes' confirmation.
4. Applies new rules atomically.
5. Reverts on timeout or 'no'.
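The cycle above, modelled as a small shell function (an added illustration, not iptables-apply's own source). The candidate rules are loaded before the prompt so that a session cut off by a bad rule simply never answers and the timeout triggers the automatic revert; IPT_SAVE and IPT_RESTORE are assumed variable names that default to the real tools and can be pointed at stub commands for dry runs without root.

```shell
#!/usr/bin/env bash
# Minimal model of the save / diff / apply / confirm / revert cycle described
# above. Added illustration only, not iptables-apply's own source.
# IPT_SAVE and IPT_RESTORE default to the real tools; point them at stub
# commands to exercise the logic without root or a live netfilter stack.
IPT_SAVE="${IPT_SAVE:-iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"
# safe_apply RULES_FILE [TIMEOUT]
# Exit status: 0 new rules confirmed and kept; 1 reverted (declined, timed out,
# or restore rejected the file); 2 the backup of the live ruleset failed.
safe_apply() {
    rules="$1"; timeout="${2:-10}"
    backup=$(mktemp) || return 2
    # 1. Save the live ruleset first; without a backup there is nothing to revert to.
    if ! "$IPT_SAVE" > "$backup"; then
        echo "cannot save current rules, aborting" >&2
        rm -f "$backup"; return 2
    fi

    # 2. Preview: both files are in iptables-save format, so a plain diff works.
    diff -u "$backup" "$rules" || true

    # 3. Load the candidate set atomically. iptables-restore either commits the
    #    whole file or leaves the old rules untouched.
    if ! "$IPT_RESTORE" < "$rules"; then
        echo "iptables-restore rejected the rules; old set unchanged" >&2
        rm -f "$backup"; return 1
    fi

    # 4. Ask for an explicit "yes". If the new rules cut the session, no answer
    #    arrives and the timeout falls through to the revert below.
    answer=""
    printf 'Keep the new rules? Type "yes" within %ss: ' "$timeout"
    if [ -n "$BASH_VERSION" ]; then
        read -r -t "$timeout" answer   # timed read is a bash extension
    else
        read -r answer                 # plain sh: untimed fallback
    fi
    echo
    if [ "$answer" = "yes" ]; then
        rm -f "$backup"; return 0
    fi

    # 5. Not confirmed: put the saved ruleset back.
    echo "no confirmation, reverting to the previous rules" >&2
    "$IPT_RESTORE" < "$backup"
    rm -f "$backup"; return 1
}
```

Run as root with the defaults, e.g. `safe_apply /etc/iptables/rules.v4 10`, or set IPT_SAVE/IPT_RESTORE to stub commands to rehearse the flow on a workstation.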
INPUT FORMAT
Expects standard iptables-save output. Preamble comments (lines starting with #) are optional and can be ignored with --skip-preamble.
HISTORY
Developed by Felipe Contreras and included in the iptables package starting from version 1.4.11 (2010). Evolved to support modern iptables features and nftables transition tools.
SEE ALSO
iptables(8), iptables-restore(8), iptables-save(8), ip6tables-apply(8)