New rules can be added at the beginning or at the end of existing chains; adding new chains is not supported. Appgate SDP runs on what is called 'Overlayfs', a temporary file system that is reloaded every time the system is booted. This means that any changes made to iptables on the running system are not permanent. To mitigate this, a command is available that allows permanent changes to be made to iptables:
Add a new rule at the beginning of a chain
# iptables -t filter -I INPUT -m comment --comment ciao
Show the diff with the default iptables
# cz-iptables diff
{'ip6tables': {}, 'iptables': {'filter': {'INPUT': {'insert': ['-m comment --comment ciao']}}}}
Add a new rule to the end of a chain
# iptables -t filter -A INPUT -m comment --comment bye
Show the diff again
# cz-iptables diff
{'iptables': {'filter': {'INPUT': {'insert': ['-m comment --comment ciao'], 'append': ['-m comment --comment bye']}}}, 'ip6tables': {}}
Permanently save the changes
# cz-iptables save
Permanently destroy any custom change
# cz-iptables flush
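The diff output above is a Python dict literal keyed by family, table, chain and position. The following is an added example (not part of the Appgate documentation or the cz-iptables tool) that parses that structure and runs a pre-save review over it; the allow-listed chain and the "every rule must carry a comment" rule are assumptions chosen for illustration.

```python
import ast

# Constructed sample of `cz-iptables diff` output, copied from the shape shown above.
SAMPLE_DIFF = (
    "{'iptables': {'filter': {'INPUT': {'insert': ['-m comment --comment ciao'], "
    "'append': ['-m comment --comment bye']}}}, 'ip6tables': {}}"
)


def parse_diff(text):
    """Flatten cz-iptables diff output into (family, table, chain, position, rule) tuples.

    The output is a Python dict literal (single quotes), not JSON, so it is parsed
    with ast.literal_eval, which evaluates literals only and never executes code.
    The only positions are 'insert' (head of chain) and 'append' (tail), because
    adding new chains is not supported.
    """
    data = ast.literal_eval(text)
    rules = []
    for family, tables in data.items():            # 'iptables' / 'ip6tables'
        for table, chains in tables.items():       # 'filter', 'nat', ...
            for chain, positions in chains.items():
                for position, rule_list in positions.items():
                    if position not in ("insert", "append"):
                        raise ValueError(f"unexpected position {position!r} in {chain}")
                    for rule in rule_list:
                        rules.append((family, table, chain, position, rule))
    return rules


def review_before_save(text, allowed=(("iptables", "filter", "INPUT"),)):
    """Pre-save review: return a list of problems, empty if the pending changes look fine.

    Two policy checks (assumptions for this example, not cz-iptables behaviour):
    every pending rule must live in an allow-listed (family, table, chain), and
    must carry '-m comment' so the reason for persisting it can be traced later.
    """
    problems = []
    for family, table, chain, position, rule in parse_diff(text):
        where = f"{family}/{table}/{chain} ({position})"
        if (family, table, chain) not in allowed:
            problems.append(f"{where}: change outside allowed chains: {rule}")
        if "-m comment" not in rule:
            problems.append(f"{where}: rule has no comment tag: {rule}")
    return problems


if __name__ == "__main__":
    for entry in parse_diff(SAMPLE_DIFF):
        print(entry)
    print("problems:", review_before_save(SAMPLE_DIFF))
```

Run it against the live output with `cz-iptables diff | python3 review.py` style piping (reading stdin instead of SAMPLE_DIFF) and only run `cz-iptables save` when the problem list is empty.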