Modifying iptables

New rules can be added at the beginning or at the end of existing chains. Adding new chains is not supported. AppGate ZTNA runs in what is called 'Overlayfs'; this is a temporary file system which is reloaded every time the system is booted. This means any changes made to iptables in the running system will not be permanent. To mitigate this there is a command available that allows permanent changes to be made to iptables:

*Add a new rule at the beginning of a chain*	`# iptables -t filter -I INPUT -m comment --comment ciao`
*Show the diff with the default iptables*	`# cz-iptables diff` `{'ip6tables': {}, 'iptables': {'filter': {'INPUT': {'insert': ['-m comment -- comment ciao']}}}}`
*Add a new rule to the end of a chain*	`# iptables -t filter -A INPUT -m comment --comment bye`
*Show the diff again*	`# cz-iptables diff` `{'iptables': {'filter': {'INPUT': {'insert': ['-m comment --comment ciao'], 'append': ['-m comment --comment bye']}}}, 'ip6tables': {}}`
*Permanently save the changes*	`# cz-iptables save`
*Permanently destroy any custom change*	`# cz-iptables flush`