
# Iptables: Are there any downsides of using the MANGLE table?

Because of the way that Docker manipulates iptables, I can't reset the iptables and apply a new version of my rules without restarting Docker. Docker uses the tables `NAT` and `FILTER` but it doesn't touch `MANGLE`.

With that in mind, I decided to change my firewall script from `FILTER/INPUT` and `FILTER/OUTPUT` to `MANGLE/PREROUTING` and `MANGLE/POSTROUTING`. Now I'm able to completely reset my firewall (`iptables -t mangle -F`) and apply a new set of rules without breaking/restarting Docker.

**So here is the question:** Are there any downsides of using the `MANGLE` table the way I'm using it? My rules are very simple: connection limit per IP, drop some ports, drop some protocols...

> I can't reset the iptables and apply a new version of my rules without restarting Docker.

I doubt that is correct.

## "diff" rule dump

I am not familiar with the Docker firewall configuration but you could dump the state with `iptables-save`. You could create a comment for all your rules so that they can easily be filtered.

You could then reset the rule set, restore the Docker rules, and then apply your new rules. In that order it would be easiest. How feasible that is depends on how you create your rules.

## helper chains

Another approach would be to put just one rule into the official chains which jumps to a chain where you put all your rules. Then you could reset and rebuild those helper chains. The Docker rules would not be affected.
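The helper-chain approach above, combined with the comment tag suggested for the "diff" approach, as an added example that is not part of the original answer. The chain names `MYFW_IN`/`MYFW_OUT`, the `myfw` comment tag and the sample rules (connection limit, blocked ports, blocked protocol) are assumptions; `fw_apply` must run as root on a host with iptables.

```shell
#!/bin/sh
# Added example (not from the original answer): keep every custom rule in a
# helper chain so the helper chains can be rebuilt at any time without
# touching Docker's own chains. Chain names, the "myfw" tag and the sample
# rules below are assumptions standing in for the asker's real rule set.
set -eu

# Emit the helper-chain rule set in iptables-restore syntax. The ":CHAIN - [0:0]"
# lines (re)create the helper chains; with --noflush an existing user chain
# declared this way is flushed, while builtin chains and DOCKER* chains are
# left alone. Every rule carries the same comment so it can be found in a dump.
fw_ruleset() {
    cat <<'EOF'
*filter
:MYFW_IN - [0:0]
:MYFW_OUT - [0:0]
-A MYFW_IN -p tcp --syn --dport 22 -m connlimit --connlimit-above 10 --connlimit-mask 32 -m comment --comment myfw -j DROP
-A MYFW_IN -p tcp -m multiport --dports 23,135,445 -m comment --comment myfw -j DROP
-A MYFW_IN -p gre -m comment --comment myfw -j DROP
-A MYFW_OUT -p udp --dport 69 -m comment --comment myfw -j DROP
COMMIT
EOF
}

# Insert the single jump from a builtin chain into its helper chain, only if
# it is not already there (-C checks for an existing identical rule).
ensure_jump() {
    base=$1
    helper=$2
    iptables -C "$base" -j "$helper" 2>/dev/null ||
        iptables -I "$base" 1 -j "$helper"
}

# Rebuild only the helper chains; Docker's rules in filter and nat survive.
fw_apply() {
    fw_ruleset | iptables-restore --noflush
    ensure_jump INPUT MYFW_IN
    ensure_jump OUTPUT MYFW_OUT
}

# Count the rules in an iptables-save style dump (on stdin) that carry our
# tag, which is what the "diff" approach filters on.
count_tagged() {
    grep -c -- '--comment myfw'
}
```

After `fw_apply`, `iptables-save | grep -- '--comment myfw'` lists exactly the rules this script owns, and nothing Docker added.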
