> AFAIK, "service iptables restart" does not cut off current
> connections. The stateful connections are kept by the conntrack
> module, which I believe will not be cleared on a restart of iptables,
> and "service iptables restart" also uses iptables-restore, which does
> the changes atomically instead of one by one.
>
> However, don't blindly follow what I'm saying here, this is all from
> memory and I might be wrong. If you really need to know it, verify it
> on a test environment before you do it on the production one.
>
>
> yes of course - thanks for all assistance