Smerk 03-13-2003 01:31 AM

iptables-save doesn't!

Firewall gurus!

For some reason my iptables-save doesn't seem to save!

I have a script that I have been editing to change iptables rules, which works well.

I make changes, then run the script and then iptables-save, which then lists the rules etc. When I reboot my router, however, all the changes I have made are lost and I have to run the script again.

Is this normal?

When I first started using the script it seemed to save ok...
I would also be interested to see what people think of the firewall and how secure it is!

The script is as follows:

#!/bin/sh
#
# Router firewall: drop everything inbound to the router by default,
# masquerade the LAN out of the ppp0 link, and log (rate-limited) what is dropped.
IPTABLES="/sbin/iptables"
OUTSIDE=ppp0
# multiple network interfaces on router so:
INSIDE=eth+
#INSIDE=eth1
#
# Start from a clean slate: flush every chain in filter, mangle and nat,
# then delete the user-defined chains so they can be recreated below.
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
# Default policies: packets for the router itself are dropped unless a rule
# below accepts them; traffic from the router and forwarded LAN traffic is
# allowed (FORWARD ACCEPT means LAN-to-Internet traffic is not filtered at all).
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
#
# User-defined chains: "silent" drops without logging; the other three log
# at most 5 entries a minute, each with its own prefix, and then drop.
$IPTABLES -N silent
$IPTABLES -A silent -j DROP

$IPTABLES -N tcpflags
$IPTABLES -A tcpflags -m limit --limit 5/minute -j LOG --log-prefix TCPflags:
$IPTABLES -A tcpflags -j DROP

$IPTABLES -N internal
$IPTABLES -A internal -m limit --limit 5/minute -j LOG --log-prefix Internal:
$IPTABLES -A internal -j DROP

$IPTABLES -N firewalled
$IPTABLES -A firewalled -m limit --limit 5/minute -j LOG --log-prefix Firewalled:
$IPTABLES -A firewalled -j DROP
#
# NAT: masquerade everything leaving through the ppp0 link.
$IPTABLES -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
#
# Inbound tcp/443 from the Internet is DNATed to 192.168.42.1; the udp/5190
# rule only ACCEPTs in PREROUTING (no address rewrite), so it reaches INPUT below.
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 443 -j DNAT --to 192.168.42.1
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 5190 -j ACCEPT
#
# TCP packets with impossible or scan-style flag combinations (xmas, null,
# SYN+RST, SYN+FIN) go to the logging tcpflags chain.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# ICMP: accept echo reply (0), destination unreachable (3) and time exceeded (11),
# accept echo requests (8) at 1/second, and log-and-drop every other ICMP type.
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewalled
#
# Loopback is always allowed.
$IPTABLES -A INPUT -i lo -j ACCEPT
#
# The old "any LAN host may talk to 192.168.42.1" rule is commented out and
# replaced by the per-host rules that follow it.
# $IPTABLES -A INPUT -i $INSIDE -d 192.168.42.1 -j ACCEPT
#
# NEW CODE HERE! ##################################################
#
# Only these LAN hosts may reach the router's own addresses; any other LAN
# host that tries is logged with the "Internal:" prefix and dropped.
$IPTABLES -A INPUT -i $INSIDE -s 192.168.42.8 -d 192.168.42.1 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -s 192.168.43.7 -d 192.168.42.1 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -s 192.168.43.7 -d 192.168.43.1 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -d 192.168.42.1 -j internal
#
# Replies to connections the router itself opened.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# NetBIOS name service broadcasts are dropped without filling the log.
$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j silent
#
# Services reachable from the Internet: udp/5190 and tcp/443.
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 5190 -j ACCEPT
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 443 -j ACCEPT
#
# Anything else addressed to the router is logged and dropped.
$IPTABLES -A INPUT -j firewalled

dorian33 03-13-2003 08:20 AM

Hi. I think it is normal, since iptables-save dumps the iptables rules to the screen. Use
iptables-save > your_file
to catch the new settings in the file. The real name (and path) of 'your_file' should agree with the name of the file used in the init script (the iptables-restore command parameter in the /etc/rc.d/init.d/firewall script).
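The point dorian33 makes is that iptables-save only writes to stdout, so the rules survive a reboot only if that output lands in the file the init script hands to iptables-restore. The script below is an added example, not from this thread or from the iptables project: it persists the dump atomically, refuses to overwrite the saved file with an empty dump, and checks whether the saved file has drifted from the running rules. The default RULES_FILE path is a placeholder, and SAVE_CMD is an assumed override so the functions can be exercised without root.

```shell
#!/bin/sh
# Added example (not from this thread): persist the live rule set to the file
# that the boot-time iptables-restore reads, and check that the two still agree.
# Assumptions: RULES_FILE is whatever path the init script passes to
# iptables-restore (the default below is a placeholder); SAVE_CMD can be pointed
# at a stand-in command so the script can be exercised without root.
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"
SAVE_CMD="${SAVE_CMD:-iptables-save}"

# Strip what legitimately differs between two dumps of the same rule set:
# the timestamped "# Generated by"/"# Completed on" comments and the counters.
normalize() {
    sed -e '/^#/d' -e 's/^\[[0-9]*:[0-9]*\] *//' -e 's/ \[[0-9]*:[0-9]*\]$//'
}

# Write the running rules to RULES_FILE atomically, so a crash mid-write can
# never leave a truncated file for the next boot's iptables-restore.
save_rules() {
    tmp="$RULES_FILE.tmp.$$"
    $SAVE_CMD > "$tmp" || { rm -f "$tmp"; return 1; }
    # An empty dump (e.g. iptables-save run unprivileged) must not clobber the
    # last good file; every real dump contains at least one "*table" line.
    if ! grep -q '^\*' "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 600 "$tmp" && mv "$tmp" "$RULES_FILE"
}

# Return 0 when the saved file matches the live rules, 1 when they have
# drifted (rules changed by a script but never re-saved, or the wrong file).
rules_match() {
    live="$RULES_FILE.live.$$"
    $SAVE_CMD | normalize > "$live"
    if normalize < "$RULES_FILE" | cmp -s - "$live"; then rc=0; else rc=1; fi
    rm -f "$live"
    return $rc
}

case "${1:-}" in
    save)  save_rules ;;
    check) rules_match && echo "saved rules match the running rules" ;;
esac
```

Run it as "save" after the firewall script, and as "check" from the init script or a cron job to catch the situation in the original post, where the live rules were changed but the file was never rewritten.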

Smerk 03-13-2003 08:35 AM

Eggsellent!

Thanks for that. I must have known that at some stage, because having looked in the location where the file is, I found some other copies of the file that I must have been messing with...

Looks like my old brain is getting a bit leaky.

Pcghost 03-13-2003 11:04 AM

Good script, but it needs more commenting...
Where you set up logging, I am not sure if it's important, but usually there are quotation marks around the log prefix, "INPUT :".
Not sure if it matters; it just kind of stood out.

Smerk 03-13-2003 11:39 AM

Oops..
I hacked out all the commenting to cut down on post size, sorry.
