How to translate iptables rule for iptables-persistent file


Postby GabrieleMax » 2018-03-10 12:23

Below you can see my /etc/iptables/rules.v4

Code:
# Generated by iptables-save v1.6.2 on Fri Mar  9 19:44:53 2018
*filter
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT
COMMIT
# Completed on Fri Mar  9 19:44:53 2018
# Generated by iptables-save v1.6.2 on Fri Mar  9 19:44:53 2018
*nat
:PREROUTING ACCEPT [4:896]
:INPUT ACCEPT [4:896]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Fri Mar  9 19:44:53 2018
# Generated by iptables-save v1.6.2 on Fri Mar  9 19:44:53 2018
*mangle
:PREROUTING ACCEPT [25906:39089741]
:INPUT ACCEPT [25906:39089741]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11879:665898]
:POSTROUTING ACCEPT [11879:665898]
COMMIT
# Completed on Fri Mar  9 19:44:53 2018

I need to add this line in the file above:
Code:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp0s9 -j MASQUERADE


I add the command above (without iptables word) inside /etc/iptables/rules.v4, after it I use the command below:
Code:
iptables-restore < /etc/iptables/rules.v4


The result of the command above is something like "-t" is not available!

GabrieleMax
Posts: 60
Joined: 2016-09-07 20:24
Location: Senigallia

Re: How to translate iptables rule for iptables-persistent f

Postby steve_v » 2018-03-10 13:43

Code:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp0s9 -j MASQUERADE

then
Code:
iptables-save > /etc/iptables/rules.v4

One is not really supposed to edit the persistence file by hand.
steve_v
 
Posts: 695
Joined: 2012-10-06 05:31
Location: New Zealand

Re: How to translate iptables rule for iptables-persistent f

Postby GabrieleMax » 2018-03-10 15:54

steve_v wrote:
Code:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp0s9 -j MASQUERADE

then
Code:
iptables-save > /etc/iptables/rules.v4


Maybe I should also do after it to have a permanent rule:
Code:
iptables-restore < /etc/iptables/rules.v4


steve_v wrote:One is not really supposed to edit the persistence file by hand.


You're right, but somewhere, for example here https://linode.com/docs/networking/vpn/ ... pn-server/, he does it by hand. But I understood it's easier to do it your way!

Others think it's not good to modify default routes, so some say it's better to store a script for different rules and load it at startup; what do you think about it?

GabrieleMax
Posts: 60
Joined: 2016-09-07 20:24
Location: Senigallia

Re: How to translate iptables rule for iptables-persistent f

Postby steve_v » 2018-03-10 16:41

GabrieleMax wrote:Maybe I should also do after it to have a permanent rule:
Code:
iptables-restore < /etc/iptables/rules.v4
That is run at bootup anyway. Running it by hand won't make your rule any more "permanent", but it is a reasonable test to check that your rules will be applied next boot.

GabrieleMax wrote:Others think it's not good to modify default routes so someone say it's better to store a script for different rules and to load it at startup, what do you think about it?
Whatever floats your boat. I'd use scripts if I needed to swap rulesets regularly.
steve_v
 
Posts: 695
Joined: 2012-10-06 05:31
Location: New Zealand

Re: How to translate iptables rule for iptables-persistent f

Postby p.H » 2018-03-11 08:24

You can insert the rule in the relevant table section, between the chain policy specification and the commit:
Code:
*nat
:PREROUTING ACCEPT [4:896]
:INPUT ACCEPT [4:896]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o enp0s9 -j MASQUERADE
COMMIT

You must strip "iptables -t <table>".
Last edited by p.H on 2018-03-13 19:24, edited 1 time in total.
p.H
 
Posts: 645
Joined: 2017-09-17 07:12
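A worked version of the translation p.H describes, added here as an example and not code from the thread: it strips the leading `iptables` word and the `-t <table>` option from a command line and places the rule in the matching `*<table>` section of an iptables-save style file, just above that section's COMMIT, refusing to touch the file when no such section exists. The sample rules file is constructed to mirror the layout of the rules.v4 posted above, and the function names are invented for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Translates "iptables [-t TABLE] RULE..." into the
# iptables-save syntax that iptables-restore accepts and places it in the right table
# section of a rules file. Function names are invented for this example.

# Table named on an iptables command line; "filter" when -t/--table is absent.
rule_table() {
    table=filter
    while [ $# -gt 0 ]; do
        case "$1" in
            -t|--table) table=$2; shift ;;
        esac
        shift
    done
    printf '%s\n' "$table"
}

# The same command line with the leading "iptables" word and "-t TABLE" removed:
# inside a rules file the "*TABLE" header selects the table, so -t is not accepted there.
translate_rule() {
    out=""
    [ "$1" = "iptables" ] && shift
    while [ $# -gt 0 ]; do
        case "$1" in
            -t|--table) shift ;;
            *) out="$out${out:+ }$1" ;;
        esac
        shift
    done
    printf '%s\n' "$out"
}

# Insert RULE just before the COMMIT of the "*TABLE" section of FILE.
# Fails without touching FILE when that section is missing, so a typo in the
# table name cannot silently drop the rule.
insert_rule() {
    file=$1 table=$2 rule=$3
    if awk -v tbl="$table" -v rule="$rule" '
            $0 == ("*" tbl)          { in_tbl = 1 }
            in_tbl && $0 == "COMMIT" { print rule; in_tbl = 0; done = 1 }
                                     { print }
            END                      { if (!done) exit 1 }
        ' "$file" > "$file.tmp"; then
        mv "$file.tmp" "$file"
    else
        rm -f "$file.tmp"
        return 1
    fi
}

# One-shot wrapper: add_rule_from_command FILE iptables -t nat -A POSTROUTING ...
add_rule_from_command() {
    file=$1; shift
    insert_rule "$file" "$(rule_table "$@")" "$(translate_rule "$@")"
}

# Constructed sample file with the layout of the rules.v4 posted in the thread.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
EOF
}

# Demo on a scratch copy so nothing under /etc is touched.
demo_file=$(mktemp) && write_sample_rules "$demo_file"
add_rule_from_command "$demo_file" iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp0s9 -j MASQUERADE
cat "$demo_file"; rm -f "$demo_file"
```

After editing the real /etc/iptables/rules.v4 this way, `iptables-restore --test < /etc/iptables/rules.v4` parses the file without committing it, which is the check steve_v suggests doing before trusting the next boot.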

Re: How to translate iptables rule for iptables-persistent f

Postby kopper » 2018-03-12 05:04

Since no one has pointed it out so far, you can also make your current iptables rules permanent with dpkg. Modify your rules like you'd normally do with e.g. iptables -t nat -A <whatever_you_need> and then
Code:
dpkg-reconfigure iptables-persistent

You don't even have to know where the rules are stored.
Debian 9.5 Stable with i3
Secure your stuff: Securing Debian Manual
Don't break your stuff: Source List Management DontBreakDebian
kopper
 
Posts: 126
Joined: 2016-09-30 14:30

Re: How to translate iptables rule for iptables-persistent f

Postby GabrieleMax » 2018-03-15 10:42

steve_v wrote:Whatever floats your boat. I'd use scripts if I needed to swap rulesets regularly.


I understood the best way to load a different ruleset is to use a file and load it at boot, because I think it could be dangerous to load everything like a default rule. I know it's faster to load the whole ruleset at the same time, but if I'd like to modify something it could be easier to do it in an "external file".

Now I'd like to understand which runlevel I should use to load a file with a ruleset, and where the best place to store it could be!
GabrieleMax
 
Posts: 60
Joined: 2016-09-07 20:24
Location: Senigallia

Re: How to translate iptables rule for iptables-persistent f

Postby GabrieleMax » 2018-03-15 10:45

p.H wrote:You can insert the rule in the relevant table section, between the chain policy specification and the commit :
Code:
*nat
:PREROUTING ACCEPT [4:896]
:INPUT ACCEPT [4:896]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o enp0s9 -j MASQUERADE
COMMIT

You must strip "iptables -t <table>".


Thank you very much for your reply but... tell me... do you think it's best to store everything like a default rule, or is it "easier" to manage the ruleset in a different file and load it at boot? I know using an external file is slower than loading everything like a default rule, but at the same time this way is less "dangerous"...
GabrieleMax
 
Posts: 60
Joined: 2016-09-07 20:24
Location: Senigallia

Re: How to translate iptables rule for iptables-persistent f

Postby GabrieleMax » 2018-03-15 10:47

kopper wrote:Since no one has pointed it out so far, you can also make your current iptables rules permanent with dpkg. Modify your rules like you'd normally do with e.g. iptables -t nat -A <whatever_you_need> and then
Code:
dpkg-reconfigure iptables-persistent

You don't even have to know where the rules are stored.


I didn't know that! Thanks for writing it! :)
GabrieleMax
 
Posts: 60
Joined: 2016-09-07 20:24
Location: Senigallia

Re: How to translate iptables rule for iptables-persistent f

Postby p.H » 2018-03-15 11:46

GabrieleMax wrote:do you think it's the best way to store everything like a default rule or it's more "easy" to manage ruleset in a different file and to load it at boot? I know to use a external file is less fast than to load everything like a default rule but at same time this way is less "dangerous"...

I do not understand what you mean by "store/load everything like a default rule". There is no iptables default rule. The default iptables ruleset is empty.
GabrieleMax wrote:Now I'd like to understand which runlevel I should use to load a file with ruleset and where it could be the best place to store it!

Systemd does not have runlevels. IMO the ruleset must be applied before configuring the network.
p.H
 
Posts: 645
Joined: 2017-09-17 07:12

Re: How to translate iptables rule for iptables-persistent f

Postby GabrieleMax » 2018-03-15 16:22

p.H wrote:I do not understand what you mean by "store/load everything like a default rule". There is no iptables default rule. The default iptables ruleset is empty.


In my mind an empty table is also a default iptables ruleset, like this:
Code:
root@Server01:/home/gabriele# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT


p.H wrote:Systemd does not have runlevels. IMO the ruleset must be applied before configuring the network.


Ok, I understood it, but... if you'd like to change the iptables ruleset via an external file, where would you put it, and could you run it like a *.sh with chmod +x?
GabrieleMax
 
Posts: 60
Joined: 2016-09-07 20:24
Location: Senigallia

Re: How to translate iptables rule for iptables-persistent f

Postby p.H » 2018-03-15 21:08

GabrieleMax wrote:In my mind also a empty table is a default iptables ruleset like this

So I repeat my question: what do you mean by "store/load everything like a default rule"?
If a default ruleset is an empty ruleset, it does not make sense to store/load it.
GabrieleMax wrote:if you'd like to change iptables ruleset by an external file where could you put it and could you run it like a *.sh and chmod +x?

Anywhere you like.
p.H
 
Posts: 645
Joined: 2017-09-17 07:12
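For the "external file loaded at boot" approach GabrieleMax asks about, here is an added example (not code from the thread) of a loader script wired to run before the network is configured, as p.H recommends. It first checks the rules file for exactly the mistakes that make iptables-restore fail (a rule line that still begins with `iptables` or carries `-t <table>`, a rule outside any `*<table>` section, a section without COMMIT), then does a parse-only dry run with `iptables-restore --test` before committing. The file path, the script location, the unit name and the function names are assumptions for this example, not Debian or iptables-persistent defaults.

```shell
#!/bin/sh
# Added example, not from the thread: a loader for a hand-maintained ruleset file,
# run once at boot before the network comes up. The paths are assumptions for this
# example, not Debian or iptables-persistent defaults.
RULES=${RULES:-/etc/firewall/rules.v4}

# Catch, before anything reaches the kernel, the mistakes iptables-restore rejects:
# a rule that still starts with "iptables" or carries "-t TABLE" (the "*TABLE"
# header already selects the table), a rule outside any table section, and a
# section without COMMIT. Prints one line per problem, returns 1 if any were found.
check_rules_file() {
    awk '
        function bad(msg) { printf "%s: line %d: %s\n", FILENAME, FNR, msg; errors++ }
        /^#/ || /^[[:space:]]*$/ { next }                       # comments, blank lines
        /^\*/ { if (tbl != "") bad("*" tbl " has no COMMIT"); tbl = substr($0, 2); next }
        $0 == "COMMIT" { if (tbl == "") bad("COMMIT outside a table"); tbl = ""; next }
        tbl == "" { bad("rule outside any *TABLE section: " $0); next }
        /^:/ { next }                                           # chain policy lines
        /^iptables / { bad("drop the leading \"iptables\": " $0) }
        /(^| )(-t|--table) / { bad("drop -t TABLE; *" tbl " selects the table: " $0) }
        END { if (tbl != "") bad("*" tbl " has no COMMIT"); exit (errors ? 1 : 0) }
    ' "$1"
}

# Parse-only dry run first (iptables-restore --test), then commit the whole file
# atomically; a broken file therefore never replaces the running ruleset.
apply_rules() {
    check_rules_file "$RULES" || return 1
    iptables-restore --test < "$RULES" || return 1
    iptables-restore < "$RULES"
}

# Suggested wiring (assumed paths). Save this script as /usr/local/sbin/firewall.sh,
# create /etc/systemd/system/firewall.service with the content below and enable it:
#   [Unit]
#   Description=Load iptables ruleset
#   DefaultDependencies=no
#   Wants=network-pre.target
#   Before=network-pre.target
#   [Service]
#   Type=oneshot
#   RemainAfterExit=yes
#   ExecStart=/usr/local/sbin/firewall.sh apply
#   [Install]
#   WantedBy=multi-user.target
# network-pre.target is systemd's hook for "before any network configuration",
# which gives the ordering p.H asks for without any runlevel.

case "${1:-}" in
    apply) apply_rules ;;
    check) check_rules_file "${2:-$RULES}" ;;
    "")    ;;   # no action given: only define the functions (e.g. when sourced)
    *)     echo "usage: $0 apply | check [FILE]" >&2; exit 2 ;;
esac
```

`firewall.sh check /etc/iptables/rules.v4` on the file from the first post, with the `-t nat -A POSTROUTING ...` line added verbatim, reports that line and exits non-zero, which is the mistake behind the "-t is not available" error.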

