Backing up iptables config before changing.


Post by Tonto » 2018-08-30 00:48

I'm running Debian 8.2 and want to enable masquerading to share the Internet connection via USB 3G modem across the LAN. I've found a good reference page:

https://www.howtoforge.com/internet-con ... g-on-linux

... but it requires changing the iptables rules. I only do this sort of thing if I can save a copy of the original file.

Problem is I can't find where Deb 8.2 stores what everything refers to as /etc/sysconfig/iptables. I've looked through /etc/ and the install list of iptables but there's no indication of where the rules are stored. Nor can I find anything in Deb docn to enlighten me.

Can anyone advise where they are? Most grateful for assistance.
Tonto
 
Posts: 8
Joined: 2015-11-02 20:30

Re: Backing up iptables config before changing.

Post by bw123 » 2018-08-30 01:41

> ...
> I've found a good reference page:
> ...

I'm not sure I agree that is a good reference page. The post and comments have no date, and use references to the 'service' command, which is used to run a System V init script. I'm not sure we do that anymore on Debian? It was deprecated years ago for several uses, but I did it anyway...

I do think the method for adding the iptables rule for MASQUERADE is likely to work, if you allow net.ipv4.ip_forward=1 with sysctl. I haven't done this in a long while, but I think you could try it from cli without upsetting any current rules, and if things get out of whack you can just reboot, or delete all iptables rules.

Have you read the man pages for iptables and iptables-save commands?
bw123
 
Posts: 3572
Joined: 2011-05-09 06:02
Location: TN_USA

Re: Backing up iptables config before changing.

Post by cds60601 » 2018-08-30 01:44

Not sure if this is what you are looking for.
If you want to save your current IPTables rule-set - type this at a prompt

Code:
iptables -L > current_iptables.txt


This simply lists your current rules and pipes them to a file. If you wish to load that list:

Code:
iptables-restore < current_iptables.txt

Yeah, 220, 221. Whatever it takes.
Server: Debian 9 (Stretch) Workstation: Archlinux
cds60601
 
Posts: 136
Joined: 2017-11-25 05:58

Re: Backing up iptables config before changing.

Post by GarryRicketson » 2018-08-30 02:36

NOTE: I see 2 other members replied while I was writing, so some of this may seem redundant
=============
There are always various ways to do something:
Code:
# iptables-save > /etc/iptables.rules

Will save a copy as well, "iptables.rules" could be any name you want.
Also it could be any directory you want.
Code:
man iptables-save

to restore:
Code:
man iptables-restore

================

From: https://wiki.debian.org/DebianFirewall

> Tables and chains
>
> All rules, are stored on different tables.
>
> The default table is filter, which maintain the INPUT, OUTPUT and FORWARD chains, used for incoming, outgoing and redirected traffic respectively.
>
> Other present tables are mangle, nat and raw. You can also create and delete custom tables.
>
> Rules and program invocation may refer to a specific table using the -t table_name switch (or --table table_name).
>
> If no table is specified, the default table is used (the filter table).
>
> To list the ruleset of any table, the -L switch is used. For example: ---snip--

Don't just read this small part that I quoted, the documentation has important details, and you need to really read it.
Also the manual for the 'iptables' command should clarify: iptables is not a file where tables are stored, it is a command used to set up your iptables, which would be stored.
It is always a good idea to read the manual before running any command,
including the 'iptables' command:
Code:
man iptables

or
https://manpages.debian.org/stretch/iptables/iptables.8.en.html

Using the keywords:
Code: Select all
where are the Iptables rules stored.on Debian 8.2
Will yield a lot of very useful results, some are:
https://wiki.debian.org/iptables
Configuring iptables manually is challenging for the uninitiated. ---snip--

Viewing current configuration

See what rules are already configured. Issue this command:
Code: Select all
 iptables -L

Read it all, again, this quote is just a small piece. DO NOT start changing and creating tables until you fully understand what you are doing.

> I've found a good reference page:

Hmm, I don't know that it really is as good as you think. First off, they do not bother to tell you the most important thing: make a good backup before making changes to your system. Maybe they just assume you already know that.
Sounds like you do, to some extent, but a full backup of the system is best.

> I only do this sort of thing if I can save a copy of the original file.

That reference does not tell you how to do that either. I guess they assume you know how, which would make me suspicious: what else are they neglecting to tell me?
The Debian wiki tells you how, but they also neglect to mention how to copy the existing rules:

> To list the ruleset of any table, the -L switch is used. For example:

Code:
iptables -L

You can make a copy of that output by doing this:
Code:
iptables -L > Iptables.bak

Iptables.bak could be any file name you want to use, for example "old-tables.txt" or whatever.
After you have the original tables saved/copied, and after you have read the manual, you should be able to proceed. If the tables shown in your "reference page" don't work, then use the 'iptables' command to write the rules you had originally, as instructed in the Debian wiki:

> Most commonly used switches are:
>
> -A Add this rule at the end of the defined chain.
> -D Delete this rule definition from the ruleset.
> -I Insert this rule at the beginning of the defined chain.
> -P Change the default policy of a chain.
>
> There are other switches, to handle chains, tables, clear rules, counters and other elements. See iptables(8) man page.


The manual and documentation cover all the little details that your "good" reference, the wiki, or me, may have left out. You just need to read it all carefully.
===========
bw123>>I'm not sure I agree that is a good reference page. The post and comments have no date, and use references to the 'service' command, which is used to run a System V init script.

Agree on this, very much. That is why it took me so long to write all of this, and the more I read that reference page, the less I trust it. I would NOT use it, maybe parts, but the OP should look up all of the commands it uses, use the 'man' command, double check and make sure the switches, etc. are really what they want to do. I do not use "iptables" myself, so am by no means any expert.
Last edited by GarryRicketson on 2018-08-30 03:02, edited 1 time in total.
GarryRicketson
 
Posts: 5186
Joined: 2015-01-20 22:16
Location: Durango, Mexico
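
Added example, not part of any post in this thread: iptables-restore reads the format written by iptables-save (every table, each section closed by COMMIT), while the `iptables -L` listing shows only the filter table and is not in that format, so a backup is worth checking before the rules are changed. The function names, the /root path and both sample rulesets (including the interface ppp0) are constructed assumptions.

```shell
# Added example (not from the thread); names and paths are assumptions.

# Succeeds only if the input is in iptables-save format: one or more "*table"
# sections, each closed by COMMIT, holding only chain declarations and rules.
is_restore_format() {
    awk '
        /^#/ || /^[ \t]*$/    { next }   # comments, blank lines
        /^\*/                 { if (in_table) bad = 1; in_table = 1; tables++; next }
        /^COMMIT$/            { if (!in_table) bad = 1; in_table = 0; next }
        /^:/ || /^-/ || /^\[/ { if (!in_table) bad = 1; next }
        { bad = 1 }           # e.g. "Chain INPUT (policy ACCEPT)" from iptables -L
        END { exit (bad || in_table || !tables) }
    ' "${1:--}"
}

# Print the tables present in a save file, e.g. "nat filter".
tables_in_backup() {
    awk '/^\*/ { printf "%s%s", sep, substr($0, 2); sep = " " } END { print "" }' "${1:--}"
}

# Save every table, then verify the file before relying on it. Needs root.
backup_rules() {
    out=${1:-/root/iptables-$(date +%Y%m%d-%H%M%S).rules}
    ( umask 077; iptables-save > "$out" ) || return 1
    is_restore_format "$out" || return 1
    iptables-restore --test < "$out" || return 1   # parse only, nothing is committed
    echo "$out"
}

# Constructed sample: iptables-save output with a MASQUERADE rule on ppp0.
sample_save() { cat <<'EOF'
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Constructed sample: the human-readable listing printed by iptables -L.
sample_list() { cat <<'EOF'
Chain INPUT (policy ACCEPT)
EOF
}
```

Run `backup_rules` as root before editing rules; the file it prints can be loaded again with `iptables-restore < FILE`.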

Re: Backing up iptables config before changing.

Post by cds60601 » 2018-08-30 02:49

Not to hi-jack the thread, just something really quick -
LOL - Garry, I would have never guessed you used OBSD. I shouldn't be surprised but for some reason, it just kinda caught me off-guard.
Ever do up FBSD or NBSD?
Yeah, 220, 221. Whatever it takes.
Server: Debian 9 (Stretch) Workstation: Archlinux
cds60601
 
Posts: 136
Joined: 2017-11-25 05:58

Re: Backing up iptables config before changing.

Post by GarryRicketson » 2018-08-30 03:07

Yes it is off topic, but anyway, I tried both but they are not the same... I like OpenBSD best.
GarryRicketson
 
Posts: 5186
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Backing up iptables config before changing.

Post by Tonto » 2018-08-30 04:23

Crikey! MUCH appreciate the detailed replies, will take a little while to work through them.

I've developed a suspicion that the default iptables config is dynamically generated at boot time. Can't see this mentioned ANYWHERE in the docn, however.
Last edited by Tonto on 2018-08-30 16:12, edited 1 time in total.
Tonto
 
Posts: 8
Joined: 2015-11-02 20:30

Re: Backing up iptables config before changing.

Post by Head_on_a_Stick » 2018-08-30 05:02

Tonto wrote:the default iptables config

Debian's default iptables configuration is empty.

EDIT: https://wiki.debian.org/iptables
dbruce wrote:Ubuntu forums try to be like a coffee shop in Seattle. Debian forums strive for the charm and ambience of a skinhead bar in Bacau. We intend to keep it that way.
Head_on_a_Stick
 
Posts: 8315
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Backing up iptables config before changing.

Post by Tonto » 2018-08-30 15:46

> Have you read the man pages for iptables and iptables-save commands?

Yes to the first, didn't know about the second.

> Not sure if this is what you are looking for.

Yes, great and thanks, esp iptables-restore. Gives me the confidence I need to proceed.

> ... so some of this may seem redundant

Not at all. A very useful summary: most grateful.

> Debian's default iptables configuration is empty.

Hmm. But where do the rules listed by invoking iptables come from?

Thanks again guys. Very useful replies.
Tonto
 
Posts: 8
Joined: 2015-11-02 20:30

Re: Backing up iptables config before changing.

Post by Tonto » 2018-08-30 17:48

I'll post this separately and apologize for being a bit off-topic, but this now has me worried:

> Debian's default iptables configuration is empty.

I've always assumed that a firewall was active on my machine, and that iptables was responsible for this. But if the default config is empty, what is responsible for opening access to e.g. ports 22 (ssh) 80 (http) etc. I'd assumed that iptables took care of this, as suggested in the page that I reference and which others don't seem to like. I accept their comments and criticisms, but I learned a lot from it.

So if iptables is not responsible for opening ports - and more importantly, closing unused ones - then what is?
Tonto
 
Posts: 8
Joined: 2015-11-02 20:30

Re: Backing up iptables config before changing.

Post by Head_on_a_Stick » 2018-08-30 18:15

Tonto wrote:what is responsible for opening access to e.g. ports 22 (ssh) 80 (http) etc

You can configure iptables to block or allow access to those ports if you want; I prefer nftables myself, and there may be other firewall backends.

You don't need to "close" ports unless there is a vulnerable service listening to them; this is why Debian's stock configuration is:
Code:
root@hegel:~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
root@hegel:~ #

^ It allows all connections from anywhere to anywhere.
dbruce wrote:Ubuntu forums try to be like a coffee shop in Seattle. Debian forums strive for the charm and ambience of a skinhead bar in Bacau. We intend to keep it that way.
Head_on_a_Stick
 
Posts: 8315
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Backing up iptables config before changing.

Post by Tonto » 2018-08-30 21:32

Thanks. Looks like I've been taking firewalls for granted when I need to get better acquainted with the topic. I've read lots of reports about "vulnerabilities", esp regarding the swathe of IoT devices now appearing, and am starting to see why the whole business is a potential minefield.
Tonto
 
Posts: 8
Joined: 2015-11-02 20:30

