Backing up iptables config before changing.
I'm running Debian 8.2 and want to enable masquerading to share the Internet connection via USB 3G modem across the LAN. I've found a good reference page:
https://www.howtoforge.com/internet-con ... g-on-linux
... but it requires changing the iptables rules. I only do this sort of thing if I can save a copy of the original file.
Problem is I can't find where Deb 8.2 stores what everything refers to as /etc/sysconfig/iptables. I've looked through /etc/ and the install list of iptables but there's no indication of where the rules are stored. Nor can I find anything in Deb docn to enlighten me.
Can anyone advise where they are? Most grateful for assistance.
Re: Backing up iptables config before changing.
> Tonto wrote: I've found a good reference page:
> ...

I'm not sure I agree that is a good reference page. The post and comments have no date, and use references to the 'service' command, which is used to run a System V init script. I'm not sure we do that anymore on Debian? It was deprecated yrs ago for several uses, but I did it anyway......
I do think the method for adding the iptables rule for MASQUERADE is likely to work, if you allow net.ipv4.ip_forward=1 with sysctl. I haven't done this in a long while, but I think you could try it from cli without upsetting any current rules, and if things get out of whack you can just reboot, or delete all iptables rules.
Have you read the man pages for iptables and iptables-save commands?
- cds60601
Re: Backing up iptables config before changing.
Not sure if this is what you are looking for.
If you want to save your current IPTables rule-set, type this at a prompt:

    iptables-save > current_iptables.txt   # iptables-save output is the format iptables-restore reads; a plain "iptables -L" listing cannot be restored

This simply lists your current rules and pipes them to a file. If you wish to load that list:

    iptables-restore < current_iptables.txt
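The point that trips people up in this thread is that `iptables -L` prints a human-readable listing while only `iptables-save` output can be fed back to `iptables-restore`. The script below is an added example, not code posted in the thread: it wraps the save/restore pair and refuses to restore a file that is not in iptables-save format. The two sample files are constructed to mimic the two output formats, and the `IPTABLES_BACKUP` variable is this script's own opt-in switch for touching the live ruleset.

```shell
#!/bin/sh
# Added example (not from the thread): back up the live ruleset in a form
# iptables-restore can actually read, and refuse to "restore" a plain
# `iptables -L` listing, which is readable output, not a ruleset.
set -eu

# iptables-save output has one "*<table>" header per table and ends each
# table with "COMMIT"; `iptables -L` output starts with "Chain ..." and
# has neither. Return 0 only for the restorable format.
is_restorable_ruleset() {
    file=$1
    [ -s "$file" ] || return 1
    grep -q '^\*[a-z]*$' "$file" || return 1
    grep -q '^COMMIT$' "$file" || return 1
    return 0
}

# Save the live rules (needs root). The backup is verified before we trust it.
backup_rules() {
    dest=$1
    iptables-save > "$dest"
    is_restorable_ruleset "$dest"
}

# Restore only from a file that passed the format check, so a stray
# `iptables -L > file` copy is never fed to iptables-restore.
restore_rules() {
    src=$1
    if ! is_restorable_ruleset "$src"; then
        echo "refusing to restore: $src is not iptables-save output" >&2
        return 1
    fi
    iptables-restore < "$src"
}

# --- constructed samples, so the check can be exercised without root ---
LISTING_FILE=$(mktemp)   # what `iptables -L > file` produces (constructed)
SAVE_FILE=$(mktemp)      # what `iptables-save > file` produces (constructed)
cat > "$LISTING_FILE" <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
cat > "$SAVE_FILE" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF

if is_restorable_ruleset "$SAVE_FILE"; then
    echo "$SAVE_FILE: iptables-save format, safe for iptables-restore"
fi
if ! is_restorable_ruleset "$LISTING_FILE"; then
    echo "$LISTING_FILE: iptables -L listing, keep it for reading only"
fi

# Only touch the live ruleset when explicitly asked, as root:
#   IPTABLES_BACKUP=/root/iptables.rules.bak sh backup.sh
if [ -n "${IPTABLES_BACKUP:-}" ]; then
    backup_rules "$IPTABLES_BACKUP" && echo "live rules saved to $IPTABLES_BACKUP"
fi
```

Keeping an `iptables -L` copy alongside is still useful for reading, but the file you roll back from must come from `iptables-save`, which is what the format check enforces.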
- GarryRicketson
Re: Backing up iptables config before changing.
NOTE: I see 2 other members replied while I was writing, so some of this may seem redundant.

There are always various ways to do something:

    # iptables-save > /etc/iptables.rules

will save a copy as well; "iptables.rules" could be any name you want. Also it could be any directory you want.

    man iptables-save

To restore:

    man iptables-restore

Don't just read this small part that I quoted, the documentation has important details, and you need to really read it.

> From: https://wiki.debian.org/DebianFirewall
> Tables and chains
> All rules are stored on different tables.
> The default table is filter, which maintains the INPUT, OUTPUT and FORWARD chains, used for incoming, outgoing and redirected traffic respectively.
> Other present tables are mangle, nat and raw. You can also create and delete custom tables.
> Rules and program invocation may refer to a specific table using the -t table_name switch (or --table table_name).
> If no table is specified, the default table is used (the filter table).
> To list the ruleset of any table, the -L switch is used. For example: ---snip--

Also the manual for the 'iptables' command should clarify... iptables is not a file where tables are stored, it is a command used to set up your iptables, which would be stored.
It is always a good idea to read the manual before running any command, including the 'iptables' command:

    man iptables

or
https://manpages.debian.org/stretch/ipt ... .8.en.html

Using the keywords:

    where are the Iptables rules stored.on Debian 8.2

will yield a lot of very useful results, some are:
https://wiki.debian.org/iptables

Read it all, again, this quote is just a small piece. DO NOT start changing and creating tables until you fully understand what you are doing.

> Configuring iptables manually is challenging for the uninitiated. ---snip--
> Viewing current configuration
> See what rules are already configured. Issue this command:
>     iptables -L

> Tonto wrote: I've found a good reference page:

Hmm, I don't know that it really is as good as you think, first off they do not bother to tell you the most important thing. Make a good backup before making changes to your system, maybe they just assume you already know that.
Sounds like you do, to some extent, but a full backup of the system is best.

> Tonto wrote: I only do this sort of thing if I can save a copy of the original file.

That reference does not tell you how to do that either, I guess they assume you know how, which would make me suspicious. What else are they neglecting to tell me?
The Debian wiki tells you how, but they also neglect to mention how to copy the existing rules:

> To list the ruleset of any table, the -L switch is used. For example:
>     iptables -L

You can make a copy of that output by doing this:

    iptables -L > Iptables.bak

Iptables.bak could be any file name you want to use, for example "old-tables.txt" or whatever.
After you have the original tables saved/copied, and after you have read the manual, you should be able to proceed. If the tables shown in your "reference page" don't work, then use the 'iptables' command to write the rules you had originally, as instructed in the Debian wiki:

> Most commonly used switches are:
> -A Add this rule at the end of the defined chain.
> -D Delete this rule definition from the ruleset.
> -I Insert this rule at the beginning of the defined chain.
> -P Change the default policy of a chain.
> There are other switches, to handle chains, tables, clear rules, counters and other elements. See iptables(8) man page.

The manual and documentation cover all the little details that your "good" reference, the wiki, or me may have left out. You just need to read it all carefully.

> bw123 wrote: I'm not sure I agree that is a good reference page. The post and comments have no date, and use references to the 'service' command, which is used to run a System V init script.

Agree on this, very much... that is why it took me so long to write all of this, and the more I read that reference page, the less I trust it. I would NOT use it, maybe parts, but the OP should look up all of the commands it uses, use the 'man' command, double check and make sure the switches, etc. are really what they want to do... I do not use "iptables" myself, so am by no means any expert...
Last edited by GarryRicketson on 2018-08-30 03:02, edited 1 time in total.
- cds60601
Re: Backing up iptables config before changing.
Not to hi-jack the thread, just something really quick -
LOL - Garry, I would have never guessed you used OBSD. I shouldn't be surprised but for some reason, it just kinda caught me off-guard.
Ever do up FBSD or NBSD?
- GarryRicketson
Re: Backing up iptables config before changing.
Yes it is off topic, but any way, I tried both but they are not the same...I like OpenBsd best.
Re: Backing up iptables config before changing.
Crikey! MUCH appreciate the detailed replies, will take a little while to work through them.
I've developed a suspicion that the default iptables config is dynamically generated at boot time. Can't see this mentioned ANYWHERE in the docn, however.
Last edited by Tonto on 2018-08-30 16:12, edited 1 time in total.
- Head_on_a_Stick
Re: Backing up iptables config before changing.
> Tonto wrote: the default iptables config

Debian's default iptables configuration is empty.
EDIT: https://wiki.debian.org/iptables
Re: Backing up iptables config before changing.
> Have you read the man pages for iptables and iptables-save commands?
Yes to the first, didn't know about the second.
> Not sure if this is what you are looking for.
Yes, great and thanks, esp iptables-restore. Gives me the confidence I need to proceed.
> ... so some of this may seem redundant
Not at all. A very useful summary: most grateful.
> Debian's default iptables configuration is empty.
Hmm. But where do the rules listed by invoking iptables come from?
Thanks again guys. Very useful replies.
Re: Backing up iptables config before changing.
I'll post this separately and apologize for being a bit off-topic, but this now has me worried:
> Debian's default iptables configuration is empty.
I've always assumed that a firewall was active on my machine, and that iptables was responsible for this. But if the default config is empty, what is responsible for opening access to e.g. ports 22 (ssh) 80 (http) etc. I'd assumed that iptables took care of this, as suggested in the page that I reference and which others don't seem to like. I accept their comments and criticisms, but I learned a lot from it.
So if iptables in not responsible for opening ports - and more importantly, closing unused ones - then what is?
- Head_on_a_Stick
Re: Backing up iptables config before changing.
> Tonto wrote: what is responsible for opening access to e.g. ports 22 (ssh) 80 (http) etc

You can configure iptables to block or allow access to those ports, if you want, I prefer nftables myself and there may be other firewall backends.
You don't need to "close" ports unless there is a vulnerable service listening to them, this is why Debian's stock configuration is:
root@hegel:~ # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@hegel:~ #
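To make the stock "policy ACCEPT, no rules" dump above concrete beside a minimal default-deny alternative, here is an added example that is not code from the thread. It writes both rulesets in iptables-save format (the format `iptables-save` produces and `iptables-restore` reads, with one `*table` block per table as the Debian wiki quote earlier explains) and reads back from each dump the INPUT policy, the TCP ports explicitly accepted, and the tables present. The hardened sample also carries the nat-table MASQUERADE rule the OP is after, which additionally needs `net.ipv4.ip_forward=1` as bw123 noted. Both rulesets are constructed samples; `eth0` for the LAN and `ppp0` for the 3G modem are assumed interface names, and ports 22 and 80 are the ones named in the thread. Nothing here touches the live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): Debian's stock empty ruleset beside a
# default-deny INPUT policy, both as iptables-save dumps, plus small readers
# for what such a dump says. Constructed samples only; no live iptables calls.
set -eu

# Policy of the filter table's INPUT chain: second field of its
# ":INPUT POLICY [pkts:bytes]" line, tracked per "*table" header.
input_policy() {
    awk '/^\*/ { table = substr($1, 2) }
         table == "filter" && $1 == ":INPUT" { print $2; exit }' "$1"
}

# TCP destination ports explicitly accepted on filter/INPUT, space-separated.
accepted_tcp_ports() {
    awk '/^\*/ { table = substr($1, 2) }
         table == "filter" && $1 == "-A" && $2 == "INPUT" && / -p tcp / && / -j ACCEPT/ {
             for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
         }' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Tables present in the dump, in file order.
tables_in_dump() {
    awk '/^\*/ { print substr($1, 2) }' "$1" | tr '\n' ' ' | sed 's/ $//'
}

STOCK=$(mktemp)      # what iptables-save prints on a fresh Debian install
HARDENED=$(mktemp)   # a minimal default-deny alternative (constructed)

cat > "$STOCK" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF

# Default-deny on INPUT and FORWARD: keep loopback and established traffic,
# accept only the services meant to be reachable (sshd, a web server), forward
# LAN (eth0, assumed) to the modem (ppp0, assumed) and masquerade on the way
# out. Everything else is dropped instead of relying on nothing listening.
cat > "$HARDENED" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o ppp0 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
EOF

for f in "$STOCK" "$HARDENED"; do
    echo "$f: tables [$(tables_in_dump "$f")], INPUT policy $(input_policy "$f"), accepted TCP ports [$(accepted_tcp_ports "$f")]"
done
```

Loading the hardened file is `iptables-restore < "$HARDENED"` as root, after `iptables-save` has captured the current rules so there is something to roll back to; with the INPUT policy at DROP, a typo in the ssh port rule locks you out of a remote box, which is exactly why the backup comes first.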
Re: Backing up iptables config before changing.
Thanks. Looks like I've been taking firewalls for granted when I need to get better acquainted with the topic. I've read lots of reports about "vulnerabilities", esp regarding the swathe of IoT devices now appearing, and am starting to see why the whole business is a potential minefield.