
Backing up iptables config before changing.

Tonto
Posts: 39
Joined: 2015-11-02 20:30
Been thanked: 1 time

Backing up iptables config before changing.

#1 Post by Tonto »

I'm running Debian 8.2 and want to enable masquerading to share the Internet connection via USB 3G modem across the LAN. I've found a good reference page:

https://www.howtoforge.com/internet-con ... g-on-linux

... but it requires changing the iptables rules. I only do this sort of thing if I can save a copy of the original file.

Problem is I can't find where Deb 8.2 stores what everything refers to as /etc/sysconfig/iptables. I've looked through /etc/ and the install list of iptables but there's no indication of where the rules are stored. Nor can I find anything in Deb docn to enlighten me.

Can anyone advise where they are? Most grateful for assistance.

bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Backing up iptables config before changing.

#2 Post by bw123 »

> I've found a good reference page:
I'm not sure I agree that is a good reference page. The post and comments have no date, and use references to the 'service' command, which is used to run a System V init script. I'm not sure we do that anymore on debian? It was deprecated yrs ago for several uses, but I did it anyway...

I do think the method for adding the iptables rule for MASQUERADE is likely to work, if you allow net.ipv4.ip_forward=1 with sysctl. I haven't done this in a long while, but I think you could try it from cli without upsetting any current rules, and if things get out of whack you can just reboot, or delete all iptables rules.

Have you read the man pages for iptables and iptables-save commands?
resigned by AI ChatGPT
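The masquerading step bw123 describes (net.ipv4.ip_forward=1 via sysctl plus a MASQUERADE rule), written out as an added example; this is not bw123's code and not the howtoforge page's. It assumes the 3G modem shows up as ppp0 and the LAN side is eth0 (placeholder names, passed as arguments), keeps FORWARD at DROP so only LAN-initiated connections and their replies cross the box, and emits the ruleset in iptables-save format so it can be syntax-checked with iptables-restore --test before anything is loaded.

```shell
#!/bin/sh
# Added example, not code from the thread or the referenced how-to.
# Assumptions: WAN (3G modem) = ppp0, LAN = eth0; both are placeholders
# and are passed in as arguments.
set -eu

# Print an iptables-save style ruleset that masquerades LAN traffic out
# of the WAN interface. FORWARD defaults to DROP: only LAN -> WAN and the
# replies to those connections are forwarded, so the modem side cannot
# open connections to LAN hosts.
masquerade_ruleset() {
    wan="$1"
    lan="$2"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# Self-check helper: how many rules in a ruleset (passed as a string)
# send traffic out of the given interface.
count_wan_rules() {
    printf '%s\n' "$1" | grep -c -- "-o $2 " || true
}

# Apply for real: enable forwarding, save the live rules first, check the
# new ruleset parses, then load it. Needs root and iptables.
apply_masquerade() {
    wan="$1"; lan="$2"; backup="${3:-/root/iptables-before-nat.rules}"
    sysctl -w net.ipv4.ip_forward=1
    iptables-save > "$backup"                    # the copy to fall back to
    masquerade_ruleset "$wan" "$lan" > /tmp/nat.rules
    iptables-restore --test < /tmp/nat.rules      # parse only, no change yet
    iptables-restore < /tmp/nat.rules
    echo "applied; previous rules saved in $backup"
}

# Dry run by default: just print the ruleset.
# "sh nat.sh apply ppp0 eth0" (as root) loads it.
if [ "${1:-}" = "apply" ]; then
    apply_masquerade "$2" "$3"
else
    masquerade_ruleset "${2:-ppp0}" "${3:-eth0}"
fi
```

Two things worth knowing before running the apply branch: iptables-restore replaces the whole contents of every table it is given (filter and nat here), so the iptables-save backup it writes first is what you would reload if the new rules misbehave; and `sysctl -w` only lasts until reboot, so the forwarding setting also belongs in /etc/sysctl.conf or a file under /etc/sysctl.d/ if it should persist.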

cds60601
df -h | participant
Posts: 739
Joined: 2017-11-25 05:58
Location: Florida
Has thanked: 136 times
Been thanked: 65 times

Re: Backing up iptables config before changing.

#3 Post by cds60601 »

Not sure if this is what you are looking for.
If you want to save your current IPTables rule-set - type this at a prompt

    iptables -L > current_iptables.txt

This simply lists your current rules and pipes them to a file. If you wish to load that list:

    iptables-restore < current_iptables.txt

Supercalifragilisticexpialidocious

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Backing up iptables config before changing.

#4 Post by GarryRicketson »

NOTE: I see 2 other members replied while I was writing, so some of this may seem redundant
=============
There are always various ways to do something:

    # iptables-save > /etc/iptables.rules

Will save a copy as well, "iptables.rules" could be any name you want.
Also it could be any directory you want.

    man iptables-save

to restore:

    man iptables-restore

================
From: https://wiki.debian.org/DebianFirewall Tables and chains

All rules, are stored on different tables.

The default table is filter, which maintain the INPUT, OUTPUT and FORWARD chains, used for incoming, outgoing and redirected traffic respectively.

Other present tables are mangle, nat and raw. You can also create and delete custom tables.

Rules and program invocation may refer to a specific table using the -t table_name switch (or --table table_name).

If no table is specified, the default table is used (the filter table).

To list the ruleset of any table, the -L switch is used. For example: ---snip--
Don't just read this small part that I quoted, the documentation has important details, and you need to really read it.
Also the manual for the 'iptables' command should clarify... iptables is not a file where tables are stored, it is a command used to set up your iptables, which would be stored.
It is always a good idea to read the manual, before running any command,
including the 'iptables' command :

    man iptables

or
https://manpages.debian.org/stretch/ipt ... .8.en.html

Using the keywords:

    where are the Iptables rules stored on Debian 8.2

Will yield a lot of very useful results, some are:
https://wiki.debian.org/iptables
Configuring iptables manually is challenging for the uninitiated. ---snip--

Viewing current configuration

See what rules are already configured. Issue this command:

    iptables -L

Read it all, again, this quote is just a small piece. DO NOT start changing and creating tables until you fully understand what you are doing.
> I've found a good reference page:

Hmm, I don't know that it really is as good as you think, first off they do not bother to tell you the most important thing. Make a good backup, before making changes to your system, maybe they just assume you all ready know that.
Sounds like you do, to some extent, but a full back up of the system, is best.
> I only do this sort of thing if I can save a copy of the original file.

That reference does not tell you how to do that either, I guess they assume you know how, which would make me suspicious, What else are they neglecting to tell me ?
The Debian wiki tells you how, but they also neglect to mention
how to copy the existing rules:
> To list the ruleset of any table, the -L switch is used. For example:

    iptables -L

You can make a copy of that output, by doing this:

    iptables -L > Iptables.bak

Iptables.bak could be any file name you want to use, for example "old-tables.txt" or whatever.
After you have the original tables saved/copied, and after you have read the manual, you should be able to proceed. If the tables shown in your "reference page" don't work, then use the 'iptables' command to write the rules you had originally, as instructed in the Debian wiki:
Most commonly used switches are:

-A Add this rule at the end of the defined chain.
-D Delete this rule definition from the ruleset.
-I Insert this rule at the beginning of the defined chain.
-P Change the default policy of a chain.
There are other switches, to handle chains, tables, clear rules, counters and other elements. See iptables(8) man page.
The manual and documentation covers all the little details that your "good reference", the wiki, or me, may have left out. You just need to read it all carefully.
===========
bw123 wrote:
> I'm not sure I agree that is a good reference page. The post and comments have no date, and use references to the 'service' command, which is used to run a System V init script.

Agree on this, very much. That is why it took me so long to write all of this, and the more I read that reference page, the less I trust it. I would NOT use it, maybe parts, but the OP should look up all of the commands it uses, use the 'man' command, double check and make sure the switches etc. are really what they want to do. I do not use "iptables" myself, so am by no means any expert.
Last edited by GarryRicketson on 2018-08-30 03:02, edited 1 time in total.
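One point the two backup recipes above (cds60601's and GarryRicketson's) leave implicit: iptables-restore reads the format produced by iptables-save, not the human-readable table printed by `iptables -L`, so a file made with `iptables -L > file` is fine as a record of what the rules were but cannot be fed back in with iptables-restore. The following is an added example, not code from either poster, of a backup/restore pair that checks which kind of file it has been handed before touching anything; the two sample files are constructed, and the default backup location under /root is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread. Distinguishes an "iptables -L"
# listing (human-readable, not restorable) from an "iptables-save" dump
# (what iptables-restore actually reads) and refuses to restore the former.
set -eu

# Return 0 if the file looks like iptables-save output: one or more
# "*table" headers, each closed by a COMMIT line.
is_save_format() {
    f="$1"
    tables=$(grep -c '^\*[a-z]*$' "$f" || true)
    commits=$(grep -c '^COMMIT$' "$f" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# Return 0 if the file looks like "iptables -L" output instead.
is_listing_format() {
    grep -q '^Chain [A-Za-z0-9_-]* (policy ' "$1"
}

# Save the live ruleset with iptables-save and verify the result parses as
# such. Default path under /root is an assumption; needs root.
backup_rules() {
    out="${1:-/root/iptables-$(date +%Y%m%d-%H%M%S).rules}"
    iptables-save > "$out"
    is_save_format "$out" || { echo "backup $out is not in iptables-save format" >&2; return 1; }
    echo "$out"
}

# Reload a saved ruleset, but only after checking it is the right kind of
# file and that iptables-restore can parse it (--test makes no changes).
restore_rules() {
    f="$1"
    if is_listing_format "$f"; then
        echo "$f is an 'iptables -L' listing; iptables-restore cannot read it. Use iptables-save output." >&2
        return 1
    fi
    is_save_format "$f" || { echo "$f does not look like iptables-save output" >&2; return 1; }
    iptables-restore --test < "$f"
    iptables-restore < "$f"
}

# Constructed samples (not captured from a real host) so the checks above
# can be exercised without root or iptables: $1 gets a -L style listing,
# $2 gets an empty filter table in iptables-save format.
write_samples() {
    cat > "$1" <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
    cat > "$2" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Usage (as root): "sh rules.sh backup [file]" or "sh rules.sh restore file".
if [ "${1:-}" = "backup" ]; then backup_rules "${2:-}"; fi
if [ "${1:-}" = "restore" ]; then restore_rules "$2"; fi
```

Keeping both kinds of file is reasonable: the iptables-save dump is the one you restore from, and a `-L -n -v` listing alongside it is easier to read when comparing before and after.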

cds60601
df -h | participant
Posts: 739
Joined: 2017-11-25 05:58
Location: Florida
Has thanked: 136 times
Been thanked: 65 times

Re: Backing up iptables config before changing.

#5 Post by cds60601 »

Not to hi-jack the thread, just something really quick -
LOL - Garry, I would have never guessed you used OBSD. I shouldn't be surprised but for some reason, it just kinda caught me off-guard.
Ever do up FBSD or NBSD?
Supercalifragilisticexpialidocious

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Backing up iptables config before changing.

#6 Post by GarryRicketson »

Yes it is off topic, but anyway, I tried both but they are not the same... I like OpenBSD best.

Tonto
Posts: 39
Joined: 2015-11-02 20:30
Been thanked: 1 time

Re: Backing up iptables config before changing.

#7 Post by Tonto »

Crikey! MUCH appreciate the detailed replies, will take a little while to work through them.

I've developed a suspicion that the default iptables config is dynamically generated at boot time. Can't see this mentioned ANYWHERE in the docn, however.
Last edited by Tonto on 2018-08-30 16:12, edited 1 time in total.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 133 times

Re: Backing up iptables config before changing.

#8 Post by Head_on_a_Stick »

Tonto wrote:
> the default iptables config

Debian's default iptables configuration is empty.

EDIT: https://wiki.debian.org/iptables
deadbang

Tonto
Posts: 39
Joined: 2015-11-02 20:30
Been thanked: 1 time

Re: Backing up iptables config before changing.

#9 Post by Tonto »

> Have you read the man pages for iptables and iptables-save commands?

Yes to the first, didn't know about the second.

> Not sure if this is what you are looking for.

Yes, great and thanks, esp iptables-restore. Gives me the confidence I need to proceed.

> ... so some of this may seem redundant

Not at all. A very useful summary: most grateful.

> Debian's default iptables configuration is empty.

Hmm. But where do the rules listed by invoking iptables come from?

Thanks again guys. Very useful replies.

Tonto
Posts: 39
Joined: 2015-11-02 20:30
Been thanked: 1 time

Re: Backing up iptables config before changing.

#10 Post by Tonto »

I'll post this separately and apologize for being a bit off-topic, but this now has me worried:

> Debian's default iptables configuration is empty.

I've always assumed that a firewall was active on my machine, and that iptables was responsible for this. But if the default config is empty, what is responsible for opening access to e.g. ports 22 (ssh), 80 (http) etc.? I'd assumed that iptables took care of this, as suggested in the page that I reference and which others don't seem to like. I accept their comments and criticisms, but I learned a lot from it.

So if iptables is not responsible for opening ports - and more importantly, closing unused ones - then what is?

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 133 times

Re: Backing up iptables config before changing.

#11 Post by Head_on_a_Stick »

Tonto wrote:
> what is responsible for opening access to e.g. ports 22 (ssh) 80 (http) etc

You can configure iptables to block or allow access to those ports, if you want, I prefer nftables myself and there may be other firewall backends.

You don't need to "close" ports unless there is a vulnerable service listening to them, this is why Debian's stock configuration is:

    root@hegel:~ # iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    root@hegel:~ #

^ It allows all connections from anywhere to anywhere.
deadbang
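As an added example (not Head_on_a_Stick's code), here is a small script that reads an `iptables -L` listing like the one above and reports which chains have an ACCEPT policy and no rules at all, i.e. let everything through, and then prints for contrast what a restrictive INPUT chain looks like in iptables-save format. The listing embedded in it is a constructed copy of the stock output shown in the post; the loopback, conntrack and SSH-port rules are assumptions about what such a host would typically need, not anything the thread prescribes.

```shell
#!/bin/sh
# Added example, not from the post. Audits an "iptables -L" listing for
# chains that accept everything, then prints a restrictive alternative.
set -eu

# Constructed listing: a copy of the stock Debian output quoted in the post.
STOCK_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Print "CHAIN POLICY" for every chain header in a listing read from stdin.
chain_policies() {
    sed -n 's/^Chain \([A-Za-z0-9_-]*\) (policy \([A-Z]*\)).*$/\1 \2/p'
}

# Print the chains whose policy is ACCEPT and that contain no rules: every
# packet reaching such a chain is accepted without any check.
open_chains() {
    awk '
        /^Chain / { if (chain != "" && policy == "ACCEPT" && rules == 0) print chain
                    chain = $2; policy = $4; sub(/\)$/, "", policy); rules = 0; next }
        /^target/ { next }
        NF > 0    { rules++ }
        END { if (chain != "" && policy == "ACCEPT" && rules == 0) print chain }
    '
}

# A restrictive INPUT chain to contrast with the stock one: loopback,
# replies to connections this host started, ICMP and one SSH port are
# allowed; everything else is dropped. FORWARD is dropped as well because
# this host is not acting as a router here. Port 22 is an assumption.
restrictive_ruleset() {
    ssh_port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# Audit the constructed listing, then show the alternative. To audit a real
# host, replace STOCK_LISTING with the output of "iptables -L" (as root).
printf '%s\n' "$STOCK_LISTING" | chain_policies
echo "chains accepting everything:"
printf '%s\n' "$STOCK_LISTING" | open_chains
echo "--- restrictive alternative (iptables-save format) ---"
restrictive_ruleset
```

Whether the restrictive chain is worth applying depends on what is listening: a host with only SSH exposed, as the post says, gains little from it, while a host running services that should only be reachable from the LAN gains a second control independent of each service's own configuration. Either way the ruleset should be loaded with `iptables-restore --test` first and after an `iptables-save` backup, and the SSH rule must match the port actually in use or the session you are working from will be cut off.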

Tonto
Posts: 39
Joined: 2015-11-02 20:30
Been thanked: 1 time

Re: Backing up iptables config before changing.

#12 Post by Tonto »

Thanks. Looks like I've been taking firewalls for granted when I need to get better acquainted with the topic. I've read lots of reports about "vulnerabilities", esp regarding the swathe of IoT devices now appearing, and am starting to see why the whole business is a potential minefield.
