How to translate iptables rule for iptables-persistent file

Linux Kernel, Network, and Services configuration.
GabrieleMax
Posts: 126
Joined: 2016-09-07 20:24
Location: Senigallia (AN) - Italy
Has thanked: 4 times
Been thanked: 1 time

How to translate iptables rule for iptables-persistent file

#1 Post by GabrieleMax »

Below you can see my /etc/iptables/rules.v4

Code:

# Generated by iptables-save v1.6.2 on Fri Mar  9 19:44:53 2018
*filter
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT
COMMIT
# Completed on Fri Mar  9 19:44:53 2018
# Generated by iptables-save v1.6.2 on Fri Mar  9 19:44:53 2018
*nat
:PREROUTING ACCEPT [4:896]
:INPUT ACCEPT [4:896]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Fri Mar  9 19:44:53 2018
# Generated by iptables-save v1.6.2 on Fri Mar  9 19:44:53 2018
*mangle
:PREROUTING ACCEPT [25906:39089741]
:INPUT ACCEPT [25906:39089741]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11879:665898]
:POSTROUTING ACCEPT [11879:665898]
COMMIT
# Completed on Fri Mar  9 19:44:53 2018

I need to add this line in the file above:

Code:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp0s9 -j MASQUERADE

I add the command above (without the iptables word) inside /etc/iptables/rules.v4; after that I use the command below:

Code:

iptables-restore < /etc/iptables/rules.v4

The result of the command above is something like "-t" is not available!

GabrieleMax

steve_v
df -h | grep > 20TiB
Posts: 1418
Joined: 2012-10-06 05:31
Location: /dev/chair
Has thanked: 79 times
Been thanked: 191 times

Re: How to translate iptables rule for iptables-persistent f

#2 Post by steve_v »

Code:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp0s9 -j MASQUERADE

then

Code:

iptables-save > /etc/iptables/rules.v4

One is not really supposed to edit the persistence file by hand.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.

GabrieleMax
Posts: 126
Joined: 2016-09-07 20:24
Location: Senigallia (AN) - Italy
Has thanked: 4 times
Been thanked: 1 time

Re: How to translate iptables rule for iptables-persistent f

#3 Post by GabrieleMax »

steve_v wrote:

Code:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp0s9 -j MASQUERADE

then

Code:

iptables-save > /etc/iptables/rules.v4

Maybe I should also do this after it to have a permanent rule:

Code:

iptables-restore < /etc/iptables/rules.v4

steve_v wrote: One is not really supposed to edit the persistence file by hand.
You're right, but somewhere, for example here https://linode.com/docs/networking/vpn/ ... pn-server/, he does it by hand. But I understood it's easier to do it your way!

Others think it's not good to modify default rules, so some say it's better to store a script for different rules and to load it at startup; what do you think about it?

GabrieleMax

steve_v
df -h | grep > 20TiB
Posts: 1418
Joined: 2012-10-06 05:31
Location: /dev/chair
Has thanked: 79 times
Been thanked: 191 times

Re: How to translate iptables rule for iptables-persistent f

#4 Post by steve_v »

GabrieleMax wrote:Maybe I should also do after it to have a permanent rule:

Code:

iptables-restore < /etc/iptables/rules.v4

That is run at bootup anyway. Running it by hand won't make your rule any more "permanent", but it is a reasonable test to check that your rules will be applied next boot.
GabrieleMax wrote:Others think it's not good to modify default routes so someone say it's better to store a script for different rules and to load it at startup, what do you think about it?
Whatever floats your boat. I'd use scripts if I needed to swap rulesets regularly.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: How to translate iptables rule for iptables-persistent f

#5 Post by p.H »

You can insert the rule in the relevant table section, between the chain policy specification and the commit:

Code:

*nat
:PREROUTING ACCEPT [4:896]
:INPUT ACCEPT [4:896]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o enp0s9 -j MASQUERADE
COMMIT

You must strip "iptables -t <table>".
Last edited by p.H on 2018-03-13 19:24, edited 1 time in total.
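As an added example (not code from the thread or from the iptables project), the following Python helper performs the translation p.H describes: it strips the leading iptables and the -t <table> option that iptables-restore rejects (the "-t" error in post #1), then places the rule in the matching *table section just before that section's COMMIT. The sample dump is constructed from the rules.v4 quoted in post #1; the function names are my own.

```python
import shlex

# Constructed sample in the iptables-save layout of the rules.v4 quoted in post #1
# (mangle table and "# Generated" comments omitted for brevity).
SAMPLE_RULES_V4 = """\
*filter
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT
COMMIT
*nat
:PREROUTING ACCEPT [4:896]
:INPUT ACCEPT [4:896]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
"""


def rule_to_restore_line(command):
    """Turn 'iptables [-t TABLE] -A CHAIN ...' into (table, line) in iptables-save syntax:
    drop the leading 'iptables' and the '-t TABLE' option, which iptables-restore rejects."""
    argv = shlex.split(command)
    if argv and argv[0] in ("iptables", "ip6tables"):
        argv = argv[1:]
    table, rest, i = "filter", [], 0          # iptables defaults to the filter table
    while i < len(argv):
        if argv[i] in ("-t", "--table"):
            table, i = argv[i + 1], i + 2     # table comes from the '*TABLE' header instead
        else:
            rest.append(argv[i])
            i += 1
    return table, " ".join(rest)


def insert_rule(dump, command):
    """Place the rule in its '*TABLE' section, after the ':CHAIN POLICY' lines and just before
    that COMMIT. No change if the rule is already there; a minimal section is added if missing."""
    table, line = rule_to_restore_line(command)
    out, tables, section, present = [], set(), None, False
    for text in dump.splitlines():
        if text.startswith("*"):
            section, present = text[1:], False
            tables.add(section)
        elif section == table and text == line:
            present = True                   # identical rule already in this table
        elif text == "COMMIT" and section == table and not present:
            out.append(line)
        out.append(text)
    if table not in tables:
        out += ["*" + table, line, "COMMIT"]
    return "\n".join(out) + "\n"
```

Write the result to a temporary file and feed it to iptables-restore --test first, which parses the ruleset without applying it, before replacing /etc/iptables/rules.v4.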

kopper
Posts: 139
Joined: 2016-09-30 14:30
Been thanked: 1 time

Re: How to translate iptables rule for iptables-persistent f

#6 Post by kopper »

Since no one has pointed it out so far, you can also make your current iptables rules permanent with dpkg. Modify your rules like you'd normally do with e.g. iptables -t nat -A <whatever_you_need> and then

Code:

dpkg-reconfigure iptables-persistent

You don't even have to know where the rules are stored.
Debian 12 Stable with sway
Secure your stuff: Securing Debian Manual
Don't break your stuff: Source List Management DontBreakDebian

GabrieleMax
Posts: 126
Joined: 2016-09-07 20:24
Location: Senigallia (AN) - Italy
Has thanked: 4 times
Been thanked: 1 time

Re: How to translate iptables rule for iptables-persistent f

#7 Post by GabrieleMax »

steve_v wrote:Whatever floats your boat. I'd use scripts if I needed to swap rulesets regularly.
I understood the best way to load a different ruleset is to use a file and to load it at boot, because I think it could be dangerous to load everything like a default rule. I know it's faster to load the whole ruleset at the same time, but if I'd like to modify something it could be easier to do it in an "external file".

Now I'd like to understand which runlevel I should use to load a file with ruleset and where it could be the best place to store it!

GabrieleMax
Posts: 126
Joined: 2016-09-07 20:24
Location: Senigallia (AN) - Italy
Has thanked: 4 times
Been thanked: 1 time

Re: How to translate iptables rule for iptables-persistent f

#8 Post by GabrieleMax »

p.H wrote:You can insert the rule in the relevant table section, between the chain policy specification and the commit :

Code:

*nat
:PREROUTING ACCEPT [4:896]
:INPUT ACCEPT [4:896]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o enp0s9 -j MASQUERADE
COMMIT

You must strip "iptables -t <table>".
Thank you very much for your reply but... tell me... do you think it's the best way to store everything like a default rule, or is it "easier" to manage the ruleset in a different file and to load it at boot? I know using an external file is slower than loading everything like a default rule, but at the same time this way is less "dangerous"...

GabrieleMax
Posts: 126
Joined: 2016-09-07 20:24
Location: Senigallia (AN) - Italy
Has thanked: 4 times
Been thanked: 1 time

Re: How to translate iptables rule for iptables-persistent f

#9 Post by GabrieleMax »

kopper wrote:Since no one has pointed it out so far, you can also make your current iptables rules permanent with dpkg. Modify your rules like you'd normally do with e.g. iptables -t nat -A <whatever_you_need> and then

Code:

dpkg-reconfigure iptables-persistent

You don't even have to know where the rules are stored.
I didn't know it! Thanks for writing it! :)

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: How to translate iptables rule for iptables-persistent f

#10 Post by p.H »

GabrieleMax wrote:do you think it's the best way to store everything like a default rule or it's more "easy" to manage ruleset in a different file and to load it at boot? I know to use a external file is less fast than to load everything like a default rule but at same time this way is less "dangerous"...
I do not understand what you mean by "store/load everything like a default rule". There is no iptables default rule. The default iptables ruleset is empty.
GabrieleMax wrote:Now I'd like to understand which runlevel I should use to load a file with ruleset and where it could be the best place to store it!
Systemd does not have runlevels. IMO the ruleset must be applied before configuring the network.

GabrieleMax
Posts: 126
Joined: 2016-09-07 20:24
Location: Senigallia (AN) - Italy
Has thanked: 4 times
Been thanked: 1 time

Re: How to translate iptables rule for iptables-persistent f

#11 Post by GabrieleMax »

p.H wrote:I do not understand what you mean by "store/load everything like a default rule". There is no iptables default rule. The default iptables ruleset is empty.
In my mind an empty table is also a default iptables ruleset, like this:

Code:

root@Server01:/home/gabriele# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

p.H wrote: Systemd does not have runlevels. IMO the ruleset must be applied before configuring the network.
Ok I understood it but... if you'd like to change iptables ruleset by an external file where could you put it and could you run it like a *.sh and chmod +x?

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: How to translate iptables rule for iptables-persistent f

#12 Post by p.H »

GabrieleMax wrote:In my mind also a empty table is a default iptables ruleset like this
So I repeat my question: what do you mean by "store/load everything like a default rule"?
If a default ruleset is an empty ruleset, it does not make sense to store/load it.
GabrieleMax wrote:if you'd like to change iptables ruleset by an external file where could you put it and could you run it like a *.sh and chmod +x?
Anywhere you like.
