In my OpenWRT instance, I have added iptables rules in the Input filter table, but the problem is that when I turn on my system I find that the rules have been deleted. What can I do so that the rules are not deleted automatically?
2 Answers
OpenWRT
There are a few ways to edit iptables in OpenWRT.
Direct use of iptables
OpenWRT will run the contents of /etc/firewall.user at startup. It is a shell script, so it'll look something like this:
root@OpenWrt:/etc# cat firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 22 -j DNAT --to 10.1.1.1:2222
iptables -A FORWARD -p tcp -d 10.1.1.1 --dport 2222 -j ACCEPT
Testing /etc/firewall.user
After editing the /etc/firewall.user file, you will probably want to test it. This is because you may be able to see any errors if you execute the script at startup. To test the script:
- First, remove any rules affected by the script. An iptables -F will work, but may remove rules you don't need to test.
- Next, run bash /etc/firewall.user. You want to see if there are any errors in the script. If you get any messages back, you probably have a typo.
- Next, run iptables -L and ensure the rules you wanted to be added were added correctly.
- Finally, restart the device. At this point you should expect the rules to be added just as they were last time.
iptables-save and iptables-restore
OpenWRT (along with other distros) has an iptables-save command. By running iptables-save > myrules, you will have a file that contains all that is necessary to restore your iptables rules. iptables-restore < myrules will read a file of iptables rules and apply them.
So you would need to create a myrules file, and then run iptables-restore < myrules on bootup. You can execute it on bootup by editing the /etc/rc.local file.
More information on iptables-save and iptables-restore can be found here.
Use OpenWRT's Firewall Configuration Syntax
The /etc/config/firewall file can be edited as well. The Firewall "provides a configuration interface that abstracts from the iptables system to provide a simplified configuration model that is fit for most regular purposes while enabling the user to supply needed iptables rules on his own when needed."
More information can be found here.
Other Distros
Debian or Ubuntu
If you are running Debian or Ubuntu, you can try the iptables-persistent package.
sudo apt-get install iptables-persistent
The above will install the service. It will then save your rules to /etc/iptables/rules.v4 and /etc/iptables/rules.v6.
You can get more info for Ubuntu 12.04 here, and for Ubuntu 14.04 here.
CentOS
If you are running CentOS, you can save the rules by running:
/sbin/service iptables save
which will save the contents of iptables to /etc/sysconfig/iptables. The previous content of /etc/sysconfig/iptables will be saved to /etc/sysconfig/iptables.save.
You can get more info here.
- Thanks amccormack, I did like you said, but when I reboot I find that the rules are deleted. And I changed eth0 to eth0.2. – kaio, Commented Jun 5, 2015 at 22:25
- Did you put your rules in there? I just put some sample rules in there to show where they go. I'll add a note about testing. Commented Jun 5, 2015 at 22:28
- @amccormack I have a project whose application is to add rules to the filter table from the web interface, so I created a script that allows you to add rules to the filter table like this:

    try:
        # remove any existing copy of the rule first, then add it
        os.system("iptables -D INPUT -m mac --mac-source " + mac + " -j DROP")
    except Exception as e:
        print e
    os.system("iptables -A INPUT -m mac --mac-source " + mac + " -j DROP")

  I did not add the rules manually. – kaio, Commented Jun 5, 2015 at 22:39
- As long as you are using os.system, why not use it twice? Also run os.system("echo iptables -D INPUT -m mac --mac-source " + mac + " -j DROP >> /etc/firewall.user"). Also, beware of the blatant command injection risk in your os.system usage; be sure to whitelist good characters. Commented Jun 5, 2015 at 22:42
- I tried adding a rule in /etc/firewall.user, then did a ping from the PC to that MAC, and I can still ping.

    # This file is interpreted as shell script.
    # Put your custom iptables rules here, they will
    # be executed with each firewall (re-)start.
    iptables -A INPUT -m mac --mac-source 18:CF:5E:FE:F8:61 -j DROP

  – kaio, Commented Jun 5, 2015 at 22:51
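As an added example (not code from the thread or from OpenWRT), here is a Python 3 rewrite of the commenter's script that addresses the command-injection risk raised in the comments and also appends the rule to /etc/firewall.user so it survives a reboot. The MAC is validated against a strict pattern before use, iptables is invoked with an argument list instead of a shell string, and the function names (normalize_mac, drop_rule_argv, apply_drop_rule, persist_drop_rule) are mine; shlex.join assumes Python 3.8 or later.

```python
import re
import shlex
import subprocess

# Exactly six hex octets separated by ':' or '-' (same separator throughout);
# anything else, including shell metacharacters, is rejected.
MAC_RE = re.compile(r"([0-9A-Fa-f]{2})([:-])(?:[0-9A-Fa-f]{2}\2){4}[0-9A-Fa-f]{2}")

# OpenWRT runs this script on every firewall (re)start, so rules written here persist.
FIREWALL_USER = "/etc/firewall.user"


def normalize_mac(mac):
    """Return the MAC in lower-case colon form, or raise ValueError.

    Validation happens before the value reaches iptables or any file, so an
    untrusted web-form value cannot smuggle extra words or commands through.
    """
    m = MAC_RE.fullmatch(mac.strip())
    if m is None:
        raise ValueError("not a MAC address: %r" % (mac,))
    return m.group(0).replace("-", ":").lower()


def drop_rule_argv(mac, action="-A"):
    """iptables command as an argv list: no shell is involved, so no injection.

    action is "-A" to append the rule or "-D" to delete it.
    """
    if action not in ("-A", "-D"):
        raise ValueError("action must be -A or -D")
    return ["iptables", action, "INPUT", "-m", "mac",
            "--mac-source", normalize_mac(mac), "-j", "DROP"]


def apply_drop_rule(mac, run=subprocess.call):
    """Delete any existing copy of the rule, then add it, so repeat calls stay idempotent."""
    run(drop_rule_argv(mac, "-D"))
    return run(drop_rule_argv(mac, "-A"))


def drop_rule_line(mac):
    """The same rule as one shell line for firewall.user; shlex.join quotes each argument."""
    return shlex.join(drop_rule_argv(mac, "-A"))


def persist_drop_rule(mac, path=FIREWALL_USER):
    """Append the rule to firewall.user so the firewall re-applies it after a reboot."""
    line = drop_rule_line(mac)
    with open(path, "a") as fh:
        fh.write(line + "\n")
    return line
```

A web handler would call apply_drop_rule(mac) followed by persist_drop_rule(mac); a bad MAC raises ValueError before either touches the system.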
You can write a shell script containing all of your iptables commands, then add a line to /etc/rc.local to run the shell script automatically when the system boots. See http://bash.cyberciti.biz/firewall/linux-iptables-firewall-shell-script-for-standalone-server/ for a good tutorial on how to do this.
ifconfig output? That shouldn't be necessary for this question.