3

In my OpenWRT instance, I have added iptables rules to the INPUT chain of the filter table, but the problem is that when I turn on my system I find that the rules have been deleted. What can I do so that the rules are not deleted automatically?

4
  • 1
    What distro are you using?
    – amccormack
    Commented Jun 5, 2015 at 22:01
  • why did you add your ifconfig output? That shouldn't be necessary for this question.
    – amccormack
    Commented Jun 5, 2015 at 22:36
  • Contact your system administrator and ask them to help you instead of asking the same question twice. If you don't know who is modifying your iptables files we can't really help you. You could also try to use Google.
    – Steve DL
    Commented Jun 5, 2015 at 23:06
  • @amccormack I added the iptables-save and iptables-store packages to the OpenWRT firmware. How can they help me add the rule to the table? Thanks.
    – kaio
    Commented Jun 6, 2015 at 13:51

2 Answers

7

OpenWRT

There are a few ways to edit iptables in OpenWRT.

Direct use of iptables

OpenWRT will run the contents of /etc/firewall.user at startup. It is a shell script, so it'll look something like this:

root@OpenWrt:/etc# cat firewall.user 
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 22 -j DNAT --to 10.1.1.1:2222
iptables -A FORWARD -p tcp -d 10.1.1.1 --dport 2222 -j ACCEPT

Testing /etc/firewall.user

After editing the /etc/firewall.user file, you will probably want to test it. This is because you may not be able to see any errors if the script is only executed at start-up. To test the script:

  • First, remove any rules affected by the script. An iptables -F will work, but may remove rules you don't need to test.
  • Next, run bash /etc/firewall.user. You want to see if there are any errors in the script. If you get any messages back, you probably have a typo.
  • Next, run iptables -L and ensure the rules you wanted to be added were added correctly.
  • Finally, restart the device. At this point you should expect the rules to be added just as they were last time.

iptables-save and iptables-restore

OpenWRT (along with other distros) has an iptables-save command. By running iptables-save > myrules, you will have a file that contains all that is necessary to restore your iptables rules.

iptables-restore < myrules will read a file of iptables rules and apply them.

So you would need to create a myrules file, and then run iptables-restore < myrules on bootup. You can execute on bootup by editing the /etc/rc.local file.

More information on iptables-save and iptables-restore can be found here.

Use OpenWRT's Firewall Configuration Syntax

The /etc/config/firewall file can be edited as well. The Firewall "provides a configuration interface that abstracts from the iptables system to provide a simplified configuration model that is fit for most regular purposes while enabling the user to supply needed iptables rules on his own when needed."

More information can be found here.

Other Distros

Debian or Ubuntu

If you are running Debian or Ubuntu, you can try the iptables-persistent package.

sudo apt-get install iptables-persistent

The above will install the service. It will then save your rules to /etc/iptables/rules.v4 and /etc/iptables/rules.v6.

You can get more info for Ubuntu 12.04 here and for Ubuntu 14.04 here.

CentOS

If you are running CentOS, you can save the rules by running:

/sbin/service iptables save 

which will save the contents of iptables to /etc/sysconfig/iptables. The previous content of /etc/sysconfig/iptables will be saved to /etc/sysconfig/iptables.save.

You can get more info here.

14
  • Thanks amccormack, I did as you said, but when I reboot I find that the rules are deleted. And I changed eth0 to eth0.2.
    – kaio
    Commented Jun 5, 2015 at 22:25
  • did you put your rules in there? I just put some sample rules in there to show where they go. I'll add a note about testing.
    – amccormack
    Commented Jun 5, 2015 at 22:28
  • @amccormack I have a project whose purpose is to add rules to the filter table from a web interface, so I created a script that allows you to add rules to the filter table like this: try:os.system ("iptables -D INPUT -m mac-source --mac" + mac + "j DROP") except Exception as e: print e os.system ("iptables INPUT -m mac-source --mac" + mac + "j DROP"). I did not add the rules manually.
    – kaio
    Commented Jun 5, 2015 at 22:39
  • As long as you are using os.system, why not use it twice. Also run an os.system("echo iptables -D INPUT -m mac-source --mac" + mac + "j DROP") >> /etc/firewall.user. Also, beware of the blatant command injection risk in your os.system usage; be sure to whitelist good characters.
    – amccormack
    Commented Jun 5, 2015 at 22:42
  • I tried adding a rule in /etc/firewall.user, then pinged from the PC to that MAC, and I can still ping. # This file is interpreted as shell script. # Put your custom iptables rules here, they will # be executed with each firewall (re-)start. iptables -A INPUT -m mac --mac-source 18:CF:5E:FE:F8:61 -j DROP
    – kaio
    Commented Jun 5, 2015 at 22:51
0

You can write a shell script containing all of your iptables commands, then add a line to /etc/rc.local to run the shell script automatically when the system boots. See http://bash.cyberciti.biz/firewall/linux-iptables-firewall-shell-script-for-standalone-server/ for a good tutorial on how to do this.
