How do I save my changes to Iptables?



oyvindk
22-02-2005, 18:15
Suppose I add some stuff to iptables by telneting to the router and adding stuff manually. The changes will then work without a reboot, but they will be lost if the router is rebooted for some reason.

How do I prevent this from happening? I've seen some references to "flashfs", but any information I'm able to find always seems to require prior knowledge, and then I'm stuck...

I'm running the latest custom firmware from Oleg, in case it matters.

Oleg
22-02-2005, 18:38
Have you read this page (http://oleg.wl500g.info/) already?

barsju
22-02-2005, 18:57
In short:
1. mkdir -p /usr/local/sbin
2. make a file post-firewall and put all the changes you make there (remember to start the file with #!/bin/sh)
(ex.
echo "#!/bin/sh" > post-firewall
echo "iptables -A INPUT...." >> post-firewall
...)
2.1 Test your script. Ex: ./post-firewall
3. flashfs save
4. flashfs commit
5. flashfs enable
6. reboot

7. Every time you wish to edit the post-firewall script you have to repeat steps 2-4 and 6.

Sjur

oyvindk
22-02-2005, 19:06
Thanks, both of you.

Oleg, I had seen that page before, but I'd forgotten all about it. :o

Sjur, you forgot to set the script to executable (+x) in your "recipe", but you did manage to avoid using vi.... :-)

I think I've gotten the gist of it now. I'll test it later...

barsju
22-02-2005, 19:21
Oh, yeah. chmod +x. Good.

And yes, vi is kinda picky on who its friends are ;)
Maybe I should ask if anyone has compiled another text editor like pico or something...

Sjur

oyvindk
23-02-2005, 12:54
It worked as advertised, and my iptables for the FORWARD chain now reads:


Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:6112
DROP all -- 192.168.12.105 anywhere TIME from 22:30:00 to 23:59:59 on Sun,Mon,Tue,Wed,Thu,Fri,Sat
DROP all -- 192.168.12.105 anywhere TIME from 00:00:00 to 07:00:00 on Sun,Mon,Tue,Wed,Thu,Fri,Sat
DROP all -- anywhere 192.168.12.105 TIME from 22:30:00 to 23:59:59 on Sun,Mon,Tue,Wed,Thu,Fri,Sat
DROP all -- anywhere 192.168.12.105 TIME from 00:00:00 to 07:00:00 on Sun,Mon,Tue,Wed,Thu,Fri,Sat

My son's computer is connected by wireless, and I've made a manual assignment forcing his MAC address to always be given the 192.168.12.105 IP address by the router. It seems to me I should now have prevented any packets being forwarded between the LAN and the WAN from 22:30 in the evening to 07:00 in the morning. I've used two rules for each direction to get past midnight, but maybe I could have used one rule that said to accept packets from 07:00 to 22:30 instead?

I've just used -A to add these four rules in the post-firewall script.

Oh, and one more thing: What is the purpose of the rule that says to accept udp packets to port 6112? This one is added by the router itself, and I don't know the purpose.
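The recipe from barsju's post and the four time rules in the listing above, as one added example of a /usr/local/sbin/post-firewall script (constructed here, not a file from this thread or from Oleg's firmware). It assumes the host address 192.168.12.105 from the listing and the old ipt_time option names --timestart, --timestop and --days (modern xt_time spells the day list --weekdays), and it splits any window that crosses midnight into two rules, which is why the listing needs two DROP lines per direction.

```shell
#!/bin/sh
# post-firewall: re-applied by the firmware after its own rules, so -A appends
# after the stock ACCEPT lines. Constructed example; the address and the
# ipt_time option names are assumptions, not values taken from the firmware.
KID=192.168.12.105
DAYS=Sun,Mon,Tue,Wed,Thu,Fri,Sat
IPT=${IPT:-iptables}   # IPT=echo ./post-firewall prints the rules (the step 2.1 test)

# Emit DROP rules for one direction and one clock window.
# $1: -s (traffic from the host) or -d (traffic to the host)
# $2: start HH:MM   $3: stop HH:MM
# ipt_time cannot match across midnight, so a window whose stop is earlier
# than its start is split into HH:MM-23:59 and 00:00-HH:MM (two rules).
curfew_rules() {
    # Compare as the numbers HHMM; positional parameters are local per call.
    if [ "${2%:*}${2#*:}" -gt "${3%:*}${3#*:}" ]; then
        curfew_rules "$1" "$2" 23:59
        curfew_rules "$1" 00:00 "$3"
        return
    fi
    echo "$IPT -A FORWARD $1 $KID -m time --timestart $2 --timestop $3 --days $DAYS -j DROP"
}

# Number of rules a window expands to; handy for checking the midnight split.
count_rules() {
    curfew_rules "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Block forwarding in both directions from 22:30 to 07:00 by running each
# emitted line as a command.
apply_curfew() {
    { curfew_rules -s 22:30 07:00; curfew_rules -d 22:30 07:00; } | sh
}

# Apply only when the firmware runs this file as post-firewall, not when the
# functions are sourced for a dry run or a test.
case ${0##*/} in post-firewall) apply_curfew ;; esac
```

After a reboot, check with `iptables -L FORWARD -v -n` that the DROP counters grow during the window: `-L` without `-v` hides interface matches, so a plain "ACCEPT all -- anywhere anywhere" line above the appended rules may or may not shadow them, and only the counters tell you.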

Oleg
23-02-2005, 13:26
Oh, and one more thing: What is the purpose of the rule that says to accept udp packets to port 6112? This one is added by the router itself, and I don't know the purpose.
Starcraft, just disable it.