How do I save my changes to Iptables?

[oyvindk]

Suppose I add some stuff to iptables by telneting to the router and adding stuff manually. The changes will then work without a reboot, but they will be lost if the router is rebooted for some reason.

How do I prevent this from happening? I've seen some references to "flashfs", but any information I'm able to find always seems to require prior knowledge, and then I'm stuck...

I'm running the latest custom firmware from Oleg, in case it matters.

[Oleg]

Have you read this page already?

[barsju]

In short:
1. mkdir -p /usr/local/sbin
2. make file post-firewall and put all the changes you make there (remember to start file with #!/bin/sh)
(ex.
echo "#!/bin/sh" > post-firewall
echo "iptables -a INPUT...." >> post-firewall
...)
2.1 Test your script Ex: ./post-firewall
3. flashfs save
4. flashfs commit
5. flashfs enable
6. reboot

7. Everytime you wish to edit the post-firewall script you have to repeat steps 2-4 and 6.

Sjur

[oyvindk]

Thanks, both of you.

Oleg, I had seen that page before, but I'd forgotten all about it.

Sjur, you forgot to set the script to executable (+x) in you "recipe", but you did manage to avoid using vi.... :-)

I think I've gotten the gist of it now. I'll test it later...

[barsju]

Oh, yeah. chmod +x. Good.

And yes, vi is kinda picky on who its friends are
Maybe I should aks if anyone has compiled another texteditor like pico or something...

Sjur

[oyvindk]

It worked as advertised, and my iptables for the FORWARD chain now reads:

Code:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere           state INVALID
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere           udp dpt:6112
DROP       all  --  192.168.12.105       anywhere            TIME from 22:30:00 to 23:59:59 on Sun,Mon,Tue,Wed,Thu,Fri,Sat
DROP       all  --  192.168.12.105       anywhere            TIME from 00:00:00 to 07:00:00 on Sun,Mon,Tue,Wed,Thu,Fri,Sat
DROP       all  --  anywhere             192.168.12.105      TIME from 22:30:00 to 23:59:59 on Sun,Mon,Tue,Wed,Thu,Fri,Sat
DROP       all  --  anywhere             192.168.12.105      TIME from 00:00:00 to 07:00:00 on Sun,Mon,Tue,Wed,Thu,Fri,Sat

My sons computer is connected by wireless, and I've made a manual assignment forcing his MAC address to always be given the 192.168.12.105 IP address by the router. It seems to me I should now have prevented any packets being forwarded between the LAN and the WAN from 22:30 in the evening to 07:00 in the morning. I've used two rules for each direction to get past midnight, but maybe I could have used one rule that said to accept packets from 07:00 to 22:30 instead?

I've just used -A to add these four rules in the post-firewall script.

Oh, and one more thing: What is the purpose of the rule that says to accept udp packets to port 6112? This one is added by the router itself, and I don't know the purpose.

[Oleg]

Oh, and one more thing: What is the purpose of the rule that says to accept udp packets to port 6112? This one is added by the router itself, and I don't know the purpose.

Starcraft, just disable it.