[ubuntu] iptables-save questions



sdowney717
January 10th, 2013, 11:13 PM
scott@scott-P5QC:/$ sudo iptables-save > /etc/iptables.up.rules
bash: /etc/iptables.up.rules: Permission denied
scott@scott-P5QC:/$


Looking into this, I found /etc/iptables.up.rules has the same file format as is generated by the iptables-save command.
But I have no permission to do this.
Also if that file is missing, you get no network on a boot.
So how does the file /etc/iptables.up.rules get updated by the system? Does network manager do that?

Some people do want to do this, for various reasons.
http://serverfault.com/questions/314361/how-to-undo-iptables-save?rq=1

I have been playing with the firewall since having some issues.
File is owned by root, so I could copy it as root.

Doug S
January 11th, 2013, 07:42 AM
This command

sudo iptables-save > /etc/iptables.up.rules

does not work because the redirection would not have the required elevated permissions. Please verify what I am saying for yourself, by running a test example in some temporary spot. Example:
doug@doug-64:~/temp1$ sudo iptables-save > iptables.up.rules
doug@doug-64:~/temp1$ ls -l iptables*
-rw-rw-r-- 1 doug doug 4968 Jan 10 22:19 iptables.up.rules

However, you can do it this way:
doug@doug-64:~/temp1$ sudo iptables-save | sudo tee iptables.up.rules
# Generated by iptables-save v1.4.12 on Thu Jan 10 22:28:46 2013
*nat
... lots of stuff spewed to screen deleted ...
COMMIT
# Completed on Thu Jan 10 22:28:46 2013
doug@doug-64:~/temp1$ ls -l ipt*
-rw-r--r-- 1 root root 4968 Jan 10 22:28 iptables.up.rules

By the way, and referring to the other thread (http://ubuntuforums.org/showthread.php?t=2103505) we were on earlier today, when I said firestarter leaves stuff behind when you don't use it anymore, this is such a file.

> Also if that file is missing, you get no network on a boot.

In general, that is not true.

> So how does the file /etc/iptables.up.rules get updated by the system? Does network manager do that?

I know that firestarter uses that file name and location. I do not know if other utilities also use it. I do not use any of those things, firestarter, gufw, ufw, network manager ...

> File is owned by root, so I could copy it as root.

Yes. You could save the new file that you want using your original command, but re-directing to some temporary spot, followed by copying it with sudo.
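Doug's tee form works because tee, running under sudo, is the process that opens the destination; the user's shell never has to. The following POSIX shell script is an added example, not code from this thread or from any Ubuntu package, and assumes an Ubuntu box with GNU coreutils (stat -c, install) and sudo. It packages the same idea: dump the ruleset (the live one when run as root, otherwise a constructed sample) to a temp file, check that it is a complete iptables-save ruleset before touching /etc, install it with sudo, and then check that the installed file is root-owned and not writable by anyone else, since a file that a root-run boot hook feeds to iptables-restore must not be editable by ordinary users. The function names save_rules, rules_look_valid and rules_file_is_trusted are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. "sudo iptables-save > FILE" fails
# because the user's shell opens FILE (with the user's permissions) before
# sudo ever runs. The forms that work open the file on the privileged side:
#     sudo iptables-save | sudo tee /etc/iptables.up.rules >/dev/null
#     sudo sh -c 'iptables-save > /etc/iptables.up.rules'
# The helpers below (names are my own) wrap the same idea with a syntax check
# before installing and an ownership/permission check afterwards.

set -u

# Emit a ruleset in iptables-save format. Uses the real iptables-save when
# running as root and it is installed; otherwise prints a constructed sample
# so the rest of the script can be exercised on a machine without iptables.
dump_rules() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables-save >/dev/null 2>&1; then
        iptables-save
        return $?
    fi
    printf '%s\n' \
        '# Generated by iptables-save (constructed sample, not live rules)' \
        '*filter' \
        ':INPUT ACCEPT [0:0]' \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        'COMMIT'
}

# Structural check of a saved ruleset: at least one table header ("*filter",
# "*nat", ...) and one COMMIT per table. When root and iptables-restore is
# present, also let it parse the file without applying it (--test).
rules_look_valid() {
    f=$1
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT$' "$f" || true)
    [ "$tables" -ge 1 ] || return 1
    [ "$tables" -eq "$commits" ] || return 1
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$f" || return 1
    fi
    return 0
}

# Save the ruleset to DEST. Everything except the final install step runs
# unprivileged. PRIV is the elevation prefix (default "sudo"; pass "" when
# already root or when writing somewhere you own).
save_rules() {
    dest=$1
    priv=${2-sudo}
    tmp=$(mktemp) || return 1
    if ! dump_rules > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    if ! rules_look_valid "$tmp"; then
        echo "refusing to install $dest: $tmp is not a complete ruleset" >&2
        rm -f "$tmp"; return 1
    fi
    # install(1) copies the file and sets its mode in one step; run under
    # sudo the result is root-owned, which is what a boot-time loader expects.
    $priv install -m 0644 "$tmp" "$dest" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
}

# A rules file fed to iptables-restore by a root-run boot hook must be owned
# by the expected uid (root by default), must not be a symlink, and must not
# be writable by group or others, or any local user could inject rules.
rules_file_is_trusted() {
    f=$1
    owner_uid=${2-0}
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    uid=$(stat -c '%u' "$f") || return 1
    mode=$(stat -c '%a' "$f") || return 1
    [ "$uid" -eq "$owner_uid" ] || return 1
    go=${mode#"${mode%??}"}                  # last two octal digits: group, other
    case $go in *[2367]*) return 1 ;; esac   # 2/3/6/7 carry the write bit
    return 0
}
```

On a real system you would call `save_rules /etc/iptables.up.rules` and then `rules_file_is_trusted /etc/iptables.up.rules`; the second check is worth running on any rules file you inherit from a tool such as firestarter, since whatever loads it at boot does so as root.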

sdowney717
January 11th, 2013, 01:13 PM
I found that the iptables.up.rules file was what was loading on boots.
And what was in there was loading into iptables.
I had to undo a masquerade command to eliminate the lines from iptables so that I get a plain-jane, everything-allowed iptables at boot.

And seriously, if that file is missing, then when the system boots, I get a message on the purple Ubuntu boot screen (dots underneath) that says "waiting for network configuration", then after a while "waiting 60 more seconds".

like these folks here
http://ubuntuforums.org/showthread.php?t=1859799

then it eventually boots to the desktop with no networking at all.


I found an interesting mention on iptables line numbers that you can delete rules by numbers.
http://rackerhacker.com/2007/02/09/delete-single-iptables-rules/

sdowney717
January 11th, 2013, 01:15 PM
I also found out using Ubuntu as a router is not a great idea.
If your computer bogs down, your client PCs can stop getting network access. Or your PC turns off.
I tried it for a while to see if it could save me buying a gigabit switch and I found I need a hardware gigabit switch.

That also eliminates iptables forwarding issues completely as each pc is responsible only for itself in the network.

sdowney717
January 11th, 2013, 02:09 PM
here is mention of saving iptables to /etc/iptables.up.rules

https://apps.education.ucsb.edu/wiki/Set_up_Ubuntu_firewall

It is mentioned to do this file to load rules on a boot.
/etc/network/if-pre-up.d/iptables

but I don't have this file and the rules load on boots anyway.

So how do you think it is loading the rules on a boot?

Doug S
January 11th, 2013, 08:55 PM
> here is mention of saving iptables to /etc/iptables.up.rules
> https://apps.education.ucsb.edu/wiki/Set_up_Ubuntu_firewall
> It is mentioned to do this file to load rules on a boot.
> /etc/network/if-pre-up.d/iptables
> but I don't have this file and the rules load on boots anyway.
> So how do you think it is loading the rules on a boot?

That is just one way of doing it, but there are countless other ways to do it. You will have to search around your computer to find it. Some do it via the rc.local file, some (including me) via the /etc/network/interfaces file...

If I did not know what was actually loading the file during boot, but I knew the file name, I might try this command:
doug@doug-64:/etc$ sudo find . -type f -name "*" -exec grep -i -H 'doug_firewall' {} \;
[sudo] password for doug:
./network/interfaces:pre-up /home/doug/init/doug_firewall

Where in my case the file name is doug_firewall, and you can see that the related file is /etc/network/interfaces.


> And seriously, if that file is missing, then when the system boots, I get a message on the purple Ubuntu boot screen (dots underneath) that says "waiting for network configuration", then after a while "waiting 60 more seconds".
> like these folks here
> http://ubuntuforums.org/showthread.php?t=1859799

I looked through the link you gave, 51 posts, but I could not find any reference to "iptables.up.rules", so I don't understand the reference. I say again, in general, not doing anything with iptables during boot will not affect the network coming up. In your case it does, O.K., but I have no clue why.

> I also found out using Ubuntu as a router is not a great idea.
> If your computer bogs down, your client PCs can stop getting network access. Or your PC turns off.

It works fine for me. However, I only use Ubuntu server edition, no GUI stuff.
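Doug's find/grep over /etc is the general technique for answering "what loads this file at boot?". As an added example, not code from this thread or from any Ubuntu package, the following POSIX shell script turns it into two reusable functions. It assumes the Ubuntu-era /etc layout the thread describes (ifupdown's /etc/network/interfaces and if-pre-up.d, /etc/rc.local, upstart jobs in /etc/init) and also looks in two other known homes for firewall loaders, systemd units and /etc/iptables (used by the iptables-persistent package), neither of which the thread mentions. The ETC parameter lets it run against a constructed tree instead of the real /etc; the function names find_rules_loader and list_pre_up_hooks are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: find what loads a saved ruleset at
# boot when /etc/network/if-pre-up.d/iptables is absent. Assumes an Ubuntu-era
# /etc layout (ifupdown, rc.local, upstart /etc/init) plus two other known
# homes for firewall loaders: systemd units and /etc/iptables (iptables-persistent).
# ETC lets the search run against a copy of /etc or a constructed test tree.

set -u

# Print "file:line:text" for every reference to NAME under ETC, checking the
# places a boot-time loader is usually wired in. Run under sudo on a real
# system, since some of these are root-readable only (errors are silenced).
find_rules_loader() {
    name=$1
    etc=${2-/etc}
    found=0
    for p in "$etc/network/interfaces" "$etc/network/interfaces.d" \
             "$etc/network/if-pre-up.d" "$etc/network/if-up.d" \
             "$etc/rc.local" "$etc/init.d" "$etc/init" \
             "$etc/systemd/system" "$etc/iptables" "$etc/ufw" "$etc/firestarter"; do
        [ -e "$p" ] || continue
        if grep -r -n -F -H -- "$name" "$p" 2>/dev/null; then
            found=1
        fi
    done
    [ "$found" -eq 1 ]
}

# ifup runs every executable in if-pre-up.d (via run-parts) for each interface
# it brings up; list them so a hook with an unexpected name is not missed.
list_pre_up_hooks() {
    d=${1-/etc}/network/if-pre-up.d
    [ -d "$d" ] || return 1
    for h in "$d"/*; do
        if [ -f "$h" ] && [ -x "$h" ]; then
            printf '%s\n' "$h"
        fi
    done
    return 0
}
```

Typical use on the box in question is `sudo sh -c '. ./findloader.sh; find_rules_loader iptables.up.rules; list_pre_up_hooks'`; a hit in /etc/network/interfaces (a pre-up line, as in Doug's setup) or an executable in if-pre-up.d is the usual answer, and a hit under /etc/firestarter points at the leftover from that tool.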