
I've just read about iptables-persistent and I'm completely lost w.r.t. the design. I'm not the only one who didn't understand how it works, but actually it seems to be way beyond my imagination.

I imagined something like crontab -e: You edit a set of rules and they get persisted and applied when the editor gets closed. They get stored somewhere and I as a user have no idea where. Don't tell me; it's perfect this way.

Is there such a tool? Why does iptables-persistent work in this hard to follow way?

maaartinus

  • There's nothing hard about iptables-persistent:
    1. sudo apt-get install iptables-persistent
    2. sudo iptables-save | sudo tee -a /etc/iptables/rules.v4

    That's all.

    – user84207 Jul 21 '23 at 00:24

3 Answers


In general, you can edit the active iptables rules for IPv4 with a text editor by using the iptables-save command to write the rules to a file and then using the iptables-restore command to reload the new rules after you're done, e.g.:

user@host:~$ iptables-save > rules.v4
user@host:~$ vim rules.v4
user@host:~$ iptables-restore rules.v4

For IPv6 you would use the analogous commands ip6tables-save and ip6tables-restore, i.e.:

user@host:~$ ip6tables-save > rules.v6
user@host:~$ vim rules.v6
user@host:~$ ip6tables-restore rules.v6

The iptables-persistent service checks in the following locations:

/etc/iptables/rules.v4
/etc/iptables/rules.v6

So to apply your rules and have them persist you would follow the same steps as above, but edit the iptables-persistent files instead, e.g.:

user@host:~$ iptables-save > /etc/iptables/rules.v4
user@host:~$ vim /etc/iptables/rules.v4
user@host:~$ iptables-restore /etc/iptables/rules.v4

I don't know of an interactive command for editing iptables rules like what you're describing, but it should be pretty easy to roll your own. Here is a simple example:

#!/usr/bin/env bash

# iptables-e.sh - run as root (iptables-restore and /etc/iptables require it)

# Create a temporary file to store the new rules and remove it on exit
TEMPFILE=$(mktemp)
trap 'rm -f "${TEMPFILE}"' EXIT

# Save the current rules to the temporary file
iptables-save > "${TEMPFILE}"

# Edit the rules interactively with a text editor (fall back to vi if $EDITOR is unset)
"${EDITOR:-vi}" "${TEMPFILE}"

# Try to load the rules and update the persistent rules only if no errors occur
iptables-restore "${TEMPFILE}" && cat "${TEMPFILE}" > /etc/iptables/rules.v4

This actually isn't too much different from how crontab -e works, which just automatically saves the active crontab to a file in the /var/spool/cron/crontabs directory, which is what causes the crontab to be persistent. See the following post for further discussion of this subject:

You might also be interested in the following script:

I can't vouch for it though. I've never used it. It's just the only thing I found by searching for interactive iptables editing.

igal
  • You basically say DIY, but yes, it's easy how you described it. Any idea why IP4 and IP6 need an own file each? Would it make sense to combine them? – maaartinus Dec 09 '17 at 12:40
  • @maaartinus No, you can't combine them. They're different - similar, but different. – igal Dec 09 '17 at 13:31
  • @maaartinus Depending on your firewall rules you might be able to use the same file for both, but this wouldn't be true in general. – igal Dec 09 '17 at 13:50
  • @maaartinus There's also a good chance that you can just disable IPv4 and be fine. IPv4 still represents the overwhelming majority of Internet traffic. – igal Dec 09 '17 at 14:11
  • Your last sentence contradicts itself. You mean to disable IPv6, right? – maaartinus Dec 09 '17 at 16:03
  • @maaartinus Whoops! That's right. You can probably disable IPv6 and just use IPv4. – igal Dec 09 '17 at 16:08
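A fuller version of the wrapper idea from this answer, added here as an example (it is not igal's script and not part of iptables-persistent): it handles either address family, which keeps the separate rules.v4 and rules.v6 files discussed in the comments, checks the edited file before touching the live ruleset, and persists only what the kernel accepted. It assumes bash, GNU coreutils (for install), an iptables-restore that supports --test, and root for the apply step; check_rules_file is a constructed structural check, not something iptables provides.

```shell
#!/usr/bin/env bash
# iptables-edit.sh (added example, not the script from the answer above).
# Edits the live ruleset of one address family, refuses to apply a file
# that is structurally broken or rejected by the kernel, and only then
# persists it where iptables-persistent looks.
# Assumes: bash, GNU coreutils (install) and an iptables-restore that
# supports --test; must run as root to actually apply anything.
set -u

# Structural sanity check that needs neither root nor the iptables binary:
# every '*table' block must end with COMMIT and no rule may sit outside one.
# Returns 0 when the file is well formed, 1 otherwise.
check_rules_file() {
  awk '
    /^#/ || /^[[:space:]]*$/ { next }            # comments and blank lines
    /^\*/      { if (intable) bad = 1; intable = 1; next }
    /^COMMIT$/ { if (!intable) bad = 1; intable = 0; next }
    !intable   { bad = 1 }                       # rule outside any table
    END { exit (bad || intable) ? 1 : 0 }
  ' "$1"
}

# apply_rules RESTORE-CMD FILE TARGET: validate FILE, load it, then persist it.
apply_rules() {
  check_rules_file "$2" || { echo "unbalanced *table/COMMIT, not applying" >&2; return 1; }
  "$1" --test < "$2"    || { echo "ruleset rejected by iptables-restore --test, not applying" >&2; return 1; }
  "$1" < "$2" && install -m 0600 "$2" "$3"     # live ruleset first, then persist
}

# edit_family 4|6: save, edit in $EDITOR, validate, apply and persist.
edit_family() {
  local save restore target tmp rc
  case "$1" in
    4) save=iptables-save;  restore=iptables-restore;  target=/etc/iptables/rules.v4 ;;
    6) save=ip6tables-save; restore=ip6tables-restore; target=/etc/iptables/rules.v6 ;;
    *) echo "usage: edit_family 4|6" >&2; return 2 ;;
  esac
  tmp=$(mktemp) || return 1
  "$save" > "$tmp" && "${EDITOR:-vi}" "$tmp" && apply_rules "$restore" "$tmp" "$target"
  rc=$?
  rm -f "$tmp"                                 # never leave a copy of the ruleset in /tmp
  return "$rc"
}

# Run as root, e.g.: sudo ./iptables-edit.sh 4   (or 6 for ip6tables)
if [ "${1:-}" = 4 ] || [ "${1:-}" = 6 ]; then edit_family "$1"; fi
```

If the edited file fails either check, the live rules and the persisted file are left untouched, so a typo cannot lock you out or be replayed at the next boot.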

Why don't you just make a script like this:

#!/bin/bash
...
${YOUR_IPTABLES_RULES}
...

And then just launch the script every time you reboot your machine:

# vim /etc/crontab
@reboot         root         /bin/bash /root/bin/myiptablesrules.sh

This way you would have persistent rules, too :)

manifestor

  • +1 For @reboot which I wasn't aware of. OTOH this may get too late and leave some vulnerability window open - I can't tell. I guess it'd be fine for my use case. – maaartinus Dec 09 '17 at 16:07

Have you tried using the iptables-save command?

iptables-save > /path/to/file
ip6tables-save > /path/to/file
iptables-restore < /path/to/file
ip6tables-restore < /path/to/file

You could just save to file manually and add the restore command to run at boot or login. The resulting files are easily human readable and contain the equivalent iptables commands for each entry. You could also edit the resulting files before reloading them. At least that's what I do. Not sure if this is the best method but it definitely works.

TheNH813