8

Ubuntu 12.04 LTS - iptables v1.4.12

TLDR:

Where are iptables's rulesets saved when invoking iptables-save <ruleset-name> ?

Explanation:

According to this answer basic way of saving iptables's rules is invoking 

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

and afterwards loading/restoring these rules in /etc/network/interfaces like:

iface eth0 inet static
        ....
        pre-up iptables-restore < /etc/iptables/rules.v4
        pre-up ip6tables-restore < /etc/iptables/rules.v6

... or putting these into a shell script in /etc/network/if-pre-up.d.

This can be simplified by installing the iptables-persistent package.

sudo apt-get install iptables-persistent
inovoke-rc.d iptables-persistent save
update-rc.d iptables-persistent defaults

Following some tutorials i tried to invoke service iptables status ( a non-existant/unknown command for the iptables version/package that comes pre-installed with 12.04 ) and found this interesting output:

Aborting iptables initd: unknown command(s): "status".                                                               
  ...                                                                                  
  save <ruleset>                                                                                                    
     save the current ruleset                                                                                       
  load <ruleset>                                                                                                    
     load a ruleset                                                                                                 
   ...                                                                                                   
Saved rulesets:                                                                                                     
  active, inactive                                                                                 
...

There seem to be two rulesets i can load (active and inactive) ...

.. but where are these stored?

I can't find their location as active/inactive are pretty bad search terms and dpkg-query -L iptables doesn't help either.

As i'm provisioning my servers with puppet/chef it would be nice to know wether there is some place i can put my rulesets and add a simple shell script to /etc/networking/if-pre-up to load these.

Then i could ommit the iptables-persistent package which ain't that flexible as it doesn't allow loading different rulesets.

Thanks for your help.

Community
  • 1
Nicolai Fröhlich
  • 415

1 Answers1

5

iptables stores the rules in memory but the ruleset created by iptables-save ruleset-name can be found in the file

/var/lib/iptables/ruleset-name

These can be restored by invoking iptables-restore <ruleset-name>.

I can only confirm this for Ubuntu 12.04.03 LTS - maybe this location has changed in later versions of the iptables-package.

I think something like /etc/iptables/rulesets.d would have been a more logical place to store these.

The save-path is configured in /etc/init.d/iptables at line 27 and afterwards used by initd_save() which invokes initd_counters().

libdir=/var/lib/iptables   

# ...

initd_counters () {                                                                                         
 if test "${enable_save_counters:-false}" = true; then                                                     
    echo -n " with counters"                                                                                
    $iptables_save -c > "$ruleset"                                                                          
  else                                                                                                      
    $iptables_save | sed '/^:/s@\[[0-9]\{1,\}:[0-9]\{1,\}\]@[0:0]@g' > "$ruleset"                           
  fi                                                                                                        
}        

initd_save () {                                                                                             
  rm -f $autosave                                                                                           
  ruleset="${libdir}/$@"                                                                                    
  echo -n "Saving iptables ruleset: save \"$@\""                                                            
  initd_counters                                                                                           
  echo "."                                                                                                  
}
Nicolai Fröhlich
  • 415
  • #cat /etc/os-release NAME="Ubuntu" VERSION="12.04.4 LTS, Precise Pangolin" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu precise (12.04.4 LTS)" VERSION_ID="12.04" # iptables-save ruleset.1 Unknown arguments found on commandline

    This does not appear to work

     – Rondo Apr 07 '14 at 21:48
  • same issue here – unc0nnected Mar 29 '17 at 17:53