  1. #1
    Just Joined!
    Join Date
    Apr 2013
    Location
    US
    Posts
    4

    Import the output of iptables -L back into iptables


    Does anyone know an easy way of importing the output of the iptables -L command back into iptables? I was trying to do some automated firewall rules via a bash script and I accidentally blew away all my rules by issuing an iptables -f and then saving them to /etc/sysconfig/iptables

    Fortunately, I was able to go back in my session window and get the rules as I had issued an iptables -L earlier.



    Here is basically the gist of my rules:

    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    acctboth   all  --  anywhere             anywhere            
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    acctboth   all  --  anywhere             anywhere            
    
    Chain acctboth (2 references)
    target     prot opt source               destination         
               tcp  --  10.0.0.69            anywhere            tcp dpt:http 
               tcp  --  anywhere             10.0.0.69           tcp spt:http 
               tcp  --  10.0.0.69            anywhere            tcp dpt:smtp 
               tcp  --  anywhere             10.0.0.69           tcp spt:smtp 
               tcp  --  10.0.0.69            anywhere            tcp dpt:pop3 
               tcp  --  anywhere             10.0.0.69           tcp spt:pop3 
               icmp --  10.0.0.69            anywhere            
               icmp --  anywhere             10.0.0.69           
               tcp  --  10.0.0.69            anywhere            
               tcp  --  anywhere             10.0.0.69           
               udp  --  10.0.0.69            anywhere            
               udp  --  anywhere             10.0.0.69           
               all  --  10.0.0.69            anywhere            
               all  --  anywhere             10.0.0.69           
    #The Mangle portion of the ruleset. Here is where unwanted packet types get dropped.
    #This helps in making port scans against your server a bit more time consuming and difficult, but not impossible.
    *mangle
    :PREROUTING ACCEPT [444:43563]
    :INPUT ACCEPT [444:43563]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [402:144198]
    :POSTROUTING ACCEPT [402:144198]
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    COMMIT
    
    #The FILTER section of the ruleset is where we initially drop all packets and then selectively open certain ports.
    *filter
    :INPUT DROP [1:242]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    
    :icmp_packets - [0:0]
    
    #Inbound
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 26 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
    -A INPUT -p udp -m udp --dport 465 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 873 -j ACCEPT
    -A INPUT -p udp -m udp --dport 873 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
    -A INPUT -p udp -m udp --dport 993 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 783 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 2078 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 2083 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 2087 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 2089 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 2096 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 6666 -j ACCEPT
    -A INPUT -s 127.0.0.1 -j ACCEPT
    -A INPUT -p icmp -j icmp_packets
    
    
    #Outbound
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 21 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 26 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 113 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 465 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 873 -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 873 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 2078 -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 2078 -j ACCEPT
    -A OUTPUT -d 127.0.0.1 -j ACCEPT
    -A OUTPUT -p icmp -j icmp_packets
    
    
    
    #Accept and respond to ICMP requests
    -A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
    -A icmp_packets -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
    COMMIT
     
    # Iptables firewall reset script
    *filter
    :INPUT ACCEPT [164:15203]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [147:63028]
    COMMIT
    
    *mangle
    :PREROUTING ACCEPT [164:15203]
    :INPUT ACCEPT [164:15203]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [147:63028]
    :POSTROUTING ACCEPT [147:63028]
    COMMIT
    
    *nat
    :PREROUTING ACCEPT [14:672]
    :POSTROUTING ACCEPT [9:684]
    :OUTPUT ACCEPT [9:684]
    COMMIT
    Thanks for any help you can provide.

  2. #2
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    hello and welcome!

    i usually use the command iptables-save for this purpose, e.g.:

    Code:
    iptables-save > /etc/sysconfig/iptables.new

  3. #3
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Or, if you are using REDHAT or one of its forks:
    Code:
    service iptables save

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  4. #4
    Just Joined!
    Join Date
    Apr 2013
    Location
    US
    Posts
    4
    Quote Originally Posted by atreyu
    hello and welcome!

    i usually use the command iptables-save for this purpose, e.g.:

    Code:
    iptables-save > /etc/sysconfig/iptables.new
    That's normally what I would do in order to get it exported in a format proper for importing straight in again. Then, I could just do a:

    Code:
    /sbin/iptables-restore < /etc/sysconfig/iptables.new
    But in this case, I don't have the working firewall rules in iptables anymore. All I was able to recover was the output of

    Code:
    iptables -L
    from my session, unfortunately.

  5. #5
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    oh, now i understand (i think): you can't issue an "iptables-save" (or "service iptables save") b/c your current rules are messed up. but in a terminal, you still have the output of "iptables -L" that you can copy-paste, etc., in order to create a new /etc/sysconfig/iptables file - is that right?

  6. #6
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Quote Originally Posted by LuditeITGuy
    Code:
    #The Mangle portion of the ruleset. Here is where unwanted packet types get dropped.
    #This helps in making port scans against your server a bit more time consuming and difficult, but not impossible.
    *mangle
    :PREROUTING ACCEPT [444:43563]
    :INPUT ACCEPT [444:43563]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [402:144198]
    :POSTROUTING ACCEPT [402:144198]
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    COMMIT
    
    #The FILTER section of the ruleset is where we initially drop all packets and then selectively open certain ports.
    *filter
    :INPUT DROP [1:242]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    
    :icmp_packets - [0:0]
    
    #Inbound
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 26 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
    -A INPUT -p udp -m udp --dport 465 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 873 -j ACCEPT
    -A INPUT -p udp -m udp --dport 873 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
    -A INPUT -p udp -m udp --dport 993 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 783 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 2078 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 2083 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 2087 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 2089 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 2096 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 6666 -j ACCEPT
    -A INPUT -s 127.0.0.1 -j ACCEPT
    -A INPUT -p icmp -j icmp_packets
    
    
    #Outbound
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 21 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 26 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 113 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 465 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 873 -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 873 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 2078 -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 2078 -j ACCEPT
    -A OUTPUT -d 127.0.0.1 -j ACCEPT
    -A OUTPUT -p icmp -j icmp_packets
    
    
    
    #Accept and respond to ICMP requests
    -A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
    -A icmp_packets -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
    COMMIT
     
    # Iptables firewall reset script
    *filter
    :INPUT ACCEPT [164:15203]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [147:63028]
    COMMIT
    
    *mangle
    :PREROUTING ACCEPT [164:15203]
    :INPUT ACCEPT [164:15203]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [147:63028]
    :POSTROUTING ACCEPT [147:63028]
    COMMIT
    
    *nat
    :PREROUTING ACCEPT [14:672]
    :POSTROUTING ACCEPT [9:684]
    :OUTPUT ACCEPT [9:684]
    COMMIT
    Thanks for any help you can provide.
    From the above, you should be able to remove all lines that do not start with '-A', then place 'iptables' in front of the '-A', then save the file, make it executable and run it to add these rules to your firewall. After that you would just have to rebuild your chain rules.

    I would suggest making a backup copy of your firewall config in the future.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  7. #7
    Just Joined!
    Join Date
    Apr 2013
    Location
    US
    Posts
    4
    Thanks for the help! I absolutely will be making numerous backups of the rules in different places before I try scripting out iptables again.

    What do you mean exactly when you say rebuild my chain rules?

    Thanks again.

  8. #8
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Code:
    Chain acctboth (2 references)
    target     prot opt source               destination         
               tcp  --  10.0.0.69            anywhere            tcp dpt:http 
               tcp  --  anywhere             10.0.0.69           tcp spt:http 
               tcp  --  10.0.0.69            anywhere            tcp dpt:smtp 
               tcp  --  anywhere             10.0.0.69           tcp spt:smtp 
               tcp  --  10.0.0.69            anywhere            tcp dpt:pop3 
               tcp  --  anywhere             10.0.0.69           tcp spt:pop3 
               icmp --  10.0.0.69            anywhere            
               icmp --  anywhere             10.0.0.69           
               tcp  --  10.0.0.69            anywhere            
               tcp  --  anywhere             10.0.0.69           
               udp  --  10.0.0.69            anywhere            
               udp  --  anywhere             10.0.0.69           
               all  --  10.0.0.69            anywhere            
               all  --  anywhere             10.0.0.69

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
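    The two steps discussed in this thread, turned into a script: Lazydog's recipe from post #6 (keep the '-A' lines and put 'iptables' in front of them) and the chain rebuild from post #8 (recreating acctboth from the 'iptables -L' listing). This is an added example, not code from the thread or from any of its posters; the function names and the two abridged sample dumps are constructed for it. It goes a little beyond the recipe in post #6: it carries the table name along with '-t', so the *mangle rules do not land in the filter table, and it emits 'iptables -N' for user chains (and policies) before any rule references them, which is what makes 'icmp_packets' and 'acctboth' work on a freshly flushed firewall.

```shell
#!/bin/sh
# Added example, not code from the thread. Two helpers that turn what the
# OP has left into a reviewable list of iptables commands (printed, not run):
#   rules_from_save  - Lazydog's recipe from post #6 (keep the "-A" lines and
#                      prefix them with "iptables"), extended so that the
#                      table (*mangle, *filter, *nat) is carried along with
#                      "-t" and user-defined chains (":name - [0:0]") get an
#                      "iptables -N" before anything references them.
#   rules_from_list  - rebuilds chains from "iptables -L" output, as needed
#                      for the acctboth chain in post #8. Chain creation and
#                      policies are emitted first so "-j acctboth" never
#                      points at a chain that does not exist yet.
# Function names and the sample dumps below are constructed for this example.

# Constructed sample in iptables-save format (abridged from the OP's post).
SAVE_DUMP='*filter
:INPUT DROP [1:242]
:icmp_packets - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j icmp_packets
COMMIT
*mangle
:PREROUTING ACCEPT [444:43563]
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
COMMIT'

# Constructed sample in "iptables -L" format (abridged from the OP's post).
LIST_DUMP='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
acctboth   all  --  anywhere             anywhere

Chain acctboth (2 references)
target     prot opt source               destination
           tcp  --  10.0.0.69            anywhere            tcp dpt:http
           tcp  --  anywhere             10.0.0.69           tcp spt:http
           icmp --  10.0.0.69            anywhere
           all  --  anywhere             10.0.0.69'

# $1: text in iptables-save format. Prints one "iptables -t <table> ..." per
# policy, user chain and -A rule; comment and COMMIT lines are dropped.
rules_from_save() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2); next }              # "*mangle" -> current table
        /^:/  { chain = substr($1, 2)                      # ":INPUT DROP [..]" or ":name - [..]"
                if ($2 == "-") print "iptables -t " table " -N " chain
                else           print "iptables -t " table " -P " chain " " $2
                next }
        /^-A/ { print "iptables -t " table " " $0 }
    '
}

# $1: text as printed by "iptables -L". Target, protocol, source, destination
# and dpt:/spt: are recovered; "anywhere" and "all" are omitted because they
# are the defaults. Anything -L does not show (interfaces, match options
# beyond ports) cannot be recovered here.
rules_from_list() {
    printf '%s\n' "$1" | awk '
        /^Chain / {
            chain = $2
            if ($3 == "(policy") pre = pre "iptables -P " chain " " substr($4, 1, length($4) - 1) "\n"
            else                 pre = pre "iptables -N " chain "\n"
            next
        }
        /^target/ || NF == 0 { next }                      # column header / blank line
        {
            # An empty target column shifts every field left by one.
            if ($2 == "--") { target = "";  prot = $1; src = $3; dst = $4; first = 5 }
            else            { target = $1;  prot = $2; src = $4; dst = $5; first = 6 }
            cmd = "iptables -A " chain
            if (prot != "all")     cmd = cmd " -p " prot
            if (src != "anywhere") cmd = cmd " -s " src
            if (dst != "anywhere") cmd = cmd " -d " dst
            for (i = first; i <= NF; i++) {
                if ($i ~ /^dpt:/)      cmd = cmd " --dport " substr($i, 5)
                else if ($i ~ /^spt:/) cmd = cmd " --sport " substr($i, 5)
            }
            if (target != "") cmd = cmd " -j " target
            rules = rules cmd "\n"
        }
        END { printf "%s%s", pre, rules }
    '
}

# Print both command lists for review; pipe to "sh" only after checking them
# against a known-good backup (iptables-save > backup.rules before any change).
rules_from_save "$SAVE_DUMP"
rules_from_list "$LIST_DUMP"
```

    Both functions print rather than apply, so the result can be read through (or diffed against the last good backup) before being piped to sh. The 'iptables -L' path is lossy by nature: without -n the listing resolves names (http, pop3) that iptables will look up again in /etc/services, and without -v it omits interfaces and most match-module options, so a chain rebuilt this way is only as complete as the listing was. Going forward, iptables-save output is the only form that round-trips exactly, which is why the earlier replies point at it.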

  9. #9
    Just Joined!
    Join Date
    Apr 2013
    Location
    US
    Posts
    4
    Thanks, I'll give that a shot.
