Import the output of iptables -L back into iptables

**LuditeITGuy** · 04-30-2013

Does anyone know an easy way of importing the output of the iptables -L command back into iptables? I was trying to do some automated firewall rules via a bash script and I accidentally blew away all my rules by issuing an iptables -f and then saving them to /etc/sysconfig/iptables

Fortunately, I was able to go back in my session window and get the rules as I had issued an iptables -L earlier.

Here is basically the gist of my rules:

Code:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
acctboth   all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
acctboth   all  --  anywhere             anywhere            

Chain acctboth (2 references)
target     prot opt source               destination         
           tcp  --  10.0.0.69            anywhere            tcp dpt:http 
           tcp  --  anywhere             10.0.0.69           tcp spt:http 
           tcp  --  10.0.0.69            anywhere            tcp dpt:smtp 
           tcp  --  anywhere             10.0.0.69           tcp spt:smtp 
           tcp  --  10.0.0.69            anywhere            tcp dpt:pop3 
           tcp  --  anywhere             10.0.0.69           tcp spt:pop3 
           icmp --  10.0.0.69            anywhere            
           icmp --  anywhere             10.0.0.69           
           tcp  --  10.0.0.69            anywhere            
           tcp  --  anywhere             10.0.0.69           
           udp  --  10.0.0.69            anywhere            
           udp  --  anywhere             10.0.0.69           
           all  --  10.0.0.69            anywhere            
           all  --  anywhere             10.0.0.69           
#The Mangle portion of the ruleset. Here is where unwanted packet types get dropped.
#This helps in making port scans against your server a bit more time consuming and difficult, but not impossible.
*mangle
:PREROUTING ACCEPT [444:43563]
:INPUT ACCEPT [444:43563]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [402:144198]
:POSTROUTING ACCEPT [402:144198]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT

#The FILTER section of the ruleset is where we initially drop all packets and then selectively open certain ports.
*filter
:INPUT DROP [1:242]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

:icmp_packets - [0:0]

#Inbound
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 26 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p udp -m udp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 873 -j ACCEPT
-A INPUT -p udp -m udp --dport 873 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p udp -m udp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2078 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2083 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2087 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2089 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2096 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6666 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p icmp -j icmp_packets


#Outbound
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 26 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 465 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 873 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 873 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 2078 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 2078 -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p icmp -j icmp_packets



#Accept and respond to ICMP requests
-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
COMMIT
 
# Iptables firewall reset script
*filter
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
COMMIT

*mangle
:PREROUTING ACCEPT [164:15203]
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
:POSTROUTING ACCEPT [147:63028]
COMMIT

*nat
:PREROUTING ACCEPT [14:672]
:POSTROUTING ACCEPT [9:684]
:OUTPUT ACCEPT [9:684]
COMMIT

Thanks for any help you can provide.

***atreyu*** · 05-01-2013

hello and welcome!

i usually use the command iptables-save for this purpose, e.g.:

Code:

iptables-save > /etc/sysconfig/iptables.new

**Lazydog** · 05-01-2013

Or is you are using REDHAT or one of its forks

Code:

service iptables save

**LuditeITGuy** · 05-01-2013

Originally Posted by atreyu

hello and welcome!

i usually use the command iptables-save for this purpose, e.g.:

Code:

iptables-save > /etc/sysconfig/iptables.new

That's normally what I would do in order to get it exported in a format proper for importing straight in again. Then, I could just do a:

Code:

/sbin/iptables-restore < /etc/sysconfig/iptables.new

But in this case, I don't have the working firewall rules in iptables anymore. All I was able to recover was the output of

Code:

iptables -L

from my session, unfortunately.

***atreyu*** · 05-02-2013

oh, now i understand (i think): you can't issue an "iptables-save" (or "service iptables save") b/c your current rules are messed up. but in a terminal, you still have the output of "iptables -L" that you can copy-paste, etc., in order to create a new /etc/sysconfig/iptables file - is that right?

**Lazydog** · 05-02-2013

Originally Posted by LuditeITGuy

Code:

#The Mangle portion of the ruleset. Here is where unwanted packet types get dropped.
#This helps in making port scans against your server a bit more time consuming and difficult, but not impossible.
*mangle
:PREROUTING ACCEPT [444:43563]
:INPUT ACCEPT [444:43563]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [402:144198]
:POSTROUTING ACCEPT [402:144198]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT

#The FILTER section of the ruleset is where we initially drop all packets and then selectively open certain ports.
*filter
:INPUT DROP [1:242]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

:icmp_packets - [0:0]

#Inbound
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 26 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p udp -m udp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 873 -j ACCEPT
-A INPUT -p udp -m udp --dport 873 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p udp -m udp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2078 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2083 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2087 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2089 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2096 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6666 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p icmp -j icmp_packets


#Outbound
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 26 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 465 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 873 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 873 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 2078 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 2078 -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p icmp -j icmp_packets



#Accept and respond to ICMP requests
-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
COMMIT
 
# Iptables firewall reset script
*filter
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
COMMIT

*mangle
:PREROUTING ACCEPT [164:15203]
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
:POSTROUTING ACCEPT [147:63028]
COMMIT

*nat
:PREROUTING ACCEPT [14:672]
:POSTROUTING ACCEPT [9:684]
:OUTPUT ACCEPT [9:684]
COMMIT

Thanks for any help you can provide.

The above you should be able to remove all line that do not start with an '-A' and then place 'iptables' in front of the '-A' and then save the file make it executable and run it to add these rules to your firewall. After that you would just hae to rebuild your chain rules.

I would suggest making a backup copy of your firewall config in the future

**LuditeITGuy** · 05-06-2013

Thanks for the help! I absolutely will be making numerous backups of the rules in different places before I try scripting out iptables again.

What do you mean exactly when you say rebuild my chain rules?

Thanks again.

**Lazydog** · 05-06-2013

Code:

Chain acctboth (2 references)
target     prot opt source               destination         
           tcp  --  10.0.0.69            anywhere            tcp dpt:http 
           tcp  --  anywhere             10.0.0.69           tcp spt:http 
           tcp  --  10.0.0.69            anywhere            tcp dpt:smtp 
           tcp  --  anywhere             10.0.0.69           tcp spt:smtp 
           tcp  --  10.0.0.69            anywhere            tcp dpt:pop3 
           tcp  --  anywhere             10.0.0.69           tcp spt:pop3 
           icmp --  10.0.0.69            anywhere            
           icmp --  anywhere             10.0.0.69           
           tcp  --  10.0.0.69            anywhere            
           tcp  --  anywhere             10.0.0.69           
           udp  --  10.0.0.69            anywhere            
           udp  --  anywhere             10.0.0.69           
           all  --  10.0.0.69            anywhere            
           all  --  anywhere             10.0.0.69

**LuditeITGuy** · 05-06-2013

Thanks, I'll give that a shot.

Thread Tools

Display

Import the output of iptables -L back into iptables

Posting Permissions