iptables-save?

DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
ptruman
DD-WRT User


Joined: 14 May 2008
Posts: 155

Posted: Wed May 14, 2008 9:05    Post subject: iptables-save?
Hi

Has anyone got iptables-utils iptables-save to work?

I'm getting the following errors:

/jffs/etc/iptables # iptables-save
# Generated by iptables-save v1.3.3 on Wed May 14 09:04:13 2008
*nat
:PREROUTING ACCEPT [1791:460202]
:POSTROUTING ACCEPT [9:1323]
:OUTPUT ACCEPT [103:16861]
Can't find library for match `tcp'
-A PREROUTING -d 82.36.194.23 -p tcp /jffs/etc/iptables #


/jffs/etc/iptables # iptables-save -t mangle
# Generated by iptables-save v1.3.3 on Wed May 14 09:04:46 2008
*mangle
:PREROUTING ACCEPT [23549:6119815]
:INPUT ACCEPT [47591:7537792]
:FORWARD ACCEPT [185206:130160671]
:OUTPUT ACCEPT [16122:2989671]
:POSTROUTING ACCEPT [256150:141628834]
:SVQOS_IN - [0:0]
:SVQOS_OUT - [0:0]
Can't find library for target `IMQ'
-A PREROUTING -i vlan1 -j IMQ /jffs/etc/iptables #


Any clues?

(FYI I'm trying to use fwbuilder to look at the iptables, for various reasons)
ptruman
DD-WRT User


Joined: 14 May 2008
Posts: 155

Posted: Wed May 14, 2008 21:20
Anybody? (someone must have run it?!)
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

Posted: Wed May 14, 2008 22:02
No...
I'm getting the same error
Code:
root@WAN:~# ipkg install iptables-utils

Downloading http://downloads.openwrt.org/whiterussian/packages/iptables-utils_1.3.3-2_mipsel.ipk ...
Connecting to downloads.openwrt.org (195.56.146.238:80)
Done.
Unpacking iptables-utils...Done.
Configuring iptables-utils...Done.
root@WAN:~# iptables-save
# Generated by iptables-save v1.3.3 on Thu May 15 00:00:13 2008
*nat
:PREROUTING ACCEPT [10099:1475430]
:POSTROUTING ACCEPT [515:89227]
:OUTPUT ACCEPT [1230:225485]
Can't find library for match `tcp'
-A PREROUTING -d 85.191.0.241 -p tcp root@WAN:~#

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)
ptruman
DD-WRT User


Joined: 14 May 2008
Posts: 155

Posted: Mon Jun 02, 2008 11:23    Post subject: Got it working...
Got it working

After V24 was released, I tried iptables-save - no joy, there is no binary.

I download the ipkg (iptables-utils) and tried again, and got the same error.

So I googled (again) - and this time found this :

http://svn.dd-wrt.com:8000/dd-wrt/search?ticket=on&changeset=on&wiki=on&q=les&noquickjump=1&page=20

This shows a change to get iptables-save/restore working - pointing to /usr/sbin

And lo, if you look in /usr/sbin you can find iptables-restore, but not iptables-save. However, iptables-restore is just a symlink to iptables, so I did this:

cd /jffs/usr/bin
ln -s /jffs/usr/sbin/iptables ./iptables-save
./iptables-save

...and lo, output! :)

Not sure why the symlink isn't present in the final release, but it's working if you do the above :)

I've also updated the WiKi (http://www.dd-wrt.com/wiki/index.php/Firewall_Builder)
shiftwist
DD-WRT Novice


Joined: 18 Jun 2010
Posts: 4
Location: SF Bay Area

Posted: Fri Jun 18, 2010 5:30    Post subject: iptables-save, iptables-restore, no err msgs from iptables
While creating a sym link like:

ln -s /usr/sbin/iptables /tmp/iptables-save

will create a working iptables-save, iptables-restore DOES NOT WORK, at least up to b13533:

http://dd-wrt.ca/phpBB2/viewtopic.php?p=344316&highlight=&sid=8c34dbfe7608100a1e99390309efe69b

I can also confirm iptables-restore appears to do nothing for the mega build 13525 (on a WRT54GSv1).

That's unfortunate because it means iptables rules added via the web GUI ({Administration / Commands, Save Firewall}) must work with the existing rules, and deleting rules by line number is dicey because of later releases or GUI actions that have iptables side effects.

((I found this out after I wrote a startup script to save and restore compressed, uuencoded fw rules in nvram. Ironic that the working variant is the one that has a missing link.))

Unrelated to save/restore, after some hair pulling, I found that:

iptables produces NO error messages; you must check the return code status to see whether it did not like your arguments!

It must be checked with "echo $?" on the command line:

root@:~# iptables -bad -argument
root@:~# echo $?
255

The value of $? should be 0.

I hope this was/will be fixed in a build after 13525.


Last edited by shiftwist on Fri Jun 18, 2010 19:12; edited 1 time in total
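An added example (not code from the thread or from DD-WRT) of the check shiftwist describes: since this build's iptables prints nothing on a bad rule and only the exit status reports it, a wrapper that applies a rule list and stops at the first non-zero status tells you which line was rejected instead of leaving a half-applied firewall. The `IPTABLES` variable, the `ipt`/`apply_rules` names and the `--demo` switch are this example's own; the rule list is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): make iptables failures visible on builds
# where the binary prints no error text and only the exit status (255 in the
# post above) reports a bad rule.
# Assumptions: IPTABLES may be overridden to point at a test stub; rules are fed
# one per line as plain iptables arguments (blank lines and '#' comments skipped).

IPTABLES="${IPTABLES:-iptables}"

# Run a single iptables command and report the exact invocation on failure.
ipt() {
    rc=0
    "$IPTABLES" "$@" || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "iptables failed (rc=$rc): iptables $*" >&2
    fi
    return "$rc"
}

# Apply a rule list read from stdin, stopping at the first failing line so the
# caller learns which rule was rejected instead of silently ending up with a
# half-applied firewall. Returns 0 only if every rule was accepted.
apply_rules() {
    n=0
    while IFS= read -r rule; do
        n=$((n + 1))
        case "$rule" in
            ''|'#'*) continue ;;
        esac
        # Word-splitting of $rule is intended: each line is an argument list.
        if ! ipt $rule; then
            echo "stopped at rule $n" >&2
            return 1
        fi
    done
    return 0
}

# Usage: only runs with --demo, so sourcing this file changes nothing by itself.
# The rule list is constructed, typed the way it would go into
# Administration / Commands -> Save Firewall.
if [ "${1:-}" = "--demo" ]; then
    apply_rules <<'EOF'
# block NetBIOS leaking out of the WAN interface
-I OUTPUT -o vlan1 -p udp --dport 137:139 -j DROP
-I OUTPUT -o vlan1 -p tcp --dport 445 -j DROP
EOF
fi
```

Point `IPTABLES` at `true` or `false` to exercise the wrapper without touching a live firewall; with a real iptables, a rejected rule now produces a line on stderr naming it.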
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

Posted: Fri Jun 18, 2010 6:22
good show
Thanks for this investigative work...
I suspected there was something like an iptables-save as the file /tmp/.ipt is in that format. But that could have been for other reasons....

prep_optware now incorporates this line:
Code:
 ln -s /usr/sbin/iptables-restore /opt/usr/sbin/iptables-save



I just don't understand the post about iptables-restore not working. I'm already using it in my asiablock.

There was however a problem (which is fixed now) with the .prewall / rc_firewall / .if-up rules running simultaneously. This means the iptables-restore runs into an error whilst some other program (iptables) is managing the tables.

Could it be that problem?

shiftwist
DD-WRT Novice


Joined: 18 Jun 2010
Posts: 4
Location: SF Bay Area

Posted: Fri Jun 18, 2010 21:33    Post subject: iptables-restore testing on build 14594
I tried out build 14594 (mega; running on WRT54GSv1) in order to test iptables save/restore via commandline and did the following:

1. create the sym link:
Code:
  ln -s /usr/sbin/iptables /tmp/iptables-save

2. get initial state:
Code:
  /tmp/iptables-save >/tmp/fw_orig

3. made various changes:
Code:
  iptables -I OUTPUT -o vlan1 -p udp --dport 137:139 -j DROP

4. checked ret code
Code:
  echo $?

5. checked that fw changed:
Code:
  iptables -n -v -L
  /tmp/iptables-save


The change was verified.

6. test restore
Code:
  iptables-restore </tmp/fw_orig


7. checked that fw reverted back to /tmp/fw_orig

The iptables-restore worked, except for square-bracketed counter values (I copied text to emacs buffers and used it to diff buffers).

A few comments:

* 'iptables-save -c' does not clear the square-bracketed counters (non-zero [999,999])
* echo $? after iptables-restore was 255, but it seemed to work correctly.

_________________
a trio of WRT54GSv1
StanislavPo
DD-WRT Novice


Joined: 24 Oct 2010
Posts: 1

Posted: Sun Oct 24, 2010 23:31
I found that the bug (iptables-restore returns error 255) is still here (tested on DD-WRT 15452M NEWD-2 K2.6 Eko).

In my case, I have problems with "TRIGGER" lines, which are produced by iptables-save:
-A PREROUTING -d 111.222.33.44 -j TRIGGER --trigger-proto --trigger-match 0-0 --trigger-relate 0-0
Should be:
-A PREROUTING -d 111.222.33.44 -j TRIGGER

I think error 255 is because of the current version of ipt_TRIGGER, which is unable to parse the arguments (--trigger-proto --trigger-match 0-0 --trigger-relate 0-0).

I use this command to save iptables instead of iptables-save:

Code:
iptables-save | sed 's/--trigger-match 0-0//g' | sed 's/--trigger-relate 0-0//g' | sed 's/--trigger-proto\s*//g' > /tmp/fw_state


Maybe this command will help somebody.
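An added example (not code from the thread or from DD-WRT) that covers both shiftwist's save/change/restore test above and StanislavPo's TRIGGER clean-up: one filter that strips the timestamp comments and zeroes the [pkts:bytes] counters so two snapshots diff cleanly, and removes only the all-zero TRIGGER placeholder that this ipt_TRIGGER cannot parse back, leaving real trigger arguments intact. The `clean_ipt_save`/`ipt_diff`/`sample_save` names are this example's own, the sample dump is constructed, and it assumes busybox-compatible sed, diff and mktemp.

```shell
#!/bin/sh
# Added example (not from the thread): clean iptables-save output so that
#  (a) two snapshots can be diffed without the [pkts:bytes] counters and the
#      "# Generated by" / "# Completed on" timestamps getting in the way, and
#  (b) the text can be fed back to iptables-restore on builds whose TRIGGER
#      target dumps "--trigger-proto --trigger-match 0-0 --trigger-relate 0-0"
#      and then cannot parse it.
# Assumptions: busybox-compatible sed/diff/mktemp; only the all-zero TRIGGER
# placeholder form shown in the thread is stripped, real trigger arguments stay.

clean_ipt_save() {
    sed -e '/^# Generated by /d' \
        -e '/^# Completed on /d' \
        -e 's/\[[0-9][0-9]*:[0-9][0-9]*\]/[0:0]/g' \
        -e 's/ --trigger-match 0-0//' \
        -e 's/ --trigger-relate 0-0//' \
        -e 's/ --trigger-proto$//' \
        -e 's/ --trigger-proto \(--\)/ \1/'
}

# Compare two saved rule sets; exit status 0 = same rules, 1 = they differ.
ipt_diff() {
    a=$(mktemp) || return 2
    b=$(mktemp) || { rm -f "$a"; return 2; }
    clean_ipt_save < "$1" > "$a"
    clean_ipt_save < "$2" > "$b"
    rc=0
    diff -u "$a" "$b" || rc=$?
    rm -f "$a" "$b"
    return "$rc"
}

# Constructed sample in "iptables-save -c" format (counters on every line),
# including the TRIGGER line from the post above.
sample_save() {
    cat <<'EOF'
# Generated by iptables-save v1.3.3 on Sun Oct 24 23:00:00 2010
*nat
:PREROUTING ACCEPT [1791:460202]
:POSTROUTING ACCEPT [9:1323]
:OUTPUT ACCEPT [103:16861]
[12:840] -A PREROUTING -d 111.222.33.44 -j TRIGGER --trigger-proto --trigger-match 0-0 --trigger-relate 0-0
[0:0] -A PREROUTING -d 111.222.33.44 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80
COMMIT
# Completed on Sun Oct 24 23:00:00 2010
EOF
}

# Usage on the router, mirroring the test steps in the thread:
#   iptables-save -c > /tmp/fw_orig
#   iptables -I OUTPUT -o vlan1 -p udp --dport 137:139 -j DROP
#   iptables-save -c > /tmp/fw_new
#   ipt_diff /tmp/fw_orig /tmp/fw_new            # shows only the rule change
#   clean_ipt_save < /tmp/fw_orig | iptables-restore
# Stand-alone, just show the cleaned sample:
sample_save | clean_ipt_save
```

Counters are normalised to [0:0] rather than deleted because iptables-restore still parses the `:CHAIN POLICY [p:b]` and leading `[p:b]` fields; it only applies them with `-c`, so the cleaned text restores whether or not you pass that flag.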