Recovering from a Lost Script

Sometimes the script you created to generate iptables rules may get corrupted or lost, or you might inherit a system from another administrator and be unable to find the original script used to protect it. In these situations, you can use the iptables-save and iptables-restore commands to continue managing the server's firewall without the script.

Unlike the service iptables save command, which actually saves a permanent copy of the firewall's active configuration in the /etc/sysconfig/iptables file, iptables-save only prints the active configuration to the screen, in the same format /etc/sysconfig/iptables uses. If you redirect the iptables-save output to a file with the > symbol, you can edit the output and, once the rules meet your new criteria, reload them with the iptables-restore command.

This example exports the iptables-save output to a text file named firewall-config:

     [root@bigboy tmp]# iptables-save > firewall-config
     [root@bigboy tmp]# cat firewall-config
     # Generated by iptables-save v1.2.9 on Mon Nov 8 11:00:07 2004
     *filter
     :INPUT ACCEPT [0:0]
     :FORWARD ACCEPT [0:0]
     :OUTPUT ACCEPT [144:12748]
     :RH-Firewall-1-INPUT - [0:0]
     -A INPUT -j RH-Firewall-1-INPUT
     -A FORWARD -j RH-Firewall-1-INPUT
     -A RH-Firewall-1-INPUT -i lo -j ACCEPT
     -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
     -A RH-Firewall-1-INPUT -p esp -j ACCEPT
     -A RH-Firewall-1-INPUT -p ah -j ACCEPT
     -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
     -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
     -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
     COMMIT
     # Completed on Mon Nov 8 11:00:07 2004
     [root@bigboy tmp]#

After editing the firewall-config file with the commands you need, you can reload it into the active firewall rule set with the iptables-restore command:

     [root@bigboy tmp]# iptables-restore < firewall-config

Finally, you should permanently save the active configuration so that it will be loaded automatically when the system reboots:

     [root@bigboy tmp]# service iptables save
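Because iptables-restore replaces the whole active rule set in one go, a typo in the edited file (for example a missing COMMIT, or an accidentally deleted SSH rule on a remote box) is only discovered once the rules are live. The following shell script is an added example, not part of the original page or of the iptables project: it runs a few offline checks over a saved dump before you hand it to iptables-restore. The helper names (tables_balanced, accepts_port, rule_count, preflight) and the constructed sample dump are assumptions made for this example; the script itself never touches the live firewall and needs no root.

```shell
#!/bin/sh
# Pre-flight checks for an iptables-save dump before it is fed to
# iptables-restore. Added example; helper names are assumptions.

# Constructed sample dump for the example, laid out like iptables-save output.
SAMPLE_DUMP="${TMPDIR:-/tmp}/firewall-config.sample.$$"
cat > "$SAMPLE_DUMP" <<'EOF'
# Generated by iptables-save (constructed sample, not a real dump)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [144:12748]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
trap 'rm -f "$SAMPLE_DUMP"' EXIT

# tables_balanced FILE: succeed only if every "*table" line is closed by a
# COMMIT and no COMMIT appears outside a table. iptables-restore rejects
# an unbalanced file, so catch it before the restore attempt.
tables_balanced() {
  awk '
    /^\*/      { if (open) bad = 1; open = 1 }
    /^COMMIT$/ { if (!open) bad = 1; open = 0 }
    END        { if (bad || open) exit 1; exit 0 }
  ' "$1"
}

# accepts_port FILE PORT: succeed if some -A rule ACCEPTs traffic to
# --dport PORT. Used here to make sure the SSH rule survived editing.
accepts_port() {
  grep -Eq -- "^-A .*--dport $2( .*)? -j ACCEPT" "$1"
}

# rule_count FILE CHAIN: print how many -A rules the dump holds for CHAIN.
rule_count() {
  grep -c -- "^-A $2 " "$1"
}

# preflight FILE: run the checks; the caller then decides whether to run
# "iptables-restore < FILE" (root required; deliberately not done here).
preflight() {
  tables_balanced "$1" || { echo "preflight: unbalanced *table/COMMIT in $1" >&2; return 1; }
  accepts_port "$1" 22 || { echo "preflight: no ACCEPT rule for port 22, remote lockout risk" >&2; return 1; }
  return 0
}

# Usage on a real system: preflight firewall-config && iptables-restore < firewall-config
preflight "$SAMPLE_DUMP" && echo "preflight ok: $(rule_count "$SAMPLE_DUMP" RH-Firewall-1-INPUT) rules in RH-Firewall-1-INPUT"
```

The port-22 check is the one most administrators want when working over SSH; adjust the port or add further accepts_port calls for whatever management path you rely on, and keep the checks conservative: they only refuse to proceed, they never rewrite the file.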

If desired, you can eventually convert this firewall-config file into a regular iptables script so that it becomes more easily recognizable and manageable.