iptables rules: importing rules


SirLoinOfSteak

Occasional Visitor
Hi All,

I would like to import a collection of iptables rules from another router. These include default rules and NAT rules. Is there any way I could enter them in their entirety in the firewall-start script?

It appears, based on this article, that I would have to split these up.


Thx,
 

SirLoinOfSteak

Occasional Visitor
I just had to like that reply.

So yes, I do apologize I should elaborate a bit. This is an example of section of rules I have:

Code:
# --------- Access to user ABC -----------------------------
iptables -A INPUT -s 101.101.101.101 -p tcp -m multiport --dports 20002,20001 -j ACCEPT
iptables -A INPUT -s 101.101.101.101 -p tcp -j ACCEPT
iptables -t nat -I PREROUTING -s 101.101.101.101 -p tcp --dport 20001 -j DNAT --to 10.10.0.10:22
iptables -I FORWARD -p tcp -d 10.10.0.10 --dport 22 -j ACCEPT
iptables -t nat -I PREROUTING -s 101.101.101.101 -p tcp --dport 20002 -j DNAT --to 10.10.0.10:1001
iptables -I FORWARD -p tcp -d 10.10.0.10 --dport 1001 -j ACCEPT
# --------- Access to user ABC (end) -----------------------------
This allows me to keep blocks that are meant for a specific purpose together, instead of having them split up between separate startup scripts. I can simply disable an entire section of rules that is meant for a specific purpose without having to remember or figure out which NAT rules correlate with which custom rule. Based on these definitions:

firewall-start
Called after the firewall got started and filtering rules have been applied. This is where you will usually put your own custom rules in the filter table (but not the NAT table). The script receives the WAN interface name (e.g. ppp0) as an argument which can be used in the script using $1.

nat-start
Called after NAT rules (i.e. port forwards and such) have been applied to the NAT table. This is where you will want to put your own NAT table custom rules (e.g. a port forward that only allows connections coming from a specific IP).

I'm thinking what I need to do is:

firewall-start:
iptables -A INPUT -s 101.101.101.101 -p tcp -m multiport --dports 20002,20001 -j ACCEPT
iptables -A INPUT -s 101.101.101.101 -p tcp -j ACCEPT
iptables -I FORWARD -p tcp -d 10.10.0.10 --dport 22 -j ACCEPT
iptables -I FORWARD -p tcp -d 10.10.0.10 --dport 1001 -j ACCEPT

nat-start:
iptables -t nat -I PREROUTING -s 101.101.101.101 -p tcp --dport 20001 -j DNAT --to 10.10.0.10:22
iptables -t nat -I PREROUTING -s 101.101.101.101 -p tcp --dport 20002 -j DNAT --to 10.10.0.10:1001

Probably a really dumb ask, but I'd prefer NOT to split the rules up. My goal is not to rewrite every rule and have to retest. I just want to dump a set of iptables rules from my old router and paste them into the Asus Merlin one as-is.

The link you provided is definitely helpful in terms of refining some of the old [email protected] I have on the old router, but at the cost of a lot of time and retesting each rule. Hoping to avoid that.

Thx
 
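One way to keep the combined sections intact while still honouring the firewall-start (filter table) / nat-start (NAT table) split described above, as an added example rather than code from the poster or from Asuswrt-Merlin: each hook sources this library and applies only the rules for its own table. The path /jffs/scripts/rules.txt and the library name rules-lib.sh are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the poster's code: keep the combined rules file with its
# commented sections and let each Asuswrt-Merlin hook apply only its own table
# (firewall-start -> filter, nat-start -> nat), so nothing has to be split up.
# The file path /jffs/scripts/rules.txt is a placeholder assumption.

# Constructed sample input: the section from the post, written to the path in $1.
write_sample_rules() {
    cat >"$1" <<'EOF'
# --------- Access to user ABC -----------------------------
iptables -A INPUT -s 101.101.101.101 -p tcp -m multiport --dports 20002,20001 -j ACCEPT
iptables -A INPUT -s 101.101.101.101 -p tcp -j ACCEPT
iptables -t nat -I PREROUTING -s 101.101.101.101 -p tcp --dport 20001 -j DNAT --to 10.10.0.10:22
iptables -I FORWARD -p tcp -d 10.10.0.10 --dport 22 -j ACCEPT
iptables -t nat -I PREROUTING -s 101.101.101.101 -p tcp --dport 20002 -j DNAT --to 10.10.0.10:1001
iptables -I FORWARD -p tcp -d 10.10.0.10 --dport 1001 -j ACCEPT
# --------- Access to user ABC (end) -----------------------------
EOF
}

# Print the iptables commands in file $1 that belong to table $2 (filter|nat).
# A line carrying "-t nat" is a NAT rule; any other iptables line is a filter rule.
select_rules() {
    grep -E '^[[:space:]]*iptables[[:space:]]' "$1" | while IFS= read -r line; do
        case "$line" in
            *" -t nat "*|*" -t nat") table=nat ;;
            *)                       table=filter ;;
        esac
        if [ "$table" = "$2" ]; then printf '%s\n' "$line"; fi
    done
}

# Lines that are neither comments, blank, nor iptables commands would be
# silently skipped; list them so a typo in the file is noticed.
unknown_lines() {
    grep -Ev '^[[:space:]]*(#|iptables[[:space:]]|$)' "$1" || true
}

# Run the selected rules. DRY_RUN=1 only prints them instead of executing.
apply_rules() {
    if [ "${DRY_RUN:-0}" = 1 ]; then select_rules "$1" "$2"
    else select_rules "$1" "$2" | sh; fi
}

# After ". /jffs/scripts/rules-lib.sh", the hook scripts become one line each:
#   /jffs/scripts/firewall-start:  apply_rules /jffs/scripts/rules.txt filter
#   /jffs/scripts/nat-start:       apply_rules /jffs/scripts/rules.txt nat
```

Run with DRY_RUN=1 first to see exactly which lines each hook would execute before letting them hit the live tables.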
