iptables rules: importing rules

SirLoinOfSteak

Occasional Visitor
Hi All,

I would like to import a collection of iptables rules from another router. These include default rules and NAT rules. Is there any way I could enter them in their entirety in the firewall-start script?

It appears, based on this article, that I would have to split these up.


Thx,
 
It seems I'm having IPTables issues as well, suddenly. I'm going to check the wiki for some help...
nat-start is the place to start apparently
 
I just had to like that reply.

So yes, I do apologize, I should elaborate a bit. This is an example of a section of rules I have:

Code:
# --------- Access to user ABC -----------------------------
iptables -A INPUT -s 101.101.101.101 -p tcp -m multiport --dports 20002,20001 -j ACCEPT
iptables -A INPUT -s 101.101.101.101 -p tcp -j ACCEPT
iptables -t nat -I PREROUTING -s 101.101.101.101 -p tcp --dport 20001 -j DNAT --to 10.10.0.10:22
iptables -I FORWARD -p tcp -d 10.10.0.10 --dport 22 -j ACCEPT
iptables -t nat -I PREROUTING -s 101.101.101.101 -p tcp --dport 20002 -j DNAT --to 10.10.0.10:1001
iptables -I FORWARD -p tcp -d 10.10.0.10 --dport 1001 -j ACCEPT
# --------- Access to user ABC (end) -----------------------------

This allows me to keep blocks of rules that are altogether meant for a specific purpose together, instead of having them split up between separate startup scripts. I can simply disable an entire section of rules that is meant for a specific purpose without having to remember or figure out which NAT rule correlates with which custom rule. Based on these definitions:

firewall-start
Called after the firewall got started and filtering rules have been applied. This is where you will usually put your own custom rules in the filter table (but not the NAT table). The script receives the WAN interface name (e.g. ppp0) as an argument which can be used in the script using $1.

nat-start
Called after NAT rules (i.e. port forwards and such) have been applied to the NAT table. This is where you will want to put your own NAT table custom rules (e.g. a port forward that only allows connections coming from a specific IP).

Thinking what I need to do is:

firewall-start:
iptables -A INPUT -s 101.101.101.101 -p tcp -m multiport --dports 20002,20001 -j ACCEPT
iptables -A INPUT -s 101.101.101.101 -p tcp -j ACCEPT
iptables -I FORWARD -p tcp -d 10.10.0.10 --dport 22 -j ACCEPT
iptables -I FORWARD -p tcp -d 10.10.0.10 --dport 1001 -j ACCEPT

nat-start:
iptables -t nat -I PREROUTING -s 101.101.101.101 -p tcp --dport 20001 -j DNAT --to 10.10.0.10:22
iptables -t nat -I PREROUTING -s 101.101.101.101 -p tcp --dport 20002 -j DNAT --to 10.10.0.10:1001

Probably a really dumb ask, but I'd prefer NOT to split the rules up. My goal is not to rewrite every rule and have to retest. I just want to dump a set of iptables rules from my old router and paste them into the Asus Merlin one as-is.

The link you provided is definitely helpful in terms of refining some of the old cr@p I have on the old router, but at the cost of a lot of time and retesting each rule. Hoping to avoid that.

Thx
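The split described in the post above (filter-table lines into firewall-start, nat-table lines into nat-start) can be done mechanically instead of by hand, which keeps the "do not rewrite and retest every rule" goal intact. The script below is an added example, not code from the thread or from Asuswrt-Merlin: it reads a combined rule dump one command per line, routes each iptables/ip6tables line by its `-t` table (anything that is not `nat` is treated as the filter table), copies the `# ----- section -----` comment lines into both outputs so a block such as "Access to user ABC" stays identifiable in each script, and comments out any line it cannot classify rather than running it. The sample input is constructed from the block posted above (the addresses and ports are the thread's placeholders); the file names are placeholders as well.

```shell
#!/bin/sh
# Added example, not code from the thread: split a combined iptables rule
# dump into the two Asuswrt-Merlin user scripts, firewall-start (filter
# table) and nat-start (nat table). Section comment lines are copied into
# BOTH outputs so each block stays identifiable in each script.
#
# Assumptions: one iptables/ip6tables command per line; the table is chosen
# with "-t nat" / "--table nat" (anything else is treated as the filter
# table, which is what firewall-start is for); file names are placeholders.

# split_rules IN FILTER_OUT NAT_OUT
split_rules() {
    in="$1"; filter_out="$2"; nat_out="$3"
    printf '#!/bin/sh\n# filter-table rules, split from %s\n' "$in" > "$filter_out"
    printf '#!/bin/sh\n# nat-table rules, split from %s\n' "$in" > "$nat_out"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*)
                # blank lines and section comments are kept in both scripts
                printf '%s\n' "$line" >> "$filter_out"
                printf '%s\n' "$line" >> "$nat_out" ;;
            'iptables '*|'ip6tables '*)
                case " $line " in
                    *' -t nat '*|*' --table nat '*|*' --table=nat '*)
                        printf '%s\n' "$line" >> "$nat_out" ;;
                    *)
                        printf '%s\n' "$line" >> "$filter_out" ;;
                esac ;;
            *)
                # anything not understood is disabled, not silently executed
                printf '# UNPARSED: %s\n' "$line" >> "$filter_out" ;;
        esac
    done < "$in"
    chmod 0755 "$filter_out" "$nat_out"
}

# count_rules FILE: number of iptables/ip6tables command lines in FILE
count_rules() {
    grep -Ec '^ip6?tables ' "$1" || true
}

# write_sample FILE: constructed input modelled on the block in the post
# above (the addresses and ports are the thread's own placeholders)
write_sample() {
    cat > "$1" <<'EOF'
# --------- Access to user ABC -----------------------------
iptables -A INPUT -s 101.101.101.101 -p tcp -m multiport --dports 20002,20001 -j ACCEPT
iptables -A INPUT -s 101.101.101.101 -p tcp -j ACCEPT
iptables -t nat -I PREROUTING -s 101.101.101.101 -p tcp --dport 20001 -j DNAT --to 10.10.0.10:22
iptables -I FORWARD -p tcp -d 10.10.0.10 --dport 22 -j ACCEPT
iptables -t nat -I PREROUTING -s 101.101.101.101 -p tcp --dport 20002 -j DNAT --to 10.10.0.10:1001
iptables -I FORWARD -p tcp -d 10.10.0.10 --dport 1001 -j ACCEPT
# --------- Access to user ABC (end) -----------------------------
EOF
}

# Demo run against the constructed sample in a temporary directory.
demo_dir=$(mktemp -d)
write_sample "$demo_dir/old-router.rules"
split_rules "$demo_dir/old-router.rules" "$demo_dir/firewall-start" "$demo_dir/nat-start"
echo "firewall-start: $(count_rules "$demo_dir/firewall-start") rules, nat-start: $(count_rules "$demo_dir/nat-start") rules"
```

Relative order within each table is preserved, so `-I` rules still land above the `-A` rules exactly as they would have in the combined file. The generated scripts are meant to be copied to /jffs/scripts/ on the Merlin router; firewall-start still receives the WAN interface as $1 as the quoted wiki text says, and if either script can be run more than once, guard each rule with an `iptables -C` check before adding it so the rules are not duplicated.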
 
