Not sure if something is getting lost in context or maybe through language translation or cultural translation. For those wondering, the following link is what is being referenced.
https://www.snbforums.com/threads/where-are-the-default-iptables-stored.40042/#post-969155
As the developer indicated, eight years ago, the "default rules" (which is what the original poster was asking about) are configured by the firmware code. The end user can add their own
custom code that modifies, or adds to, the "default rules" through the use of custom scripting.
@ColinTaylor likewise pointed out like the developer did that "
non-custom rules" are generated by the firmware.
Sorry, in my most respectful Canadian way, I ask does the following sound wrong or worthy of reprimand:
"The rules are built by shell scripts computing and issuing iptables commands, so there is no passive and declarative file, just the /jffs/scripts/firewall-start script doing its thing to kickoff the entire nearly incomprehensible process.
The convention to add your own rules or override the defaults is to put your iptables commands at the end of /jffs/scripts/firewall-start or possibly create /jffs/scripts/nat-start and make it executable for nat rules. When the router boots or the services restart those scripts will run."
To which Colin Taylor replied:
"Why are you replying to a post that's over eight years old? [Ok, that's highly cultural. Then why do you leave them open?]
Your answer is also incorrect. The
non-custom rules are not built by those user shell scripts but rather they are generated by the firmware code as previously stated
by the developer." Who had replied: "There are no "default rules", everything is configured by the firmware code" [errata: configured in package generation but Iptable entries are literally built at run time by the shell script]. For the past fifty years, there are no UNIX/Linux rules in the usual sense, only iptables commands generally embedded in shell scripts with further computational conditions that manipulate a dynamically created linearly scanned internal packet filtering rule set which many non-UNIX users do not understand as the OP almost certainly did not.
It is somewhat unusual to confuse code generation with the running of the code generated which is all that the user sees and that is a shell script invoked in a single line by a service restart script. There may be legitimate confusion with the upstream software generation (possibly in C or awk or yacc) that creates the executable shell script, but end users are not in that loop so why even mention it. I was doing this in 1980 including then unheard of self installing scripts for NASA fluid dynamics software as a bizarre specialty. This comment was followed by another terse comment: "They're in the firmware, but those are in the realm of the 3rd rail - touch them in the firmware, and you'll die. [Note: of course you can't, users never see the upstream stage]. There is a mechanism to extend them via scripts - there's plenty of posts/threads on how to do this..." which nobody can say why my simple explanation above was wrong as claimed by Colin Taylor.
RMerlin then shut the thread thereby blocking clarification leaving me with a reprimand that is inaccurate and no way to respond. When I asked how was I wrong, I could get no response. The technology has not changed. Custom internal Iptables rules are built by the same shell script that runs when the user does a restart, extending them is not a third rail but requires careful thought, and this is done by modifying the system supplied startup script exactly as described. It is very reasonable to assume the OP was seeking such a means as was I at that point which is generally what a user means when they ask how to modify default behavior of a system feature.
