
How to backup and restore iptables rules in openSUSE?


Vahis

Dec 28, 2011, 2:17:57 AM
I've been looking for a way for a seemingly simple task:
http://www.faqs.org/docs/iptables/iptables-save.html

That is I'm trying to save my firewall rules to a backup file.

I have apparently screwed up my firewall on one machine and there's
another one with seemingly proper settings.
I'd like to take the rules from there.

Another option might be to flush the rules altogether and start from
scratch but I sure would like a backup first to do that.

Does anybody have experience with Shorewall instead of SuSEfirewall2?
I don't seem to get a grip of the "suse way".

man SuSEfirewall2
No manual entry for SuSEfirewall2

I've been able to get things working so far but now it seems to me that
SuSEfirewall2 (or I) can't figure out _ip6tables_.

Vahis
--
http://waxborg.servepics.com
openSUSE 11.4 (x86_64) 2.6.37.6-0.9-default main host
openSUSE 12.1 (x86_64) 3.1.1-48-desktop Tumbleweed in VirtualBox
openSUSE 12.1 (i586) 3.1.0-1.2-desktop in EeePC 900

Kevin Nathan

Dec 28, 2011, 12:05:45 PM
On Wed, 28 Dec 2011 07:17:57 GMT
Vahis <wax...@gmail.com.invalid> wrote:

>I've been looking for a way for a seemingly simple task:
>http://www.faqs.org/docs/iptables/iptables-save.html
>
>That is I'm trying to save my firewall rules to a backup file.
>

What happens if you send the output of 'iptables_save' to a file? Do
you see your rules or not?


<snip>

>Does anybody have experience with Shorewall instead of
>SuSEfirewall2? I don't seem to get a grip of the "suse way".
>

No, I don't so I probably shouldn't answer. Without doing any research
on it, my guess would be that they still manipulate the iptables. Maybe
installing a test OS in VirtualBox would let you play/test to see what
happens... :-)


--
Kevin Nathan (Arizona, USA)
Linux Potpourri -- http://www.project54.com/linux/

Open standards. Open source. Open minds.
The command line is the front line.
Linux 2.6.37.6-0.9-desktop
10:02am up 17 days 21:12, 14 users, load average: 0.06, 0.05, 0.05

Vahis

Dec 28, 2011, 12:36:45 PM
On 2011-12-28, Kevin Nathan <kna...@project54.com> wrote:
> On Wed, 28 Dec 2011 07:17:57 GMT
> Vahis <wax...@gmail.com.invalid> wrote:
>
>>I've been looking for a way for a seemingly simple task:
>>http://www.faqs.org/docs/iptables/iptables-save.html
>>
>>That is I'm trying to save my firewall rules to a backup file.
>>
>
> What happens if you send the output of 'iptables_save' to a file? Do
> you see your rules or not?

I tried $ iptables-save > myrules
(I thought that should have been the way)

Then
$ cat myrules
iptables-save: command not found

Then I posted my question.

Now I tried

$ iptables_save > myrules

$ cat myrules
iptables_save: command not found

>
>>Does anybody have experience with Shorewall instead of
>>SuSEfirewall2? I don't seem to get a grip of the "suse way".
>>
>
> No, I don't so I probably shouldn't answer. Without doing any research
> on it, my guess would be that they still manipulate the iptables.

That's what they do. They also say they support ip6tables, which seems to
be the heart of my problem here.

I don't have problems with IPv4, but since starting to try to get to know IPv6
I've got into problems.

> Maybe
> installing a test OS in VirtualBox would let you play/test to see what
> happens... :-)

Guess I'll try that. I have a good VM to try with.

I'd like to get the problematic machine's rules copied to it first though.
Then I could see if it's the rules that suck, and also if I can fix it.

Since the real machine still works fine in IPv4 I wouldn't like to bork
it more than I already have.

Vahis

Dec 28, 2011, 12:47:17 PM
On 2011-12-28, houghi <hou...@houghi.org.invalid> wrote:
> Vahis wrote:
>> Does anybody have experience with Shorewall instead of SuSEfirewall2?
>> I don't seem to get a grip of the "suse way".
>>
>> man SuSEfirewall2
>> No manual entry for SuSEfirewall2
>
> I never needed one. But then I never used IPv6. All I needed was to open
> ports.
>
>> I've been able to get things working so far but now it seems to me that
>> SuSEfirewall2 (or I) can't figure out _ip6tables_.
>
> Mmm. Could be. Perhaps ask on the mailinglist to be sure. Probably best
> developers.
>
I'm just wondering if there's a suse way to make a backup like there is
in the upstream.

marrgol

Dec 28, 2011, 1:03:19 PM
On 2011-12-28 18:36, Vahis wrote:
>>>I've been looking for a way for a seemingly simple task:
>>>http://www.faqs.org/docs/iptables/iptables-save.html
>>>
>>>That is I'm trying to save my firewall rules to a backup file.
>>>
>>
>> What happens if you send the output of 'iptables_save' to a file? Do
>> you see your rules or not?
>
> I tried $ iptables-save> myrules
> (I thought that should have been the way)
>
> Then
> $ cat myrules
> iptables-save: command not found

You need to be root to run iptables-save successfully and have
/usr/sbin in the path.

--
mrg

marrgol

Dec 28, 2011, 1:03:33 PM
On 2011-12-28 18:47, Vahis wrote:
> I'm just wondering if there's a suse way to make a backup like there is
> in the upstream.

No, but SuSEfirewall2 keeps its configuration in
/etc/sysconfig/SuSEfirewall2 and /etc/sysconfig/SuSEfirewall2.d/*
so you can copy these to another machine.

--
mrg

Vahis

Dec 28, 2011, 1:20:34 PM
On 2011-12-28, marrgol <marsp...@gspammail.com> wrote:
> On 2011-12-28 18:36, Vahis wrote:
>>>>I've been looking for a way for a seemingly simple task:
>>>>http://www.faqs.org/docs/iptables/iptables-save.html
>>>>
>>>>That is I'm trying to save my firewall rules to a backup file.
>> I tried $ iptables-save> myrules
>> (I thought that should have been the way)
>>
>> Then
>> $ cat myrules
>> iptables-save: command not found
>
> You need to be root to run iptables-save successfully and have
> /usr/sbin in the path.

Thank you so much! :)

YaST has been my friend for so long that I can't figure out anything
even this simple.

Eternal noob me :)

Now we're getting somewhere...

Vahis

Dec 28, 2011, 1:21:14 PM
On 2011-12-28, marrgol <marsp...@gspammail.com> wrote:
Thanks a lot for this, too :)

Vahis

Dec 28, 2011, 3:08:52 PM
On 2011-12-28, houghi <hou...@houghi.org.invalid> wrote:
> Vahis wrote:
>> YaST has been my friend for so long that I can't figure out anything
>> even this simple.

I went:
waxborg:~ # iptables -L -n

That showed the rules.

waxborg:~ # iptables-save > /tmp/myrules
waxborg:~ # cat /tmp/myrules

Looks good...

Scary:
waxborg:~ # iptables -F

Real scary:
waxborg:~ # iptables-save
waxborg:~ # iptables -L -n

All gone!

Then
waxborg:~ # iptables-restore < /tmp/myrules

All there again!

Now I need some time in the sack :)


> I must say that running it as root or with sudo does not give me
> anything.

Try those above, bye for now ;)

Vahis

Dec 29, 2011, 6:08:00 AM
On 2011-12-28, Vahis <wax...@gmail.com.invalid> wrote:
> On 2011-12-28, marrgol <marsp...@gspammail.com> wrote:
>> On 2011-12-28 18:36, Vahis wrote:
>>>>>I've been looking for a way for a seemingly simple task:
>>>>>http://www.faqs.org/docs/iptables/iptables-save.html
>>>>>
>>>>>That is I'm trying to save my firewall rules to a backup file.
>>> I tried $ iptables-save> myrules
>>> (I thought that should have been the way)
>>>
>>> Then
>>> $ cat myrules
>>> iptables-save: command not found
>>
>> You need to be root to run iptables-save successfully and have
>> /usr/sbin in the path.
>

OK. I saved the rules first from a good machine
#ip6tables-save > /etc/goodrules

First I was after this rule:

Chain input_ext (3 references)
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT

I couldn't figure out the command syntax to put it there
so I copied it from the goodrules file to the bad machine's badrules.
Using vim, go figure.

Then I restored the edited badrules onto the bad machine. Bingo!

#ip6tables-restore < /pathto/badrules
#ip6tables save

I also made another line there, in the same ridiculous way:

-A input_ext -p tcp -m tcp --dport 80 -j ACCEPT

Now ssh -6 works fine.

Also http works with an IPv6 address; I don't have IPv6 name resolution for it
yet, so http there is just a proof of concept.

I still wasn't able to make traceroute -6 work from the bad machine,
so I copied the whole goodrules set to the bad machine and it started
working.

The next thing to do is to find the rule(s) which do that.

But that's when I got some more time.
I also need to learn to add, remove and replace rules in
iptables/ip6tables :)

I guess I also need to file a bug against YaST not being able to
manage ip6tables?

Thanks.
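The two posts above do the whole job by hand: dump the live rules with ip6tables-save, edit the dump in vim to add an ACCEPT line to the input_ext chain, then load it back with ip6tables-restore. The following shell example is added here and is not code from the thread or from openSUSE; it does the same edit with a script and adds the check a practitioner wants before restoring, namely that the file is still well-formed and that the new rule was not placed behind the chain's catch-all DROP, where it would never match. The names write_sample, add_accept_rule and check_rules are this example's own, and SAMPLE_RULES is a constructed dump modelled on the quoted input_ext rule, not the rules from either machine in the thread.

```shell
# Added example (not from the thread or openSUSE): offline editing of an
# ip6tables-save dump, followed by structural checks, before ip6tables-restore.
# SAMPLE_RULES is a constructed dump modelled on the input_ext chain quoted
# above; it is not the rules from either machine in the thread.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:input_ext - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j input_ext
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -j DROP
COMMIT'

# write_sample FILE: materialise the constructed dump so the functions below
# have a file to work on (in real use FILE comes from "ip6tables-save > FILE").
write_sample() {
  printf '%s\n' "$SAMPLE_RULES" > "$1"
}

# add_accept_rule FILE CHAIN PORT: insert an ACCEPT rule for TCP PORT ahead of
# the first existing rule of CHAIN. Rules in a chain match in order, so a rule
# appended after the chain's catch-all DROP would never be reached.
add_accept_rule() {
  file=$1; chain=$2; port=$3
  rule="-A $chain -p tcp -m tcp --dport $port -j ACCEPT"
  # already present: leave the file alone so repeated runs stay idempotent
  grep -qxF -- "$rule" "$file" && return 0
  awk -v chain="$chain" -v rule="$rule" '
    !done && $1 == "-A" && $2 == chain { print rule; done = 1 }
    { print }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# check_rules FILE: structural checks that restore either rejects or applies
# silently in a way you did not intend. Returns 0 when clean, 1 otherwise,
# and reports each finding on stderr:
#   - every table opened with "*name" is closed by COMMIT, and rules sit inside one
#   - every chain used by an -A line is declared with a ":chain" line in that table
#   - no -A rule follows an unconditional DROP/REJECT in the same chain (dead rule)
check_rules() {
  awk '
    function bad(msg) { print "check_rules: " msg > "/dev/stderr"; failed = 1 }
    /^\*/ {
      if (intable) bad("table " table " not closed by COMMIT")
      intable = 1; table = $1; split("", chains); split("", dead); next
    }
    /^COMMIT$/ { if (!intable) bad("COMMIT without an open table"); intable = 0; next }
    /^:/ { chains[substr($1, 2)] = 1; next }
    /^-A / {
      if (!intable) bad("rule outside a table: " $0)
      if (!($2 in chains)) bad("rule for undeclared chain " $2)
      if ($2 in dead) bad("unreachable rule after terminal target in " $2 ": " $0)
      if (NF == 4 && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) dead[$2] = 1
      next
    }
    END {
      if (intable) bad("table " table " not closed by COMMIT")
      exit (failed ? 1 : 0)
    }
  ' "$1"
}
```

In real use the sequence is, as root with /usr/sbin in the path as marrgol said: `ip6tables-save > /root/rules.v6`, `add_accept_rule /root/rules.v6 input_ext 80`, `check_rules /root/rules.v6 && ip6tables-restore < /root/rules.v6`. iptables-save and ip6tables-save dump separate rule sets, so a backup of one says nothing about the other, which is why the IPv4 side kept working in the thread while IPv6 was broken. Since SuSEfirewall2 regenerates its rules from /etc/sysconfig/SuSEfirewall2 when it restarts, a rule set restored by hand this way lasts only until that next restart; a change meant to be permanent belongs in those sysconfig files, with the dump kept as the fallback.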

Vahis

Dec 29, 2011, 1:30:29 PM
On 2011-12-29, houghi <hou...@houghi.org.invalid> wrote:
> Vahis wrote:
>> I also need to learn to add remove and replace rules in
>> iptables/ip6tables :)
>
> There is enough information about that online. What I do when I look for
> things like this is use "example" or "examples" as an added thing to a
> search.

I did that. The problem was that the rules are in chains and I had a hard
time trying to replace something in a certain chain.

> With that I found http://tinyurl.com/rd57k and
> http://www.thegeekstuff.com/2011/06/iptables-rules-examples/

I saw a lot of howtos and examples. I bookmarked a few, similar to yours.

I just couldn't get it.

Then I thought why can't I just edit the backup file with an
editor and then restore the edited version.

And now I read in your links:

"If you redirect the iptables-save screen output to a file with the >
symbol, then you can edit the output and reload the updated rules when
they meet your new criteria with the iptables-restore command."

That's exactly what I did, all by myself :)

And I thought it was ridiculous doing so instead of just geekly editing
the rules with ip6tables commands.

Born to geek!
>
>> I guess I also need to file a bug against YaST not being able to
>> manage ip6tables?
>
> Please do.

I'll look if there's already something and if not I'll raise one.
