Iptables save command

Discussion in 'Tomato Firmware' started by Tippmann, Mar 31, 2012.

  1. Tippmann

    Tippmann Networkin' Nut Member

    Hi all, I added some rules to my iptables but whenever I reboot my router it is all gone. Can anybody help me find the save command for iptables? I had tried "nvram commit", "service iptables save" and
    "iptables-save -c /path" but none of them seemed to work for me. Please, if anyone knows how to save the config and have it every time I reboot, let me know.

    Thank you and have a nice day.
  2. shibby20

    shibby20 Network Guru Member

    administration -> scripts -> firewall -> here put your iptables command
  3. Tippmann

    Tippmann Networkin' Nut Member

    I wanted to do it by ssh but I couldn't find the command for it.
  4. Tippmann

    Tippmann Networkin' Nut Member

    Can anybody tell me the command to save iptables rules by telnet or ssh? I don't want to use the web interface much; that way I have more security. Thank you.
  5. ntest7

    ntest7 Network Guru Member

    If you want security (which is a good thing), use https. You're just making things harder on yourself by using the command line.

    The startup firewall commands are saved in nvram under the script_fire variable.
    You should be able to manually add iptables commands with

    nvram set script_fire='iptables ...
    iptables ...
    iptables ...'

    nvram commit
  6. Tippmann

    Tippmann Networkin' Nut Member

    Thank you, I think that is the command I was looking for. Do you know why, when I type "service iptables save" and it says done and everything, it is gone after reboot?
    Thank you for your help.
  7. koitsu

    koitsu Network Guru Member

    Because the routers do not have disks in them -- they have flash. Almost all the firmwares by default do not use/have a persistent filesystem on them; the filesystem you see as / (and everything under it) is effectively read-only, and other parts (such as /tmp) are in RAM (thus after a reboot, all changes are lost).

    To overcome this, persistent data is chosen to be stored in NVRAM. That's why you have things like the script_fire NVRAM variable, etc... Some NVRAM variables are extracted during boot-time into files (in /tmp). Change /tmp/blah and reboot and you'll lose your changes. Hence the need for the nvram set.

    There are alternate solutions such as use of JFFS (which is a persistent filesystem spread across a region of flash) and so on -- some of which OpenWRT and others prefer to use -- but there are pros/cons to using that (the big con being that your flash will wear out much sooner, despite wear-levelling). You can read up on those things if you want.
  8. Tippmann

    Tippmann Networkin' Nut Member

    Thank you koitsu, very nice information.
  9. Spektrat

    Spektrat Reformed Router Member

    Like Tippmann, I also updated via Telnet by using the following lines (and many many many more):
    iptables -I INPUT -s -j DROP
    iptables -I INPUT -s -j DROP

    My question is (being not good with Linux commands at all):
    One answer was:
    "nvram set script_fire='iptables ...
    iptables ...
    iptables ...'

    nvram commit"

    What good does the ' do? Typo?

    Next question:

    Would this do to make the Iptables save and survive a reboot?:
    iptables -I INPUT -s -j DROP
    nvram commit

    I tested the interface (Script/Firewall) a few weeks ago and it did not work. There are no guides on how to use it for people like me. Why is it not possible to upload a text file with the list? I mean, one can upload and download the entire settings and update the firmware by that method. Safety and security should be made easy.

  10. rs232

    rs232 Network Guru Member

    I don't like the many many many more. If you are looking to block multiple IP address consider using ipset. A working script can be found here: http://www.linksysinfo.org/index.php?threads/p2partisan-2-40-mass-ip-blocking.69128/

    Your other question: yes, it's a typo, and no, that command you wrote is not enough. You really need to add the commands into the script_fire. As already explained, it is better to use the GUI Administration/scripts to do so.

    If you use telnet/ssh (no, I mean telnet, really?) use the syntax provided: nvram set script_fire bla bla bla. The nvram commit will save into nvram so that it is loaded after a reboot.

    NOTE: the script_fire is loaded

  11. Spektrat

    Spektrat Reformed Router Member

    Thx HTH,

    I was hoping someone would pick up "many many" and suggest a better method.
    The method by using "IPSET" looks great, but I really don't know how to implement. Simply because I have never done this before and I know square all about Linux. I would need guidance and I really would like to implement what you just suggested.

    My plan is to reboot and list the blocked IP's again, then remove the blocked ones and implement "IPSET". This is really what I'm looking for.

    I am using Telnet like this:

    If there are better ways to communicate and update Ipset and other configs I am very open to change.

    Thanks so far ( :

  12. rs232

    rs232 Network Guru Member

    HTH = Hope This Helps
    Where my nick here is rs232

    All the information you need is provided in the P2Partisan first post, you literally just need to copy and paste.
    Might I ask you where are these IPs you're blocking coming from?

    Telnet is unencrypted and unless you know what you're doing ssh is always a better option (e.g. use putty from windows)
  13. Spektrat

    Spektrat Reformed Router Member

    Hi There Helper,

    I will look for Putty and try to work out what to C&P.

    The IPs are basically C&P from my server (Windows Security Log & Windows Firewall log) I need to protect. I need to extend the outer parameter by setting that to the router and stop the idiocrazy from there.

    Why not use RS4 as nick? More potent and vigilant : )

    Will post more and hopefully progress rather than mistakes.

  14. Spektrat

    Spektrat Reformed Router Member

    Some progress, but got stuck on 3 things:
    1. can't create directory 'p2partisan': Read-only file system cd p2partisan
    Installed at the wrong place?

    2. Do I need the White List and how can I edit the lists

    3. If I save a list with my own blocks and properly save it with the correct commands. How can I use this list to update the firewall?

    I think the use of both Black List and a personal would be better.


  15. rs232

    rs232 Network Guru Member

    I'll give you the benefit of the doubt:

    1) Make sure you have a cifs1 mounted first (under administration/cifs).
    2) Forget about windows and run the commands on tomato (via ssh or telnet).
    3) post these questions under the P2Partisan thread (link provided above) and not here please.
  16. ntest7

    ntest7 Network Guru Member

    No, not a typo. The single quote at the beginning and end allow you to load multiple lines into the script_fire variable. If you leave the quotes out, you can only type a single line.

    No, the iptables state is not saved between reboots. All iptables settings should be put into the nvram script_fire variable, or stored on some external storage device CIFS/USB whatever.

    The web administration/scripts/firewall page is just an easy interface to load the script_fire nvram variable, and is basically a shell script to run at boot time after the firewall starts. You can put any valid shell commands in here, so your iptables commands would be exactly what you would type from the telnet command prompt. If you have lots of settings, store them in a script on external storage and use nvram script_fire (or the web administration/scripts/firewall page) to call your external script.
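The following is an added example, not code from anyone in this thread and not part of Tomato or P2Partisan. It puts together ntest7's advice (posts 5 and 16: script_fire is just a boot-time shell script, so keep long rule lists on external storage and have script_fire call them) with rs232's suggestion (post 10) to block many addresses through one ipset instead of "many many many" iptables lines. Assumptions: the blocklist and script paths under /cifs1 are made up, the ipset 4.x syntax (ipset -N/-A, the "nethash" set type, "-m set --set NAME src") is what Tomato builds of that era shipped, and nothing is written to NVRAM unless you run persist with APPLY=1; by default it only prints the nvram commands it would run. If ipset -N fails on your build because the ip_set kernel modules are not loaded, load them first; which module names apply depends on the build.

```sh
#!/bin/sh
# Added example (not from this thread): keep the blocklist and the firewall
# script on external storage (a CIFS mount here) and let script_fire only call it.
# Assumed: the two paths below, and ipset 4.x syntax (-N/-A, "nethash",
# "-m set --set"); newer ipset uses "ipset create NAME hash:net" and
# "-m set --match-set". Nothing touches nvram unless APPLY=1.

BLOCKLIST="${BLOCKLIST:-/cifs1/firewall/blocklist.txt}"   # assumed path
SCRIPT_PATH="${SCRIPT_PATH:-/cifs1/firewall/block.sh}"    # assumed path

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /prefix (0-32).
is_ipv4_cidr() {
  case "$1" in
    *[!0-9./]*|''|.*|*.|*..*|/*|*/|*/*/*|*/*.*) return 1 ;;
  esac
  addr="${1%%/*}"
  prefix="${1#*/}"
  [ "$prefix" = "$1" ] && prefix=32        # no slash: a single host
  set -- $(printf '%s' "$addr" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  [ "$prefix" -le 32 ]
}

# Print the firewall script that script_fire will run: one ipset filled from
# the blocklist and one INPUT rule that matches it. Blank lines and "#"
# comments in the blocklist are ignored; a malformed entry aborts (return 1)
# so a typo never silently produces a half-built set. Delete-then-insert keeps
# the rule from stacking up when Tomato re-runs the firewall script.
render_firewall_script() {
  list="$1"; set_name="${2:-blocklist}"
  printf '%s\n' '#!/bin/sh' \
    "ipset -N $set_name nethash 2>/dev/null || ipset -F $set_name"
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"
    line="$(printf '%s' "$line" | tr -d ' \t\r')"
    [ -z "$line" ] && continue
    is_ipv4_cidr "$line" || { printf 'bad blocklist entry: %s\n' "$line" >&2; return 1; }
    case "$line" in */*) ;; *) line="$line/32" ;; esac   # nethash wants a mask
    printf 'ipset -A %s %s\n' "$set_name" "$line"
  done < "$list"
  printf '%s\n' \
    "iptables -D INPUT -m set --set $set_name src -j DROP 2>/dev/null" \
    "iptables -I INPUT -m set --set $set_name src -j DROP"
}

# The whole script_fire value: a one-liner that runs the external script only if
# the file is there, so an unmounted CIFS share does not break the boot firewall.
script_fire_value() {
  printf '[ -f %s ] && sh %s' "$SCRIPT_PATH" "$SCRIPT_PATH"
}

# Write the script to storage and persist the hook in NVRAM (dry-run by default).
persist() {
  render_firewall_script "$BLOCKLIST" > "$SCRIPT_PATH" || return 1
  if [ "${APPLY:-0}" = 1 ]; then
    nvram set script_fire="$(script_fire_value)"
    nvram commit
  else
    printf "nvram set script_fire='%s'\nnvram commit\n" "$(script_fire_value)"
  fi
}
```

Usage on the router: copy the block to storage, put your addresses one per line in the blocklist, run `sh block-helper.sh` style `. ./thisfile; persist` once to see the two nvram commands, then `APPLY=1 persist` to commit. Keeping only the one-line hook in script_fire sidesteps the multi-line quoting question raised above (the single quotes are what let a multi-line value reach nvram set) and keeps the tiny NVRAM area from filling up with rule text; the rules themselves can be edited on the share and re-applied by re-running the firewall script or rebooting.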