  1. tunasashimi

    For some reason iptables-save is not included in most firmwares. Reason? Someone commented out the source.

    I have compiled an iptables-save binary that, so far, seems to be compatible with all releases of Tomato I have tried it on. It was compiled from the V1.16 source.

    # unzip iptables-save.zip
    Enable ssh on your router.
    # scp iptables-save router:/tmp
    router# /tmp/iptables-save -c

    Todo: Figure out why, where and how various firmwares reload the firewall.

    Tomato, for example, creates an iptables-save format file when you modify its QoS rules, in /tmp/etc/iptables, and uses iptables-restore to effect your changes. Presumably upon reconnection of any WAN link, the firewall is reset.

    Anybody know of anywhere else the firewall is reset?

    Why is this useful?

    You can do an

    # iptables-save -c >/jffs/iptables
    in your shutdown script, or as a cron script, every few minutes; then you can do an
    # iptables-restore -c </jffs/iptables
    to restore your counters in your init or wan_up scripts... Sure... there'll be some debugging pending our discovery of the firewall reset points...

    Anybody have any bullet-proof setups doing this, or better uses?
    Let us know!

  2. srouquette

    iptables... you mean the thing you can put in Admin > Scripts > Firewall?
  3. Hypernova

    This only affects the traffic counters and not the actual rules right?

    It would be great to use it to make per-IP traffic counting persistent.
  4. tunasashimi

    I guess if you do "iptables-restore --noflush < ..." ... yes.

    I have found some rules that iptables-save writes out that iptables-restore can't read in... probably why the code was commented out. Investigating... (but don't rely on me to do all the research...)
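    Added example (not code from this thread or from Tomato) covering both the save/restore procedure in post 1 and the "counters only" question in posts 3 and 4. Instead of loading the saved dump on top of the live rules with --noflush (which appends a second copy of every rule), it takes a fresh `iptables-save -c` of the rules the firmware has just rebuilt, adds the saved packet/byte counts to each rule that still exists, and reloads that merged dump with `iptables-restore -c`. The merge is plain awk so it runs on a busybox router. Assumptions that are mine, not the thread's: /jffs is writable, iptables-save and iptables-restore are in PATH, and a rule is identified by its text with the leading [packets:bytes] stripped (the n-th duplicate of a rule matches the n-th duplicate in the saved dump). The `demo` mode uses constructed dumps, not real router output.

```sh
#!/bin/sh
# Persist iptables counters across a firewall reset (added example, not from the
# thread). Assumption: /jffs writable, iptables-save/iptables-restore in PATH.

SAVE_FILE=${SAVE_FILE:-/jffs/iptables}

# merge_counters SAVED CURRENT
# Prints CURRENT with each rule's counters replaced by saved + current for rules
# that also appear in SAVED. New rules keep their current counters; non-rule
# lines (*table, :CHAIN policy [p:b], COMMIT, comments) pass through unchanged.
merge_counters() {
    awk '
    # Returns the rule text of a "[p:b] -A CHAIN ..." line and sets P and B,
    # or returns "" for lines without a leading counter prefix.
    function counts(line) {
        if (match(line, /^\[[0-9]+:[0-9]+\] /) == 0) return ""
        split(substr(line, 2, RLENGTH - 3), cb, ":")
        P = cb[1]; B = cb[2]
        return substr(line, RLENGTH + 1)
    }
    NR == FNR {                                  # first file: saved dump
        rule = counts($0)
        if (rule != "") {
            n = nsaved[rule]++; k = rule SUBSEP n
            pk[k] = P; by[k] = B
        }
        next
    }
    {                                            # second file: current dump
        rule = counts($0)
        if (rule == "") { print; next }
        n = ncur[rule]++; k = rule SUBSEP n
        if (k in pk)
            printf "[%.0f:%.0f] %s\n", P + pk[k], B + by[k], rule
        else
            print
    }' "$1" "$2"
}

# cron / shutdown script: snapshot the live counters atomically.
save_counters() {
    iptables-save -c > "$SAVE_FILE.tmp" && mv "$SAVE_FILE.tmp" "$SAVE_FILE"
}

# init / wan_up, after the firmware has rebuilt the firewall: reload the live
# rules with the saved counters folded in (full -c restore, no --noflush).
restore_counters() {
    [ -s "$SAVE_FILE" ] || return 0
    iptables-save -c > /tmp/iptables.now || return 1
    merge_counters "$SAVE_FILE" /tmp/iptables.now > /tmp/iptables.merged || return 1
    iptables-restore -c < /tmp/iptables.merged
}

# Self-contained demo on constructed dumps (not real router output): a dump saved
# before a reset and a dump taken after it, with some new traffic and a new rule.
demo_merge() {
    d=$(mktemp -d) || return 1
    cat > "$d/saved" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:acct - [0:0]
[120:9000] -A FORWARD -j acct
[100:8000] -A acct -s 192.168.1.10
[20:1000] -A acct -d 192.168.1.10
COMMIT
EOF
    cat > "$d/current" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:acct - [0:0]
[5:400] -A FORWARD -j acct
[3:300] -A acct -s 192.168.1.10
[2:100] -A acct -d 192.168.1.10
[0:0] -A acct -s 192.168.1.11
COMMIT
EOF
    merge_counters "$d/saved" "$d/current"
    rm -rf "$d"
}

case "${1:-}" in
    save)    save_counters ;;
    restore) restore_counters ;;
    demo)    demo_merge ;;
    *)       ;;
esac
```

    Usage: `sh counters.sh save` from cron or the shutdown script, `sh counters.sh restore` from init or wan_up, `sh counters.sh demo` to see the merge on the sample dumps. The open question in post 1 still applies: restore has to run after every point where the firmware rebuilds the firewall and before the next save, otherwise a save taken right after a reset overwrites the file with zeroed counters.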
  5. tunasashimi

    Anybody found a use for this yet, or can tell me why it was commented out?
