How do I find out where my IPTables rules are being stored?

I working on a Debian server and I'm trying to figure out where my IPTable rules are being stored.

From looking around on the internet I've found there is generally two locations were these are usually saved.

http://major.io/2009/11/16/automatically-loading-iptables-on-debianubuntu/ suggests /etc/network/if-up.d/iptables but that file does not exist in that directory.

http://beginlinux.wordpress.com/2009/05/26/saving-changes-for-iptables/ /etc/sysconfig/iptables but the /etc/sysconfig directory doesn't even exist.

From what I know it isn't to uncommon for the previous administrator to save common files to a different location for security purposes and I was wondering if there was a way for me to find out where the rules are being saved when the iptables-save command is used. This page also states that the file is restored using the script located at /etc/init.d/iptables but this also does not exist.

Any help or suggestions as far as how to proceed to find out where the rules are being saved? I know I can try and use grep to find a rare string which would be located in the rules, but I feel there has to be a simpler and more direct method.

Update:

Thank you for all of your help. I tried using grep to search the /etc directory but it took a very long time and I didn't want to risk running out of memory, so I stopped it. I figured I'd try using strace as a less intensive method.

From looking through the strace I've come to the lines (I changed the IP addess to 1.1.1.1):

`open("/etc/protocols", O_RDONLY|O_CLOEXEC) = 5
fstat64(5, {st_mode=S_IFREG|0644, st_size=2859, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7747000
read(5, "# Internet (IP) protocols\n#\n# Up"..., 4096) = 2859
close(5)                                = 0
munmap(0xb7747000, 4096)                = 0
write(1, "-A net2fw -s 1.1.1.1/32 -p t"..., 66) = 66`

I'm not 100% sure what this is doing, but it looks like to me that this is where it uses protocol #5 from the file /etc/protocols which would be:

st 5 ST # ST datagram mode

reading the file stats of some file and then mapping what it reads to a memory location 0xb7747000. I'm unsure where it is reading from but then it closes the protocol, unmaps from memory and then writes the rule to file descriptor 1.

How close am I to reading this correctly? and how would I find out the file represented by 1?

Running an strace on iptables-save probably wouldn't be all that useful. The system is using ufw/firehol/sanewall/Shorewall/etc...

OP doesn't say anything about using shorewall.

OP didn't he had any idea at all about how the iptables rules were being enabled. The questions seems be specifically about him not knowing what is going on at all because he is taking over responsibility for a system someone else setup.