Where is iptables script stored on DD-WRT filesystem?
Solution 1
Looking in /tmp/.ipt and /tmp/.rc_firewall gives exactly what I was looking for: the iptables rules as they would normally be in a file like /etc/sysconfig/iptables.
I had earlier found this:
dd if=/dev/mem | strings | grep -i iptables
...and fortunately, it works on the pared-down DD-WRT filesystem. It didn't give precisely what I was looking for, but it output quite a bit of info I hadn't been able to pinpoint any other way (or at least not with a single command).
Still have to determine which things are actually in effect by comparing with the output of
iptables -L -vn --line-numbers
iptables -L -vn -t nat --line-numbers
iptables -L -vn -t mangle --line-numbers
I also discovered that the grep command actually does work [my apologies for initially stating that it didn't -- I would've sworn it didn't work the last times I had tried. Mea maxima culpa.] Using grep, I found that /lib/services.so also has a wealth of iptables configuration in it.
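Solution 1 ends with the step it does not show: working out which of the stored rules are actually in effect. The script below is an added example, not code from the answer or from DD-WRT. It normalises a rule file (either a script of `iptables ... -A/-I CHAIN ...` commands, as /tmp/.ipt is assumed to be, or iptables-save format) and a dump of the loaded rules into one line per rule, then lists the stored rules that are not loaded. The live side is taken from `iptables -S -t TABLE`, which exists in iptables 1.4 and later; the 2010 v24-sp2 build on this page may not have `-S`, but the file-against-file comparison itself only needs awk, sort and comm. Two canonicalisations the kernel applies are handled so they do not show up as false mismatches: `-p tcp --dport N` is reported back as `-p tcp -m tcp --dport N`, and a bare IPv4 host in `-s`/`-d` is reported with `/32`. Others (for example the order in which `--state` flags are printed back) are not handled and will appear as mismatches to check by hand. Policies (`-P`), chain creation (`-N`) and counters are ignored. The file names, function names and sample rules are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original answer or from DD-WRT): compare the rules
# stored in a file such as /tmp/.ipt with the rules currently loaded in the kernel.
#
# Assumptions:
#  - the stored file is a script of "iptables [-t TABLE] -A|-I CHAIN ..." commands
#    or iptables-save format ("*TABLE" headers, "-A CHAIN ..." lines, "COMMIT");
#  - the live side is produced by "iptables -S -t TABLE" (iptables 1.4 or newer).
# Only -A/-I rules are compared; -P, -N, -F and shell lines are skipped.

# normalize_rules [FILE]  ->  one line per rule: "TABLE -A CHAIN <rule spec>"
normalize_rules() {
    awk '
    /^\*[a-z]+$/ { table = substr($1, 2); next }          # iptables-save table header
    /^(COMMIT|#)/ || NF == 0 { next }                     # trailer, comments, blank lines
    {
        split("", tok); n = 0; i = 1
        if ($i == "iptables" || $i ~ /\/iptables$/) i++   # script form: drop the command word
        t = (table == "") ? "filter" : table
        chain = ""
        while (i <= NF) {
            if ($i == "-t") { t = $(i + 1); i += 2; continue }
            if (($i == "-A" || $i == "-I") && chain == "") {
                chain = $(i + 1); i += 2
                if ($i ~ /^[0-9]+$/) i++                  # "-I CHAIN N": position is not part of the rule
                continue
            }
            tok[++n] = $i; i++
        }
        if (chain == "") next                             # -P, -N, -F, insmod lines etc.: not rules
        proto = ""; have_m = 0; out = ""
        for (j = 1; j <= n; j++) {
            if (tok[j] == "-p" && (tok[j + 1] == "tcp" || tok[j + 1] == "udp")) proto = tok[j + 1]
            if (tok[j] == "-m" && tok[j + 1] == proto) have_m = 1
            if (proto != "" && !have_m && tok[j] ~ /^--(dport|sport|tcp-flags)$/) {
                out = out " -m " proto; have_m = 1      # kernel reports the implicit match module
            }
            if ((tok[j] == "-s" || tok[j] == "-d") && tok[j + 1] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                tok[j + 1] = tok[j + 1] "/32"             # kernel reports a host address as /32
            out = out " " tok[j]
        }
        print t " -A " chain out
    }' "$@"
}

# dump_live_rules  ->  the loaded rules of the three tables the answer lists, save-like format
dump_live_rules() {
    for t in filter nat mangle; do
        echo "*$t"
        iptables -S -t "$t"
    done
}

# missing_rules STORED_FILE LIVE_FILE  ->  stored rules that are not loaded, one per line
missing_rules() {
    a=$(mktemp) || return 1
    b=$(mktemp) || { rm -f "$a"; return 1; }
    normalize_rules "$1" | LC_ALL=C sort -u > "$a"
    normalize_rules "$2" | LC_ALL=C sort -u > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# On the router:  dump_live_rules > /tmp/live.rules && missing_rules /tmp/.ipt /tmp/live.rules
```

Run it once against a fresh boot and keep the output: anything listed is a rule the firewall file asks for that the kernel does not hold (or a canonicalisation the script does not cover), which is exactly the set to inspect before adding custom rules on top of it.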
Solution 2
There are many *WRT distribution variants, and different devices are set up in different ways, so I'm not sure whether this applies to your configuration, but it probably does.
The basic *WRT configuration has a read-only root filesystem, so it cannot save customizations in the filesystem. Instead, the startup loads various (variant-dependent) settings from NVRAM, which is organized as a simple list of key-value pairs. The firewall rules are stored in variant-dependent NVRAM entries. Look for one whose name contains firewall or whose value contains iptables, or some such.

Run

ssh ROUTER_HOSTNAME nvram export --dump >nvram.txt

to explore your router's NVRAM content at your leisure.
Solution 3
I have the same problem and I tried to create a symlink from iptables to iptables-save, which was advised on their wiki page DD-WRT_V24_.26_iptables-save, but it did not work for me.

To solve this I made a shell file showing the contents of /tmp/.ipt.

/jffs/bin/iptables-save:

#!/bin/sh
# stand-in for the missing iptables-save command: print the rule file under /tmp
cat /tmp/.ipt

NOTE: The wiki page (DD-WRT_V24_.26_iptables-save) is about "Firewall Builder" - I haven't tested this solution with "Firewall Builder".
Updated on September 18, 2022

Comments
- PattMauler over 1 year

I have an ASUS RT-N16 router that I've flashed with the open-source DD-WRT firmware. According to my ssh login, I'm running:

DD-WRT v24-sp2 mega (c) 2010 NewMedia-NET GmbH
Release: 08/07/10 (SVN revision: 14896)

I'd like to be able to customize the iptables rules, but before I do that, I'd like to see the output of the built-in rules that get configured when manipulating the browser/GUI interface settings. I am aware of the firewall script tab in the browser interface for entering custom firewall rules, but I can't find someplace to see the output.

On a full-blown Linux system, the iptables rules would be stored somewhere like /etc/sysconfig/iptables. Where would I find these on a DD-WRT filesystem? I can do

iptables -L -vn --line-numbers

and see them output, but what I'm looking for is more of what the iptables-save command might output... so that I can incorporate the appropriate rules into my custom script. I understand that this build does not have an iptables-save command. I don't necessarily want the command itself, just output that it generates. If there was something like /etc/sysconfig/iptables, I wouldn't care about having iptables-save. I've seen that there may be different builds of DD-WRT that give something like iptables-save, but I'm not at the point where I'm ready or willing to flash the router again. Maybe as a last resort.

EDIT: The usual Linux locations for startup scripts and the like (e.g., /etc/init.d, /etc/rc, ...) do not seem to have anything useful (at least in the build of DD-WRT that I have installed). For example, taking a look in /etc/init.d:

[/etc/init.d]# ll
-rwxr-xr-x 1 root root 84 Aug 7 2010 rcS
-rwxr-xr-x 1 root root 10 Aug 7 2010 S01dummy
[/etc/init.d]# cat rcS
#!/bin/sh
for i in /etc/init.d/S*; do
    $i start 2>&1
done | logger -s -p 6 -t '' &
[/etc/init.d]# cat S01dummy
#!/bin/sh
- tink about 11 years: Hmmm ... I withdrew my answer. Is there an rc.local? What does a grep -ril iptables /etc/. yield?

- PattMauler about 11 years: Thanks! I tried the exact command you gave, but got no output. After a little more Googling, I think the nvram command for this variant is nvram show. Replacing export --dump with show gives a pretty rich output of stuff. Unfortunately, it doesn't have the built-in SPI firewall rules in there anywhere. The closest I seem to see is rc_firewall, which contains the custom rules that I can supply via the browser interface. This is a start, though. I suppose the stock/default iptables rules are generated by script more-or-less 'on-the-fly' at boot-up based on other values? Maybe?

- Allenph over 7 years: I know this is an old thread. I found some rules with cat /tmp/.ipt while telnetting into my DD-WRT router. Is this where the rules are loaded from on startup?