Where is iptables script stored on DD-WRT filesystem?


Solution 1

Looking in

/tmp/.ipt
/tmp/.rc_firewall

gives exactly what I was looking for: the iptables rules as they would normally be in a file like /etc/sysconfig/iptables.

I had earlier found this:

dd if=/dev/mem | strings | grep -i iptables

...and fortunately, it works on the pared-down DD-WRT filesystem. It didn't give precisely what I was looking for, but it output quite a bit of info I hadn't been able to pinpoint any other way (or at least not with a single command).

Still have to determine which things are actually in effect by comparing with the output of

iptables -L -vn --line-numbers
iptables -L -vn -t nat --line-numbers
iptables -L -vn -t mangle --line-numbers

I also discovered that the grep command actually does work [my apologies for initially stating that it didn't; I would've sworn it didn't work the last times I had tried. Mea maxima culpa.] Using grep, I found that the

/lib/services.so

also has a wealth of iptables configuration in it.

Solution 2

There are many *WRT distribution variants, and different devices are set up in different ways, so I'm not sure whether this applies to your configuration, but it probably does.

The basic *WRT configuration has a read-only root filesystem, so it cannot save customizations in the filesystem. Instead, the startup loads various (variant-dependent) settings from NVRAM, which is organized as a simple list of key-value pairs. The firewall rules are stored in variant-dependent NVRAM entries. Look for one whose name contains firewall or whose value contains iptables, or some such.

Run ssh ROUTER_HOSTNAME nvram export --dump >nvram.txt to explore your router's NVRAM content at your leisure.

Solution 3

I have the same problem and I tried to create a symlink from iptables to iptables-save, which was advised on their wiki page DD-WRT_V24_.26_iptables-save, but it did not work for me.

To solve this I made a shell script showing the contents of /tmp/.ipt.

/jffs/bin/iptables-save:

#!/bin/sh
cat /tmp/.ipt

NOTE: The wiki page (DD-WRT_V24_.26_iptables-save) is about "Firewall Builder" - I haven't tested this solution with "Firewall Builder".
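Added example (not part of any of the answers above): a small POSIX shell script that turns the command lines in /tmp/.ipt into output shaped like iptables-save, which is the comparison view Solution 1 is after and a step up from the plain cat wrapper in Solution 3. It assumes /tmp/.ipt holds one "iptables ..." invocation per line, as the DD-WRT firewall code is believed to write it, and that awk is available in the DD-WRT BusyBox build. The rules in sample_ipt are constructed for offline testing and did not come from a real router; the function names (sample_ipt, ipt_to_save, ipt_live) are this example's own.

```sh
#!/bin/sh
# Added example: rebuild iptables-save style output from /tmp/.ipt.
# Assumption: /tmp/.ipt holds one "iptables ..." invocation per line, as
# DD-WRT's firewall code is believed to write it. Needs awk (assumed to be
# present in the DD-WRT BusyBox build).

# sample_ipt: constructed stand-in for /tmp/.ipt, for offline testing only.
# None of these rules came from a real router.
sample_ipt() {
    cat <<'EOF'
# constructed sample of the command lines found in /tmp/.ipt
iptables -t nat -A PREROUTING -i vlan2 -p tcp --dport 80 -j DNAT --to 192.168.1.10
iptables -F
iptables -N logaccept
iptables -P INPUT DROP
iptables -A INPUT -i br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j logaccept
EOF
}

# ipt_to_save [FILE...]: read iptables command lines (stdin if no FILE) and
# emit them grouped per table in the shape iptables-save uses:
#   *table / :CHAIN POLICY [0:0] / -A ... / COMMIT
# Flush, delete-chain and zero commands (-F, -X, -Z) have no counterpart in
# a saved rule set and are dropped. Insert (-I) rules are kept verbatim so
# the position the firewall script gave them stays visible instead of being
# silently turned into an append.
ipt_to_save() {
    awk '
    /^[ \t]*$/ || /^[ \t]*#/ { next }          # blank lines and comments
    $1 == "iptables" {
        table = "filter"; rule = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "-t") { table = $(i + 1); i++; continue }   # -t TABLE
            rule = (rule == "") ? $i : rule " " $i
        }
        if (rule ~ /^-[FXZ]( |$)/) next                          # no save form
        if (!(table in seen)) { seen[table] = 1; order[++n] = table }
        if (rule ~ /^-N /) {                                      # user chain
            split(rule, f, " "); chains[table] = chains[table] ":" f[2] " - [0:0]\n"; next
        }
        if (rule ~ /^-P /) {                                      # builtin policy
            split(rule, f, " "); chains[table] = chains[table] ":" f[2] " " f[3] " [0:0]\n"; next
        }
        rules[table] = rules[table] rule "\n"
    }
    END {
        for (k = 1; k <= n; k++) {
            t = order[k]
            printf "*%s\n%s%sCOMMIT\n", t, chains[t], rules[t]
        }
    }' "$@"
}

# ipt_live: the live view Solution 1 compares against, every table with
# line numbers (run on the router itself; needs iptables and root).
ipt_live() {
    for t in filter nat mangle; do
        echo "### table $t"
        iptables -t "$t" -L -vn --line-numbers
    done
}

# Stand-alone demo on the constructed sample. On the router you would run
#   ipt_to_save /tmp/.ipt
# or, mirroring Solution 3, install this as /jffs/bin/iptables-save.
sample_ipt | ipt_to_save
```

The converted output is only what the firewall script asked for at boot, not necessarily what is loaded now: rules added later by the GUI, by /tmp/.rc_firewall or by hand are not in /tmp/.ipt, so the live ipt_live listing remains the authority on what is actually in effect.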

Author: PattMauler


Updated on September 18, 2022

Comments

  • PattMauler
    PattMauler over 1 year

    I have an ASUS RT-N16 router that I've flashed with the open-source DD-WRT firmware. According to my ssh login, I'm running:

    DD-WRT v24-sp2 mega (c) 2010 NewMedia-NET GmbH
    Release: 08/07/10 (SVN revision: 14896)
    

    I'd like to be able to customize the iptables rules, but before I do that, I'd like to see the output of the built-in rules that get configured when manipulating the browser/GUI interface settings. I am aware of the firewall script tab in the browser interface for entering custom firewall rules, but I can't find someplace to see the output.

    On a full-blown Linux system, the iptables rules would be stored somewhere like /etc/sysconfig/iptables. Where would I find these on a DD-WRT filesystem? I can do

    iptables -L -vn --line-numbers
    

    and see them output, but what I'm looking for is more of what the iptables-save command might output... so that I can incorporate the appropriate rules into my custom script.

    I understand that this build does not have an iptables-save command. I don't necessarily want the command itself, just output that it generates. If there was something like /etc/sysconfig/iptables, I wouldn't care about having iptables-save. I've seen that there may be different builds of DD-WRT that give something like iptables-save, but I'm not at the point where I'm ready or willing to flash the router again. Maybe as a last resort.

    EDIT: The usual Linux locations for startup scripts and the like, (e.g., /etc/init.d, /etc/rc, ...) do not seem to have anything useful (at least in the build of DD-WRT that I have installed). For example, taking a look in /etc/init.d:

    [/etc/init.d]# ll
    -rwxr-xr-x    1 root     root           84 Aug  7  2010 rcS
    -rwxr-xr-x    1 root     root           10 Aug  7  2010 S01dummy
    [/etc/init.d]# cat rcS
    #!/bin/sh
    for i in /etc/init.d/S*; do
      $i start 2>&1
    done | logger -s -p 6 -t '' &
    [/etc/init.d]# cat S01dummy
    #!/bin/sh
    
    • tink
      tink about 11 years
      Hmmm ... I withdrew my answer. Is there an rc.local? What does grep -ril iptables /etc/. yield?
  • PattMauler
    PattMauler about 11 years
    Thanks! I tried the exact command you gave, but got no output. After a little more Googling, I think the nvram command for this variant is nvram show. Replacing export --dump with show gives a pretty rich output of stuff. Unfortunately, it doesn't have the built-in SPI firewall rules in there anywhere. The closest I seem to see is rc_firewall, which contains the custom rules that I can supply via the browser interface. This is a start, though. I suppose the stock/default iptables rules are generated by script more-or-less 'on-the-fly' at boot-up based on other values? Maybe?
  • Allenph
    Allenph over 7 years
    I know this is an old thread. I found some rules with cat /tmp/.ipt while telnetting into my DD-WRT router. Is this where the rules are loaded from on startup?