May 15, 2011, 6:09 p.m.
posted by whitehat
Recovering from a Lost Script
Sometimes the script you created to generate iptables rules may get corrupted or lost, or you might inherit a new system from an administer and cannot find the original script used to protect it. In these situations, you can use the iptables-save and iptables-restore commands to assist you with the continued management of the server.
Unlike the service iptables save command, which actually saves a permanent copy of the firewall's active configuration in the /etc/sysconfig/iptables file, iptables-save displays the active configuration to the screen in /etc/sysconfig/iptables format. If you redirect the iptables-save screen output to a file with the symbol, then you can edit the output and reload the updated rules when they meet your new criteria with the iptables-restore command.
This example exports the iptables-save output to a text file named firewall-config:
[[email protected] tmp]# iptables-save > firewall-config [[email protected] tmp]# cat firewall-config # Generated by iptables-save v1.2.9 on Mon Nov 8 11:00:07 2004 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [144:12748] :RH-Firewall-1-INPUT - [0:0] -A INPUT -j RH-Firewall-1-INPUT -A FORWARD -j RH-Firewall-1-INPUT -A RH-Firewall-1-INPUT -i lo -j ACCEPT -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT -A RH-Firewall-1-INPUT -p esp -j ACCEPT -A RH-Firewall-1-INPUT -p ah -j ACCEPT -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 - -j ACCEPT -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited COMMIT # Completed on Mon Nov 8 11:00:07 2004 [[email protected] tmp]#
After editing the firewall-config file with the commands you need, you can reload it into the active firewall rule set with the iptables-restore command:
[[email protected] tmp]# iptables-restore < firewall-config
[[email protected] tmp]# service iptables save