# [SOLVED] iptables doesn't save the rules

## queen

I have a set of rules that I changed today. When I use 

```
iptables-save
```

 I don't get any error but it shows me some very old iptables rules. 

Some remarks before showing the whole output. The cards are:

- eth0: wired network
- eth2: Intel wifi card (ipw2200 driver)
- wlan0: Ralink 73 USB wifi card

Currently, I use wlan0.

My firewall rules are in /sbin/myfirewall with the right permissions.

Now to the code part: 

```
cat /sbin/myfirewall

#!/bin/sh
# Set location of iptables
IPTABLES=/sbin/iptables

# Define interfaces
PUBLIC_IF="wlan0"
PUBLIC_IF2="eth2"

# Flush current rules
#$IPTABLES -t nat -F
$IPTABLES -t filter -F
#$IPTABLES -t mangle -F

# Delete custom chains
#$IPTABLES -t nat -X
$IPTABLES -t filter -X
#$IPTABLES -t mangle -X

# Set default policies
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t filter -P OUTPUT ACCEPT
#$IPTABLES -t nat -P PREROUTING ACCEPT
#$IPTABLES -t nat -P OUTPUT ACCEPT
#$IPTABLES -t nat -P POSTROUTING ACCEPT
#$IPTABLES -t mangle -P PREROUTING ACCEPT
#$IPTABLES -t mangle -P INPUT ACCEPT
#$IPTABLES -t mangle -P FORWARD ACCEPT
#$IPTABLES -t mangle -P OUTPUT ACCEPT
#$IPTABLES -t mangle -P POSTROUTING ACCEPT

# Allow traffic from trusted interfaces
#$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i ! eth2 -j ACCEPT
#$IPTABLES -A INPUT -i ! eth0 -j ACCEPT
$IPTABLES -A INPUT -i ! wlan0 -j ACCEPT

# Allow traffic from established connections
#$IPTABLES -A INPUT -i $PUBLIC_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
#$IPTABLES -A INPUT -i $PUBLIC_IF2 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Drop typical ICMP responses
#$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j DROP
#$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 4 -j DROP
#$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11 -j DROP
#$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 12 -j DROP
#$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 0 -j DROP
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8 -j DROP

#ban ips
#iptables -I INPUT -m iprange --src-range 212.235.28.160-212.235.28.191 -j DROP
#iptables -I INPUT -m iprange --src-range 78.53.192.0-78.54.159.255 -j DROP

# Allow inbound DNS requests from the wireless network.
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF2 -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF2 -p tcp --dport 53 -j ACCEPT

# Allow BitTorrent traffic -- avoid ISP blocking defaults
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp -m multiport --ports 53309:53317 --syn -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp -m multiport --ports 53309:53317 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF2 -p tcp -m tcp -m multiport --ports 53309:53317 --syn -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF2 -p udp -m udp -m multiport --ports 53309:53317 -j ACCEPT

# Allow SSH
#$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 22 --syn -j ACCEPT
#$IPTABLES -A INPUT -i $PUBLIC_IF2 -p tcp -m tcp --dport 22 --syn -j ACCEPT

# Allow linuxdc
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 33123 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 33123 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF2 -p tcp -m tcp --dport 33123 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF2 -p udp -m udp --dport 33123 -j ACCEPT

# Allow Donkey capability
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 8726 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 8730 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF2 -p tcp -m tcp --dport 8726 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF2 -p udp -m udp --dport 8730 -j ACCEPT

# Allow Kad in emule capability
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 16687 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF2 -p udp -m udp --dport 16687 -j ACCEPT

# Allow Msn capability to get files
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 6891 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF2 -p udp -m udp --dport 6891 -j ACCEPT

# Allow Msn
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 1863 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF2 -p tcp -m tcp --dport 1863 -j ACCEPT

# Allow ICQ
#$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 5190 -j ACCEPT
#$IPTABLES -A INPUT -i $PUBLIC_IF2 -p tcp -m tcp --dport 5190 -j ACCEPT

## Allow GTALK
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 5223 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF2 -p tcp -m tcp --dport 5223 -j ACCEPT

# Allow rsync
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 873 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 873 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF2 -p tcp -m tcp --dport 873 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF2 -p udp -m udp --dport 873 -j ACCEPT

# Allow twinkle, ekiga
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m udp --dport 5060 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF2 -p tcp -m udp --dport 5060 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 1720 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF2 -p tcp -m tcp --dport 1720 -j ACCEPT

#Allow gizmo
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m udp --dport 64064 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m udp --dport 5004 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m udp --dport 5005 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF2 -p tcp -m udp --dport 64064 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF2 -p tcp -m udp --dport 5004 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF2 -p tcp -m udp --dport 5005 -j ACCEPT
```

```
iptables-save

# Generated by iptables-save v1.4.2 on Fri May  8 23:23:14 2009
*nat
:PREROUTING ACCEPT [3853377:673318868]
:POSTROUTING ACCEPT [21021484:997694068]
:OUTPUT ACCEPT [21021871:997752844]
COMMIT
# Completed on Fri May  8 23:23:14 2009
# Generated by iptables-save v1.4.2 on Fri May  8 23:23:14 2009
*mangle
:PREROUTING ACCEPT [238682729:183822721928]
:INPUT ACCEPT [237286026:183384293827]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [180586904:33233434715]
:POSTROUTING ACCEPT [180654189:33257691548]
COMMIT
# Completed on Fri May  8 23:23:14 2009
# Generated by iptables-save v1.4.2 on Fri May  8 23:23:14 2009
*filter
:INPUT DROP [2:710]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [49014245:5420747013]
-A INPUT -i ! eth2 -j ACCEPT
-A INPUT -i ! eth0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -i eth2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --ports 53309:53317 -j ACCEPT
-A INPUT -i eth2 -p udp -m udp -m multiport --ports 53309:53317 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --ports 53309:53317 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp -m multiport --ports 53309:53317 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 33123 -j ACCEPT
-A INPUT -i eth2 -p udp -m udp --dport 33123 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 33123 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 33123 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 8726 -j ACCEPT
-A INPUT -i eth2 -p udp -m udp --dport 8730 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8726 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 8730 -j ACCEPT
-A INPUT -i eth2 -p udp -m udp --dport 16687 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 16687 -j ACCEPT
-A INPUT -i eth2 -p udp -m udp --dport 6891 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 6891 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 1863 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1863 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 5223 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5223 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 873 -j ACCEPT
-A INPUT -i eth2 -p udp -m udp --dport 873 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 873 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 873 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 2111 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 2111 -j ACCEPT
COMMIT
# Completed on Fri May  8 23:23:14 2009
```

As you can see, it shows eth0 and eth2. In myfirewall there are only the interfaces eth2 and wlan0. Why does iptables-save show eth0 and eth2 instead of eth2 and wlan0? Can't seem to figure out what's going on.

Also, the ports 5060 and 1720 don't appear at all. 

I tried to start, stop, start, and even restart, but it didn't help at all.

Last edited by queen on Mon May 11, 2009 11:02 am; edited 1 time in total

----------

## Hu

What runs /sbin/myfirewall?  Are you sure it has been run?  I see nothing obvious that would prevent it from clearing the iptables rules, but your output from iptables-save clearly shows that the rules set by /sbin/myfirewall are not the active ones.

What do you mean you tried start, stop, restart?

What is the output of nl /var/lib/iptables/rules-save ; rc-update show | nl?

----------

## queen

 *Hu wrote:*   

> What runs /sbin/myfirewall?  Are you sure it has been run?  I see nothing obvious that would prevent it from clearing the iptables rules, but your output from iptables-save clearly shows that the rules set by /sbin/myfirewall are not the active ones.
> 
> What do you mean you tried start, stop, restart?
> 
> What is the output of nl /var/lib/iptables/rules-save ; rc-update show | nl?

 

/sbin/myfirewall rules appear in the first output above. 

Tried to start, stop, restart means that I ran

```
/etc/init.d/iptables start
/etc/init.d/iptables stop
/etc/init.d/iptables start
```

OR 

```
/etc/init.d/iptables restart 
```

```
nl /var/lib/iptables/rules-save ; rc-update show | nl

     1  # Generated by iptables-save v1.4.2 on Fri May  8 22:52:48 2009
     2  *nat
     3  :PREROUTING ACCEPT [3853328:673312038]
     4  :POSTROUTING ACCEPT [21021189:997675151]
     5  :OUTPUT ACCEPT [21021576:997733927]
     6  COMMIT
     7  # Completed on Fri May  8 22:52:48 2009
     8  # Generated by iptables-save v1.4.2 on Fri May  8 22:52:48 2009
     9  *mangle
    10  :PREROUTING ACCEPT [238677780:183818449520]
    11  :INPUT ACCEPT [237281099:183380022929]
    12  :FORWARD ACCEPT [0:0]
    13  :OUTPUT ACCEPT [180582575:33232748065]
    14  :POSTROUTING ACCEPT [180649860:33257004898]
    15  COMMIT
    16  # Completed on Fri May  8 22:52:48 2009
    17  # Generated by iptables-save v1.4.2 on Fri May  8 22:52:48 2009
    18  *filter
    19  :INPUT DROP [2:710]
    20  :FORWARD DROP [0:0]
    21  :OUTPUT ACCEPT [49009916:5420060363]
    22  [22465224:19938969568] -A INPUT -i ! eth2 -j ACCEPT
    23  [41446079:24580440085] -A INPUT -i ! eth0 -j ACCEPT
    24  [0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    25  [0:0] -A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
    26  [0:0] -A INPUT -i eth2 -p udp -m udp --dport 53 -j ACCEPT
    27  [0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 53 -j ACCEPT
    28  [0:0] -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
    29  [0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
    30  [0:0] -A INPUT -i eth2 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --ports 53309:53317 -j ACCEPT
    31  [0:0] -A INPUT -i eth2 -p udp -m udp -m multiport --ports 53309:53317 -j ACCEPT
    32  [0:0] -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --ports 53309:53317 -j ACCEPT
    33  [0:0] -A INPUT -i eth0 -p udp -m udp -m multiport --ports 53309:53317 -j ACCEPT
    34  [0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 33123 -j ACCEPT
    35  [0:0] -A INPUT -i eth2 -p udp -m udp --dport 33123 -j ACCEPT
    36  [0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 33123 -j ACCEPT
    37  [0:0] -A INPUT -i eth0 -p udp -m udp --dport 33123 -j ACCEPT
    38  [0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 8726 -j ACCEPT
    39  [0:0] -A INPUT -i eth2 -p udp -m udp --dport 8730 -j ACCEPT
    40  [0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 8726 -j ACCEPT
    41  [0:0] -A INPUT -i eth0 -p udp -m udp --dport 8730 -j ACCEPT
    42  [0:0] -A INPUT -i eth2 -p udp -m udp --dport 16687 -j ACCEPT
    43  [0:0] -A INPUT -i eth0 -p udp -m udp --dport 16687 -j ACCEPT
    44  [0:0] -A INPUT -i eth2 -p udp -m udp --dport 6891 -j ACCEPT
    45  [0:0] -A INPUT -i eth0 -p udp -m udp --dport 6891 -j ACCEPT
    46  [0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 1863 -j ACCEPT
    47  [0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 1863 -j ACCEPT
    48  [0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 5223 -j ACCEPT
    49  [0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 5223 -j ACCEPT
    50  [0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 873 -j ACCEPT
    51  [0:0] -A INPUT -i eth2 -p udp -m udp --dport 873 -j ACCEPT
    52  [0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 873 -j ACCEPT
    53  [0:0] -A INPUT -i eth0 -p udp -m udp --dport 873 -j ACCEPT
    54  [0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 2111 -j ACCEPT
    55  [0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 2111 -j ACCEPT
    56  COMMIT
    57  # Completed on Fri May  8 22:52:48 2009
     1   * Broken runlevel entry: /etc/runlevels/boot/rarpd
     2   * Broken runlevel entry: /etc/runlevels/default/hplip
     3   * Broken runlevel entry: /etc/runlevels/default/vmware
     4             alsasound | boot
     5                 atftp |
     6              bootmisc | boot
     7               checkfs | boot
     8             checkroot | boot
     9                 clock | boot
    10           consolefont | boot
    11           crypto-loop |
    12                 cupsd |      default
    13                  dbus |      default
    14               deluged |
    15         device-mapper |
    16               dmcrypt |
    17              dmeventd |
    18               dnsextd |
    19                esound |
    20            fancontrol |
    21                  fuse |
    22                   gpm |
    23                  hald |      default
    24                hdparm |
    25              hostname | boot
    26               hotplug |      default
    27             ip6tables |
    28                 iperf |
    29              iptables |      default
    30                irexec |
    31               keymaps | boot
    32                kismet |
    33                 lircd |
    34                lircmd |
    35                  lisa |
    36            lm_sensors |
    37                 local |      default nonetwork
    38            localmount | boot
    39                 mdnsd |
    40    mDNSResponderPosix |
    41       mit-krb5kadmind |
    42           mit-krb5kdc |
    43              mldonkey |
    44               modules | boot
    45                  mrtg |
    46                 mysql |
    47          mysqlmanager |
    48           mythbackend |
    49                   nas |
    50              net.eth0 |
    51                net.lo | boot
    52              netmount |      default
    53                  nscd |
    54               numlock |
    55                   p0f |
    56               pciparm |
    57                 pcscd |
    58         pg_autovacuum |
    59            portsentry |
    60            postgresql |
    61               pwcheck |
    62             pydoc-2.4 |
    63             pydoc-2.5 |
    64               reslisa |
    65             rmnologin | boot
    66                rsyncd |
    67             saslauthd |
    68                 slapd |
    69                slurpd |
    70                 snmpd |
    71             snmptrapd |
    72                  sshd |
    73              svnserve |
    74             syslog-ng |      default
    75        udev-postmount |
    76               urandom | boot
    77               vboxdrv |      default
    78            vixie-cron |      default
    79          vmware-tools |
    80     vqmanager-service |
    81                   xdm |      default
    82                xinetd |
```

----------

## Hu

 *queen wrote:*   

> /sbin/myfirewall rules appear in the first output above.

 

I am not sure what you mean by this.  I see you provided the contents of /sbin/myfirewall in your original post, but I disagree that its effects are reflected in your active rule set.

 *queen wrote:*   

> tried to start, stop restart means that I ran 
> 
> ```
> 
> /etc/init.d/iptables start 
> ...

 

Unless you have hacked /etc/init.d/iptables, it will load the contents of /var/lib/iptables/rules-save, not run some custom firewall script.  Your dump of the saved rules is exactly consistent with the active rules.  Run /sbin/myfirewall ; /etc/init.d/iptables save to non-atomically replace your active rules by using the custom script, then save them in the standard place so that the iptables init script loads them on startup.
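The diagnosis above rests on one comparison: the active rules (`iptables-save`) versus the saved file that the init script loads (`/var/lib/iptables/rules-save`), which differ only in timestamps and packet counters. The script below is an added example, not code from the thread or from Gentoo's init scripts; it turns that comparison into a repeatable check by stripping the volatile parts and diffing. The three dumps inside it are constructed samples modelled on the output posted above (the `ACTIVE`, `SAVED` and `WANTED` names and the helper functions are this example's own).

```shell
#!/bin/sh
# Added example: is the active ruleset the one in /var/lib/iptables/rules-save,
# and is it the one the custom script was meant to produce?
# On a real box feed in:  iptables-save  and  cat /var/lib/iptables/rules-save

# Strip what legitimately differs between two dumps of the same policy:
# the "# Generated"/"# Completed" timestamp comments, the per-rule
# [pkts:bytes] counters rules-save writes in front of each rule, and the
# policy counters at the end of each chain line.
normalize_rules() {
    sed -e '/^# Generated by/d' \
        -e '/^# Completed on/d' \
        -e 's/^\[[0-9]*:[0-9]*\] //' \
        -e 's/ \[[0-9]*:[0-9]*\]$//'
}

# Exit status 0 when both dumps describe the same policy, 1 otherwise.
same_policy() {
    a=$(printf '%s\n' "$1" | normalize_rules)
    b=$(printf '%s\n' "$2" | normalize_rules)
    [ "$a" = "$b" ]
}

# Print the rules present in the second dump but absent from the first.
missing_rules() {
    t="${TMPDIR:-/tmp}"
    printf '%s\n' "$1" | normalize_rules | sort > "$t/have.$$"
    printf '%s\n' "$2" | normalize_rules | sort > "$t/want.$$"
    comm -13 "$t/have.$$" "$t/want.$$"
    rm -f "$t/have.$$" "$t/want.$$"
}

# Constructed sample: the active rules, as iptables-save prints them.
ACTIVE='# Generated by iptables-save v1.4.2 on Fri May  8 23:23:14 2009
*filter
:INPUT DROP [2:710]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [49014245:5420747013]
-A INPUT -i ! eth2 -j ACCEPT
-A INPUT -i ! eth0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Fri May  8 23:23:14 2009'

# Constructed sample: the saved file, same policy, older timestamp, counters kept.
SAVED='# Generated by iptables-save v1.4.2 on Fri May  8 22:52:48 2009
*filter
:INPUT DROP [2:710]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [49009916:5420060363]
[22465224:19938969568] -A INPUT -i ! eth2 -j ACCEPT
[41446079:24580440085] -A INPUT -i ! eth0 -j ACCEPT
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Fri May  8 22:52:48 2009'

# Constructed sample: what the custom script intends (wlan0 rather than eth0).
WANTED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i ! eth2 -j ACCEPT
-A INPUT -i ! wlan0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

active_matches_saved()  { same_policy "$ACTIVE" "$SAVED"; }
active_matches_wanted() { same_policy "$ACTIVE" "$WANTED"; }
count_missing()         { missing_rules "$ACTIVE" "$WANTED" | wc -l | tr -d ' '; }

if active_matches_saved; then
    echo "active rules == rules-save: the init script loaded the saved file, not the script"
fi
if ! active_matches_wanted; then
    echo "active rules differ from the custom script; rules not loaded:"
    missing_rules "$ACTIVE" "$WANTED"
fi
```

With the sample data the first check succeeds and the second reports the `-i ! wlan0` rule as missing, which is exactly the situation in the thread: the saved file, not `/sbin/myfirewall`, is what `/etc/init.d/iptables start` restores. After running the script and `/etc/init.d/iptables save`, re-running both comparisons with live output should make the second one pass too.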

----------

## queen

 *Hu wrote:*   

>  *queen wrote:*   /sbin/myfirewall rules appear in the first output above. 
> 
> I am not sure what you mean by this.  I see you provided the contents of /sbin/myfirewall in your original post, but I disagree that its effects are reflected in your active rule set.
> 
>  *queen wrote:*   tried to start, stop restart means that I ran 
> ...

 

I didn't hack iptables. All I want is for the /sbin/myfirewall rules to take effect. But I found some mistakes. It was a mistake in the rules which prevented it from being saved properly. The mistake was:

```
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m udp --dport 5060 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF2 -p tcp -m udp --dport 5060 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 1720 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF2 -p tcp -m tcp --dport 1720 -j ACCEPT
```

instead of 

```
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 5060 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF2 -p udp -m udp --dport 5060 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 1720 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF2 -p tcp -m tcp --dport 1720 -j ACCEPT
```

After correcting it I ran /sbin/myfirewall, /etc/init.d/iptables save and /etc/init.d/iptables restart, and everything looks OK now.

Thank you.
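The mistake found in the last post, `-p tcp` combined with `-m udp`, also sits on the gizmo lines (ports 64064, 5004 and 5005) of the script in the first post. A rule like that is rejected when it is loaded, because the udp match is only valid for `-p udp`, and a plain `/bin/sh` script without `set -e` carries on past the error, so the port quietly never opens. The lint below is an added example, not code from the thread: it flags every active line of a firewall script whose `-p` protocol disagrees with its `-m tcp`/`-m udp` match. The `SAMPLE` script text is constructed for the demonstration and the function names are this example's own.

```shell
#!/bin/sh
# Added example: pre-flight lint for a firewall script such as /sbin/myfirewall.
# Reports lines where -p <proto> and -m tcp|udp disagree, which iptables
# refuses to load.

# Print "<line number>: <line>" for every non-comment line whose -p protocol
# differs from the -m tcp / -m udp match module on the same line.
# Other match modules (-m state, -m multiport, -m icmp, ...) are ignored.
lint_proto_match() {
    awk '
        /^[[:space:]]*#/ { next }        # commented-out rules never run
        {
            proto = ""; mod = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "-m" && ($(i + 1) == "tcp" || $(i + 1) == "udp")) mod = $(i + 1)
            }
            if (proto != "" && mod != "" && proto != mod) print NR ": " $0
        }'
}

# Same check against a real file:  lint_file /sbin/myfirewall
lint_file() { lint_proto_match < "$1"; }

# Constructed sample script: three good rules, two with the mismatch, and one
# commented-out mismatch that must be ignored.
SAMPLE='#!/bin/sh
IPTABLES=/sbin/iptables
PUBLIC_IF="wlan0"
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 5060 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m udp --dport 5060 -j ACCEPT
#$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m udp --dport 5004 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp -m multiport --ports 53309:53317 --syn -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m udp --dport 64064 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 1720 -j ACCEPT'

# Number of offending lines in the sample.
count_mismatches() { printf '%s\n' "$SAMPLE" | lint_proto_match | wc -l | tr -d ' '; }

printf '%s\n' "$SAMPLE" | lint_proto_match
```

On the sample the lint prints lines 5 and 8, the two `-p tcp -m udp` rules, and stays silent on the commented-out one and on `-m multiport`. Running `lint_file /sbin/myfirewall` before `/etc/init.d/iptables save` catches this class of mistake before a half-applied ruleset gets persisted.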

----------

