Where are my iptables?

I ran the code:

iptables-save -t nat -A PREROUTING -d 79.3.191.226 -j DNAT --to-destination 192.168.0.14

But I don't know if it worked since I cannot find the iptables file inside my directory.

Where is the iptables script located?

2

2 Answers

That is not how you use iptables-save

Without any optins it dumps the rules to your terminal, you have to re-direct.

iptables-save > /etc/iptables.rules

On Ubuntu you should probably be using ufw

see

If you want to set up a router/firewall and need to ask questions, you really shouldn't use iptables and instead use ufw (that support both IPv6 and IPv4) for a single server machine connected to internet through another routers DMZ mechanism or directly to internet and doesn't route any trafic. Or shorewall (supports only IPv4, use shorewall6 for the IPv6) for a routing machine. Setting up a firewall from scratch is complicated and prone to error. Just set up one of the firewall tools shorewall or the simpler and less functional ufw and look at how they set up iptables and you'll see why.

Both are not that hard to set up correctly and secure. Using iptable is much harder and demands knowleged about a lot of RFC:s, like RFC1918 for IPv4 and a lot more.

The firewall frontend shorewall is designed to be used in a firewall macine and your LAN and are quite easy to set up for that, at least compared to iptable. You only need to copy some files from /usr/share/doc/shorewall/examples/ to /etc/shorewall/, modify them and then run shorewall --check (if I remember right) to check the syntax and some semantics before start it.

The same with ufw, though it isn't designed for forwarding and NAT, just to protect servers and clients. But for that, it's easy and very usefull. You can set it up on a forwarding router, but then you need to manually add some iptable NAT rules so your machines in your local LAN can reach Internet through the router. You also might want to add a DMZ for your public servers, and remember to always protect those servers with ufw, which ufw is designed for. Best to use a separate LAN on another ethernet interface on your router.

Do try to avoid running extra servers on your routing machine, as it will possible open some more "attack vectors" against your router for hackers to use. And use nmap from different machines to check your routers firewall, to see what is open from outside and from inside.

Both nmap and wireshark is essential tools for a router/firewall administrator. Always check your settings. An open router/firewall will be exploid very fast.

Don't forget to look in the man pages for each command and package documentations in /usr/share/doc/package name/.

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like