Posted: Fri Dec 07, 2018 14:23 Post subject: Backup Configuration Include Firewall Rules?
I've a huge amount of configuration on my router and have recently been working with iptables to secure my security cameras, etc. During this process, I'm seeing all kinds of iptables rules I don't think should be there. I'd like to flash back to default, see what the default iptables rules are, slowly add back in settings, and keep an eye on how iptables rules change over time so I can better understand what should and should not be present.
All that said, if I use Administration > Backup Configuration and hard reset, will a restore of this file bring back everything or are there things it doesn't backup?
Joined: 16 Nov 2015 Posts: 2820 Location: UK, London, just across the river..
Posted: Fri Dec 07, 2018 16:52 Post subject:
There are some default iptables rules even after restart; there is also a moment when those rules are created, once you have WAN access. If you flash the router without a WAN, they are not created until then...
In relation to isolating an IP web cam to local use only, there is a rule for it so they will not spam outside of your network...
iptables -I FORWARD -i br0 -o $(nvram get wan_iface) -p tcp -s <ip of camera> -j DROP
_________________
Atheros
TP-Link WR740Nv1 ------DD-WRT 33772 BS WAP/Switch (wired)
TP-Link WR1043NDv2 -----DD-WRT 41074 BS (AP,PPPoE,NAT,AD Blocking,AP Isolation,Firewall,Local DNS,Forced DNS,DoT)
TP-Link WR1043NDv2 -----DD-WRT 41075 BS (AP,NAT,AD Blocking,Firewall,Wi-Fi OFF,Local DNS,Forced DNS,DoT)
TP-Link WR1043NDv2 -----Gargoyle OS 1.11.0 (AP,NAT,QoS,Quotas)
Netgear R7800 ---------DD-WRT 40270M 4.9 Kong (AP,NAT,AD-Blocking,AP&Net Isolation,Firewall,Local DNS,Forced DNS,DNSCrypt v2 x2)
Netgear R7000 ---------DD-WRT 40270M Kong (AP,NAT,VLAN,AD-Blocking,Firewall,Local DNS,Forced DNS,DoT)
Stubby for DNS over TLS | DNSCrypt v2 via Entware by mac913
Thanks for sharing the firewall rule, I'll have to try it later.
Since I have so many rules, I'm afraid about the sequence of them ... is there a way I can validate I have it right by looking in the logs or would I need to post the rules here and have a guru confirm?
I’ve backed up NVRAM variables before and tried to restore them, same build, with no success ... I’m guessing since firewall rules aren’t stored in the variables but rather the /tmp/.ipt file.
I’ve also taken backups using the GUI but never tried to restore so only assume the firewall rules are backed up....
Anything in /tmp is cleared and recreated whenever the router reboots. /tmp is a RAM disk. The contents of any files there that persist between reboots are stored in nvram to be written out to files as the router boots, so those values should be somewhere in your nvram. In theory a backup from the GUI should have the values. The other option is to pipe all your nvram values out to a file (nvram show > /tmp/nvram.txt) and then transfer it off the router. You could then set individual values back with the nvram set command, or create a script to parse the nvram.txt file and insert all the values. Note that the actual byte-for-byte file contents may not actually exist in nvram, but values used to rebuild the files through scripts/processes that DD-WRT uses to build the files will exist.
The information from Administration->Commands is stored in nvram and is backed up.... I am looking at some from a build right now. If you are doing that it should work, if you are manually adding them via command line then no.
You can always try to do a back up and then search the file, or from command line do a