Backup Configuration Include Firewall Rules?

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Bugsysiegals
DD-WRT Novice


Joined: 15 Apr 2018
Posts: 40

PostPosted: Fri Dec 07, 2018 14:23    Post subject: Backup Configuration Include Firewall Rules? Reply with quote
I've a huge amount of configuration on my router and have recently been working with iptables to secure my security cameras, etc. During this process, I'm seeing all kinds of iptables rules I don't think should be there. I'd like to flash back to default, see what the default iptables rules are, slowly add back in settings, and keep an eye on how iptables rules change over time so I can better understand what should and should not be present.

All that said, if I use Administration > Backup Configuration and hard reset, will a restore of this file bring back everything or are there things it doesn't backup?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 2677
Location: UK, London, just across the river..

PostPosted: Fri Dec 07, 2018 16:52    Post subject: Reply with quote
There are some default iptables rules even after a restart. There is also a moment when those rules are created: when you have WAN access. If you flash the router without a WAN, they are not created until then...
In relation to isolating an IP webcam to local use only, there is a rule for it so they will not spam outside of your network...
iptables -I FORWARD -i br0 -o $(nvram get wan_iface) -p tcp -s <ip of camera> -j DROP

_________________
Atheros
TP-Link WR1043NDv2 ------DD-WRT 40009 BS (AP,PPPoE,NAT,AD Blocking,AP Isolation,Firewall,Local DNS,Forced DNS,Stubby DoT)
TP-Link WR1043NDv2 ------DD-WRT 40048 BS (AP,NAT,AD Blocking,Firewall,Wi-Fi OFF,Local DNS,Forced DNS,DoT)
TP-Link WR1043NDv2.......... Gargoyle OS 1.11.0 (AP,NAT,QoS,Quotas)
Qualcomm/IPQ8065
Netgear R7800 ------------DD-WRT 39855M 4.9 Kong (AP,NAT,AD-Blocking,AP Isolation,Firewall,Local DNS,Forced DNS,DNSCrypt x2)
Broadcom
Netgear R7000 ---------DD-WRT 39960M Kong (AP,NAT,AD-Blocking,Firewall,Local DNS,Forced DNS)
Others
Netgear ProSAFE-GS105Ev2 ----(LAN Switch)

----------------------------------------------------------------------------------------------------
Stubby for DNS over TLS
Bugsysiegals
DD-WRT Novice


Joined: 15 Apr 2018
Posts: 40

PostPosted: Fri Dec 07, 2018 18:58    Post subject: Reply with quote
Thanks for sharing the firewall rule, I'll have to try it later.

Since I have so many rules, I'm afraid about the sequence of them ... is there a way I can validate I have it right by looking in the logs or would I need to post the rules here and have a guru confirm?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 2677
Location: UK, London, just across the river..

PostPosted: Sat Dec 08, 2018 8:50    Post subject: Reply with quote
well... yes, there is a specific order in which they get executed and work, so if they are not organised well they might not be executed

To check iptables rules, type iptables -vnL and the chain you want to see, or just the bare command will show you all the rules at once

You can also choose which rule comes after another by adding a number to it, like this for example

iptables -I INPUT 1 -i vlan2 -m state --state NEW -j REJECT

In my case I don't use numbers, but I know I should.
For more info:
https://wiki.dd-wrt.com/wiki/index.php/Iptables_command

just don't use different save files on different builds...



Last edited by Alozaros on Sat Dec 08, 2018 18:25; edited 2 times in total
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 4503
Location: Texas

PostPosted: Sat Dec 08, 2018 12:31    Post subject: Re: Backup Configuration Include Firewall Rules? Reply with quote
Bugsysiegals wrote:
...if I use Administration > Backup Configuration and hard reset, will a restore of this file bring back everything or are there things it doesn't backup?

An nvram backup through the GUI should save/restore everything just as the router was .....
..... BUT -- it will NOT restore a WAN MAC address if you use WAN MAC clone.
Bugsysiegals
DD-WRT Novice


Joined: 15 Apr 2018
Posts: 40

PostPosted: Sat Dec 08, 2018 19:36    Post subject: Reply with quote
I’ve backed up NVRAM variables before and tried to restore them, same build, with no success ... I’m guessing since firewall rules aren’t stored in the variables but rather the /tmp/.ipt file.

I’ve also taken backups using the GUI but never tried to restore so only assume the firewall rules are backed up....
d0ug
DD-WRT Guru


Joined: 31 Jul 2015
Posts: 696

PostPosted: Sun Dec 09, 2018 0:04    Post subject: Reply with quote
Bugsysiegals wrote:
I’ve backed up NVRAM variables before and tried to restore them, same build, with no success ... I’m guessing since firewall rules aren’t stored in the variables but rather the /tmp/.ipt file.

I’ve also taken backups using the GUI but never tried to restore so only assume the firewall rules are backed up....


Anything in /tmp is cleared and recreated whenever the router reboots; /tmp is a RAM disk. The contents of any files there that persist between reboots are stored in nvram to be written out to files as the router boots, so those values should be somewhere in your nvram. In theory a backup from the GUI should have the values. The other option is to pipe all your nvram values out to a file (nvram show > /tmp/nvram.txt) and then transfer it off the router. You could then set individual values back with the nvram set command, or create a script to parse the nvram.txt file and insert all the values. Note that the actual byte-for-byte file contents may not actually exist in nvram, but the values used to rebuild the files through the scripts/processes that DD-WRT uses to build the files will exist.
Wildlion
DD-WRT User


Joined: 24 May 2016
Posts: 426

PostPosted: Sun Dec 09, 2018 18:31    Post subject: Reply with quote
The information from Administration->Commands is stored in nvram and is backed up.... I am looking at some from a build right now. If you are doing that, it should work; if you are manually adding them via the command line, then no.

You can always try to do a back up and then search the file, or from command line do a
Code:

nvram get rc_firewall


and see if your rules are there
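To make d0ug's suggestion (dump nvram to a file and script the values back) and Wildlion's check (look at rc_firewall) concrete, here is an added example that is not code from the thread or from DD-WRT. It assumes `nvram show` prints one `key=value` per line with multi-line values printed raw; the sample dump and its addresses are constructed.

```shell
#!/bin/sh
# Added example (not posted in the thread): helpers for a dump made with
# `nvram show > /tmp/nvram.txt`. Assumption: one `key=value` per line, with a
# value that holds newlines (rc_firewall usually does) printed raw, so a line
# that does not start with `key=` continues the previous value. A value line
# that itself looks like `key=...` is ambiguous and would be split wrongly.
NL=$(printf '\n.'); NL=${NL%.}          # a literal newline for string building

# Constructed sample standing in for a real nvram.txt (values are made up).
SAMPLE_DUMP=$(cat <<'EOF'
wan_iface=vlan2
wan_hostname=bugsy's-router
rc_firewall=iptables -I FORWARD -i br0 -o vlan2 -p tcp -s 192.0.2.50 -j DROP
iptables -I INPUT 1 -i vlan2 -m state --state NEW -j REJECT
lan_ipaddr=192.168.1.1
EOF
)

# Read a dump from stdin and call "$1 KEY VALUE" once per record.
walk_records() {
    key=''; val=''
    while IFS= read -r line || [ -n "$line" ]; do
        k=${line%%=*}
        case $line in
            *=*) case $k in
                     ''|*[!A-Za-z0-9_.:-]*) val="$val$NL$line" ;;   # '=' inside a value
                     *) if [ -n "$key" ]; then "$1" "$key" "$val"; fi
                        key=$k; val=${line#*=} ;;
                 esac ;;
            *) val="$val$NL$line" ;;                               # continuation line
        esac
    done
    if [ -n "$key" ]; then "$1" "$key" "$val"; fi
}

# Handler: one single-quoted `nvram set`, safe for values holding ' or newlines.
emit_set() {
    printf "nvram set %s='%s'\n" "$1" "$(printf '%s' "$2" | sed "s/'/'\\\\''/g")"
}

# Dump on stdin -> restore script on stdout (review it before running it on the router).
restore_script() { walk_records emit_set; echo 'nvram commit'; }

# Print one key's value from the dump, as `nvram get KEY` would on the router.
print_if_match() { if [ "$1" = "$WANT" ]; then printf '%s\n' "$2"; fi; }
nvram_value() { WANT=$1; walk_records print_if_match; }

# The saved rules, one per line, to compare against `iptables -vnL` after a restore.
printf '%s\n' "$SAMPLE_DUMP" | nvram_value rc_firewall
```

Run `restore_script < nvram.txt > restore.sh` off the router, diff `nvram_value rc_firewall` against what `iptables -vnL` shows after the reset, and only then run restore.sh on the router.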
All times are GMT