8

I have an ASUS RT-N16 router that I've flashed with the open-source DD-WRT firmware. According to my ssh login, I'm running:

DD-WRT v24-sp2 mega (c) 2010 NewMedia-NET GmbH
Release: 08/07/10 (SVN revision: 14896)

I'd like to be able to customize the iptables rules, but before I do that, I'd like to see the output of the built-in rules that get configured when manipulating the browser/GUI interface settings. I am aware of the firewall script tab in the browser interface for entering custom firewall rules, but I can't find someplace to see the output.

On a full-blown Linux system, the iptables rules would be stored somewhere like /etc/sysconfig/iptables. Where would I find these on a DD-WRT filesystem? I can do

iptables -L -vn --line-numbers

and see them output, but what I'm looking for is more of what the iptables-save command might output... so that I can incorporate the appropriate rules into my custom script.

I understand that this build does not have an iptables-save command. I don't necessarily want the command itself, just output that it generates. If there was something like /etc/sysconfig/iptables, I wouldn't care about having iptables-save. I've seen that there may be different builds of DD-WRT that give something like iptables-save, but I'm not at the point where I'm ready or willing to flash the router again. Maybe as a last resort.

EDIT: The usual Linux locations for startup scripts and the like, (e.g., /etc/init.d, /etc/rc, ...) do not seem to have anything useful (at least in the build of DD-WRT that I have installed). For example, taking a look in /etc/init.d:

[/etc/init.d]# ll
-rwxr-xr-x    1 root     root           84 Aug  7  2010 rcS
-rwxr-xr-x    1 root     root           10 Aug  7  2010 S01dummy
[/etc/init.d]# cat rcS
#!/bin/sh
for i in /etc/init.d/S*; do
  $i start 2>&1
done | logger -s -p 6 -t '' &
[/etc/init.d]# cat S01dummy
#!/bin/sh
PattMauler
  • 373
  • 1
  • 3
  • 10
  • Hmmm ... I withdrew my answer. Is there an rc.local? What does a **grep -ril iptables /etc/. ** yield? – tink May 14 '13 at 20:25

3 Answers3

6

Looking in

/tmp/.ipt
/tmp/.rc_firewall

gives exactly what I was looking for: the iptables rules as they would normally be in a file like /etc/sysconfig/iptables.

I had earlier found this:

dd if=/dev/mem | strings | grep -i iptables

...and fortunately, it works on the pared-down DD-WRT filesystem. It didn't give precisely what I was looking for, but it output quite a bit of info I hadn't been able to pinpoint any other way (or at least not with a single command).

Still have to determine which things are actually in effect by comparing with the output of 

iptables -L -vn --line-numbers
iptables -L -vn -t nat --line-numbers
iptables -L -vn -t mangle --line-numbers

I also discovered that the grep command actually does work [my apologies for initially stating that it didn't-- I would've sworn it didn't work the last times I had tried. Mea maxima culpa.] Using grep, I found that the

/lib/services.so

also has a wealth of iptables configuration in it.

PattMauler
  • 373
  • 1
  • 3
  • 10
  • I know this is an old thread. I found some rules with `cat /tmp/.ipt` whil `telnet`ing into my DD-WRT router. Is this where the rules are loaded from on startup? – Allenph Nov 16 '16 at 04:48
5

There are many *WRT distribution variants, and different devices are set up in different ways, so I'm not sure whether this applies to your configuration, but it probably does.

The basic *WRT configuration has a read-only root filesystem, so it cannot save customizations in the filesystem. Instead, the startup loads various (variant-dependent) settings from NVRAM, which is organized as a simple list of key-value pairs. The firewall rules are stored in variant-dependent NVRAM entries. Look for one whose name contains firewall or whose value contains iptables, or some such.

Run ssh ROUTER_HOSTNAME nvram export --dump >nvram.txt to explore your router's NVRAM content at your leasure.

Gilles 'SO- stop being evil'
  • 807,993
  • 194
  • 1,674
  • 2,175
  • Thanks! I tried the exact command you gave, but got no output. After a little more Googling, I think the nvram command for this variant is `nvram show`. Replacing `export --dump` with `show` gives a pretty rich output of stuff. Unfortunately, it doesn't have the built-in SPI firewall rules in there anywhere. The closest I seem to see is `rc_firewall`, which contains the custom rules that I can supply via the browser interface. This is a start, though. I suppose the stock/default iptables rules are generated by script more-or-less 'on-the-fly' at boot-up based on other values? Maybe? – PattMauler May 15 '13 at 03:25
1

I have the same problem and I tried to create a symblink from iptables to iptables-save which was advised on their wiki page DD-WRT_V24_.26_iptables-save, but it did not work for me.

To solve this I made a shell file showing the contents of /tmp/.ipt.

/jffs/bin/iptables-save:

#!/bin/sh
cat /tmp/.ipt

NOTE: The wiki page (DD-WRT_V24_.26_iptables-save) is about "Firewall Builder" - I haven't tested this solution with "Firewall Builder".

Diblo Dk
  • 111
  • 3