iptables-save – How to save iptables config

iptables-save, as I mentioned, is intended to save the current rule set to a file, which can then be loaded again with iptables-restore. This command is very easy to use and has only two arguments.

iptables-save [-c] [-t table]

The first argument, -c (the long form --counters is also permitted), makes iptables-save record the values of the packet and byte counters. This makes it possible to restart the firewall without losing the counters, which can be used to compute statistics. By default, when run without -c, the counters are not saved.

With -t (long form --table) you can specify the name of the table to save. If -t is not given, all tables are saved. The following is example output of iptables-save in the case where the rule set contains no rules.

# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:17 2002
*filter
:INPUT ACCEPT [404:19766]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [530:43376]
COMMIT
# Completed on Wed Apr 24 10:19:17 2002
# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:17 2002
*mangle
:PREROUTING ACCEPT [451:22060]
:INPUT ACCEPT [451:22060]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [594:47151]
:POSTROUTING ACCEPT [594:47151]
COMMIT
# Completed on Wed Apr 24 10:19:17 2002
# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:17 2002
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [3:450]
:OUTPUT ACCEPT [3:450]
COMMIT
# Completed on Wed Apr 24 10:19:17 2002

Lines beginning with # are comments. Table names begin with an asterisk (*), for example *mangle. The table name is followed by the descriptions of its chains and rules. Each chain is described by a line of the form :<chain-name> <policy> [<packets>:<bytes>], where <chain-name> is the name of the chain (e.g. PREROUTING) and <policy> is its default policy (e.g. ACCEPT). The chain description ends with the values of the packet and byte counters, the same counters you get from the command iptables -L -v. The description of each table is closed by the COMMIT keyword, which means that at this point the rule set for this table is committed to kernel space.

The example above shows the contents of an empty rule set as saved by iptables-save. Below is the result of saving a small rule set (iptables-save ruleset):

# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002
*filter
:INPUT DROP [1:229]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
[0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[0:0] -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
[0:0] -A FORWARD -i eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Apr 24 10:19:55 2002
# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002
*mangle
:PREROUTING ACCEPT [658:32445]
:INPUT ACCEPT [658:32445]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [891:68234]
:POSTROUTING ACCEPT [891:68234]
COMMIT
# Completed on Wed Apr 24 10:19:55 2002
# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002
*nat
:PREROUTING ACCEPT [1:229]
:POSTROUTING ACCEPT [3:450]
:OUTPUT ACCEPT [3:450]
[0:0] -A POSTROUTING -o eth0 -j SNAT --to-source 195.233.192.1
COMMIT
# Completed on Wed Apr 24 10:19:55 2002

This example shows the effect of the -c argument: before each rule and in the description of each chain there are numbers giving the contents of the packet and byte counters. Note that iptables-save writes the rule set to stdout, so to save it to a file the command should look something like this:

iptables-save -c > /etc/iptables-save

This command writes the entire rule set, together with the contents of the counters, to a file named /etc/iptables-save.
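As an added example that is not part of the original tutorial, here is a small Python parser for the format described above: it reads a dump such as the one written by iptables-save -c, collects each table's chains with their policies and counters and each rule with its counters, rejects a table that lacks a closing COMMIT, and lists chains whose default policy is ACCEPT so a saved file can be reviewed before iptables-restore loads it. The SAMPLE dump is constructed for this example and the function names are my own.

```python
import re
# Constructed sample in the iptables-save format described above (saved with -c).
SAMPLE = """\
# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002
*filter
:INPUT DROP [1:229]
:OUTPUT DROP [0:0]
[0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [1:229]
:POSTROUTING ACCEPT [3:450]
[0:0] -A POSTROUTING -o eth0 -j SNAT --to-source 195.233.192.1
COMMIT
"""
# ":<chain> <policy> [<packets>:<bytes>]"; user-defined chains carry policy "-".
CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")
# "[<packets>:<bytes>] -A <chain> ..."; the counter prefix is absent without -c.
RULE_RE = re.compile(r"^(?:\[(\d+):(\d+)\] )?(-A \S+ .*)$")

def parse_iptables_save(text):
    # Returns {table: {"chains": {name: {...}}, "rules": [...], "committed": bool}}.
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comment lines only carry the timestamp
        if line.startswith("*"):
            current = line[1:]
            tables[current] = {"chains": {}, "rules": [], "committed": False}
        elif current is None:
            raise ValueError(f"line outside any table: {line}")
        elif line == "COMMIT":
            tables[current]["committed"] = True
        elif m := CHAIN_RE.match(line):
            name, policy, pkts, byts = m.groups()
            tables[current]["chains"][name] = {"policy": policy, "packets": int(pkts), "bytes": int(byts)}
        elif m := RULE_RE.match(line):
            pkts, byts, rule = m.groups()
            tables[current]["rules"].append({"packets": int(pkts or 0), "bytes": int(byts or 0), "rule": rule})
        else:
            raise ValueError(f"unrecognised line: {line}")
    missing = [t for t, v in tables.items() if not v["committed"]]
    if missing:  # a table without COMMIT would never reach the kernel on restore
        raise ValueError(f"tables without COMMIT: {missing}")
    return tables

def accept_policy_chains(tables):
    # Audit helper: (table, chain) pairs whose default policy is ACCEPT.
    return [(t, c) for t, v in tables.items() for c, d in v["chains"].items() if d["policy"] == "ACCEPT"]
```

Point parse_iptables_save at the contents of /etc/iptables-save to check a real dump; the helper returns an empty list when every chain already defaults to DROP.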