I've been testing applying a rule set to my server and re-importing it to see what happens. Here's a very simplified version of the rules that I applied:
When I apply it and re-import it (using "iptables-save import"), my rules are changed to:
There's two issues that I'm seeing at play:
- If a rule has the same Source and Destination, but different Services, they are merged into a single row. Even if there's a unique comment on each item.
- If you enable logging on the default Catch-All rule, it changes the jump target from DROP to a :FWCRULE####.LOG chain. The import function isn't able to recognize that this is a Catch-All jump chain and update the logging flag on the new rule. Instead it inserts it as an additional rule.
Here's the raw iptables export from the first screenshot with all of the settings in place:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:FWCRULE136.LOG - [0:0]
-A INPUT -m comment --comment "Stateful firewall rule." -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m comment --comment "{\"fwc_rs\":\"#A5D6A7\"}Allow the loopback address access to anything." -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m comment --comment "{\"fwc_rs\":\"#A5D6A7\"}Allow FWCloud Agent access" -m tcp --dport 33033 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m comment --comment "{\"fwc_rs\":\"#A5D6A7\"}Allow SSH access" -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m comment --comment "Catch-all rule." -j FWCRULE136.LOG
-A FORWARD -m comment --comment "Stateful firewall rule." -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m comment --comment "Catch-all rule." -j DROP
-A OUTPUT -m comment --comment "Stateful firewall rule." -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m comment --comment "Catch-all rule." -j ACCEPT
-A FWCRULE136.LOG -m limit --limit 1/sec -j LOG --log-prefix "RULE ID 136 [DROP] " --log-level 6
-A FWCRULE136.LOG -j DROP
COMMIT
Here's the iptables export without the logging jump chain for the Catch-All rule. This will allow an import without the duplicated Catch-All, but also without logging:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m comment --comment "Stateful firewall rule." -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m comment --comment "{\"fwc_rs\":\"#A5D6A7\"}Allow the loopback address access to anything." -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m comment --comment "{\"fwc_rs\":\"#A5D6A7\"}Allow FWCloud Agent access" -m tcp --dport 33033 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m comment --comment "{\"fwc_rs\":\"#A5D6A7\"}Allow SSH access" -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m comment --comment "Catch-all rule." -j DROP
-A FORWARD -m comment --comment "Stateful firewall rule." -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m comment --comment "Catch-all rule." -j DROP
-A OUTPUT -m comment --comment "Stateful firewall rule." -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m comment --comment "Catch-all rule." -j ACCEPT
COMMIT
Thanks,
Jeremy
