26

Is there a way to move a rule in the iptables and change it position ? I'm aware i can use -I to insert a rule in a specific position, but i also like to keep the counters.

Improve this question

5 Answers 5

Reset to default
45

You can also do following

  1. Write the output of iptables-save to a file: iptables-save > /tmp/iptables.txt
  2. Edit this file with a text editor, move whichever line you want.
  3. Reload the file: iptables-restore < /tmp/iptables.txt
Improve this answer
1
  • 3
    slaps forehead Commented Aug 9, 2022 at 4:31
11

No, you cannot move a rule. However, you can set the counter for any rule you add/insert/replace (using the -c or --set-counters parameter). So you could check the current count, delete the rule and reinsert it with the old count value.

Improve this answer
6

To see what you have and what you want to change you first need to do some examination.

  1. Check for counters and write these somewhere so you can enter them later. 
    iptables-save -c
  2. Check for the line you want to replace / reposition using 
    iptables -L -v -n --line-n
  3. Write the rule in the designated CHAIN and add the counters explained in step on. For example. 
    iptables -R INPUT 5 -i virbr0 -p udp -m udp -c 3441 472271 --dport 53 -j ACCEPT -m comment --comment "Some comment"

Meaning of -c

-c [packets:bytes]

The above iptables rule will be entered on line 5.

You can save the current iptables (and counters) by doing

iptables-save -c -f /somepath/iptrules-$(date +%F)
Improve this answer
1
  • use ip6tables instead if you're (also) dealing with ipv6 Commented Jun 30, 2022 at 5:45
1

Display iptables lines number:

iptables -L --line-numbers -n

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  192.6.3.2            anywhere            
2    ACCEPT     all  --  192.6.3.1            anywhere            
3    ACCEPT     all  --  192.6.3.0            anywhere

Let's say that you want to move the rule Nb 3 to the rule Nb 2 do this:

iptables -I INPUT 2 -s 192.6.3.0 -j ACCEPT

-I: to insert

INPUT: Name of the chain

2: Position number where you want to insert the chain

-s 192.6.3.0 -j ACCEPT: rule to insert at the position number

Delete your old rule Nb 3 which is now in position Nb 4:

iptables -D INPUT 4

As we insert a new rule, the old rule that was in the third position is now in the fourth position.

Improve this answer
3
  • I get "Bad argument `3'" with this example Commented Dec 27, 2022 at 16:07
  • My bad I get it wrong, I fix my post Commented Dec 27, 2022 at 18:14
  • I was aware of this method, but the key part was to keep the rule counter, and this is where the -c option come. So in the end I was not able to move a rule, but to reinsert it in the new position, and remove the old rule. (which mimic a rule move) Commented Dec 29, 2022 at 8:46
0

Adding to the answer from Valentin Bajrami:

if you have your current iptables rules and counters to a file using

iptables-save -c -f /somepath/iptrules-$(date +%F)

you can then modify the file with your required changes

nano /somepath/iptrules-$(date +%F)

then restore with counters by doing

iptables-restore -c /somepath/iptrules-$(date +%F)

Both commands above could be replaced with ip6tables if you're dealing with ipv6

Improve this answer
0

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.