Linux – How to find out where the IPTables rules are being stored


I'm working on a Debian server and I'm trying to figure out where my iptables rules are being stored.

From looking around on the internet I've found there are generally two locations where these are usually saved. suggests /etc/network/if-up.d/iptables but that file does not exist in that directory. /etc/sysconfig/iptables but the /etc/sysconfig directory doesn't even exist.

From what I know it isn't too uncommon for the previous administrator to save common files to a different location for security purposes, and I was wondering if there was a way for me to find out where the rules are being saved when the iptables-save command is used. This page also states that the file is restored using the script located at /etc/init.d/iptables, but this also does not exist.

Any help or suggestions as far as how to proceed to find out where the rules are being saved? I know I can try and use grep to find a rare string which would be located in the rules, but I feel there has to be a simpler and more direct method.


Thank you for all of your help. I tried using grep to search the /etc directory but it took a very long time and I didn't want to risk running out of memory, so I stopped it. I figured I'd try using strace as a less intensive method.

From looking through the strace I've come to the lines (I changed the IP address to

```
open("/etc/protocols", O_RDONLY|O_CLOEXEC) = 5
fstat64(5, {st_mode=S_IFREG|0644, st_size=2859, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7747000
read(5, "# Internet (IP) protocols\n#\n# Up"..., 4096) = 2859
close(5)                                = 0
munmap(0xb7747000, 4096)                = 0
write(1, "-A net2fw -s -p t"..., 66) = 66
```

I'm not 100% sure what this is doing, but it looks like to me that this is where it uses protocol #5 from the file /etc/protocols which would be:

`st 5 ST # ST datagram mode`

reading the file stats of some file and then mapping what it reads to a memory location 0xb7747000. I'm unsure where it is reading from but then it closes the protocol, unmaps from memory and then writes the rule to file descriptor 1.

How close am I to reading this correctly? And how would I find out the file represented by 1?

Best Answer

iptables-persistent wheezy package saves the rules in /etc/iptables/rules.v4.

You could view the source of the package here:
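As an added example (not part of the question or the answer above), the following POSIX shell functions check the candidate rule-file locations named on this page, including the iptables-persistent path from the answer, and list any script under /etc that calls iptables-restore, since that hook normally names the saved file it reloads. The root-directory argument is an assumption added so the functions can be run against a constructed tree instead of the live system.

```shell
#!/bin/sh
# Added example: locate persisted iptables rule files on a Debian-style host.
# Candidate paths are the ones discussed on this page; the ROOT argument is an
# assumption so the check can be pointed at a test tree (default: /).

# Candidate persistence files, in the order an admin would check them.
IPTABLES_CANDIDATES="
etc/iptables/rules.v4
etc/iptables/rules.v6
etc/network/if-up.d/iptables
etc/network/if-pre-up.d/iptables
etc/sysconfig/iptables
etc/init.d/iptables
"

# find_iptables_rule_files [ROOT]
# Prints every candidate that exists under ROOT, one per line.
# Returns 0 if at least one was found, 1 otherwise.
find_iptables_rule_files() {
    root=${1:-/}
    found=0
    for rel in $IPTABLES_CANDIDATES; do
        path="${root%/}/$rel"
        if [ -e "$path" ]; then
            printf '%s\n' "$path"
            found=1
        fi
    done
    [ "$found" -eq 1 ]
}

# find_restore_hooks [ROOT]
# Lists files under ROOT/etc that mention iptables-restore: the boot-time
# hook that reloads the rules usually names the saved file on that line.
find_restore_hooks() {
    root=${1:-/}
    grep -rl 'iptables-restore' "${root%/}/etc" 2>/dev/null
}

# Stand-alone run against the live system (needs read access to /etc).
if [ "${1:-}" = "--run" ]; then
    find_iptables_rule_files / || echo "no known rule file found"
    find_restore_hooks /
fi
```

File descriptor 1 in the strace output above is standard output: iptables-save writes the rules to the terminal, and they only end up in a file when the command is redirected, as in `iptables-save > /etc/iptables/rules.v4`.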