Saving Iptables Firewall Rules Permanently

From Thomas-Krenn-Wiki
Jump to: navigation, search

This article explains several ways in which iptables rules can be stored permanently on Linux.


The actual iptables rules are created and customized on the command line with the command iptables for IPv4 and ip6tables for IPv6.

These can be saved in a file with the command iptables-save for IPv4.

Debian/Ubuntu: iptables-save > /etc/iptables/rules.v4
RHEL/CentOS: iptables-save > /etc/sysconfig/iptables

These files can be loaded again with the command iptables-restore for IPv4.

Debian/Ubuntu: iptables-restore < /etc/iptables/rules.v4
RHEL/CentOS: iptables-restore < /etc/sysconfig/iptables

If you would also like to use IPv6 rules, these can be stored in a separate file.

Debian/Ubuntu: ip6tables-save > /etc/iptables/rules.v6
RHEL/CentOS: ip6tables-save > /etc/sysconfig/ip6tables

The automatic loading of the configured iptables rules can be done by using the following methods:

iptables-persistent for Debian/Ubuntu

Since Ubuntu 10.04 LTS (Lucid) and Debian 6.0 (Squeeze) there is a package with the name "iptables-persistent" which takes over the automatic loading of the saved iptables rules. To do this, the rules must be saved in the file /etc/iptables/rules.v4 for IPv4 and /etc/iptables/rules.v6 for IPv6.

For use, the package must simply be installed.

apt-get install iptables-persistent

If the installation fails, please check whether systemd has already had failures before the installation of iptables-persisent. Those systemd errors can cause the iptables-persistent installation to fail.[1]

Older iptables-persistent versions (e.g. like those in Debian Squeeze) still do not support IPv6 rules. There is only one file with the name /etc/iptables/rules for IPv4. Check the Init-Script for which files are loaded in your iptables-persistent version.

Please check that your rules are loaded as desired following the first reboot after configuration.

iptables Service for RedHat Enterprise Linux (RHEL) and CentOS

RHEL/CentOS also offer simple methods to permanently save iptables rules for IPv4 and IPv6.

There is a service called "iptables". This must be enabled.

# chkconfig --list | grep iptables
  iptables       	0:off	1:off	2:on	3:on	4:on	5:on	6:off
# chkconfig iptables on

The rules are saved in the file /etc/sysconfig/iptables for IPv4 and in the file /etc/sysconfig/ip6tables for IPv6. You may also use the init script in order to save the current rules.

# service iptables save

Additional information can also be found here RHEL 6 Documentation.

Please check that your rules are loaded as desired following the first reboot after configuration.


  1. #765478 - update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults (

Foto Christoph Mitasch.jpg

Author: Christoph Mitasch

Christoph Mitasch works in the Web Operations & Knowledge Transfer team at Thomas-Krenn. He is responsible for the maintenance and further development of the webshop infrastructure. After an internship at IBM Linz, he finished his diploma studies "Computer- and Media-Security" at FH Hagenberg. He lives near Linz and beside working, he is an enthusiastic marathon runner and juggler, where he hold various world-records.