Saving Iptables Firewall Rules Permanently

From Thomas-Krenn-Wiki

This article explains several ways in which iptables rules can be stored permanently on Linux.

iptables-save

The actual iptables rules are created and customized on the command line with the command iptables for IPv4 and ip6tables for IPv6.

These can be saved in a file with the command iptables-save for IPv4.

Debian/Ubuntu: iptables-save > /etc/iptables/rules.v4
RHEL/CentOS: iptables-save > /etc/sysconfig/iptables

These files can be loaded again with the command iptables-restore for IPv4.

Debian/Ubuntu: iptables-restore < /etc/iptables/rules.v4
RHEL/CentOS: iptables-restore < /etc/sysconfig/iptables

If you would also like to use IPv6 rules, these can be stored in a separate file.

Debian/Ubuntu: ip6tables-save > /etc/iptables/rules.v6
RHEL/CentOS: ip6tables-save > /etc/sysconfig/ip6tables

The automatic loading of the configured iptables rules can be done by using the following methods:

iptables-persistent for Debian/Ubuntu

Since Ubuntu 10.04 LTS (Lucid) and Debian 6.0 (Squeeze) there is a package with the name "iptables-persistent" which takes over the automatic loading of the saved iptables rules. To do this, the rules must be saved in the file /etc/iptables/rules.v4 for IPv4 and /etc/iptables/rules.v6 for IPv6.

To use it, simply install the package.

apt-get install iptables-persistent

If the installation fails, check whether systemd was already reporting failures before iptables-persistent was installed. Such systemd errors can cause the iptables-persistent installation to fail.[1]

Older iptables-persistent versions (e.g. those in Debian Squeeze) do not yet support IPv6 rules. There is only one file with the name /etc/iptables/rules for IPv4. Check the init script to see which files are loaded in your iptables-persistent version.

Please check that your rules are loaded as desired following the first reboot after configuration.

iptables Service for RedHat Enterprise Linux (RHEL) and CentOS

RHEL/CentOS also offer simple methods to permanently save iptables rules for IPv4 and IPv6.

There is a service called "iptables". This must be enabled.

# chkconfig --list | grep iptables
  iptables       	0:off	1:off	2:on	3:on	4:on	5:on	6:off
# chkconfig iptables on

The rules are saved in the file /etc/sysconfig/iptables for IPv4 and in the file /etc/sysconfig/ip6tables for IPv6. You may also use the init script in order to save the current rules.

# service iptables save

Additional information can be found in the RHEL 6 documentation.

Please check that your rules are loaded as desired following the first reboot after configuration.
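
The post-reboot check recommended in both sections can be scripted. The following is an added example, not part of the original article: it compares a saved rules file with a fresh iptables-save dump while ignoring the timestamps and packet counters that would otherwise show up as differences. The function names, the sample dump and the /tmp path are assumptions made for illustration.

```shell
# Added example: compare a saved rules file with a fresh iptables-save dump.

# Drop "# Generated by ..." comments and zero the [packets:bytes] counters that
# iptables-save writes on chain lines (and on rule lines when run with -c).
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/^\(:[^ ]* [^ ]* \)\[[0-9]*:[0-9]*]$/\1[0:0]/' \
        -e 's/^\[[0-9]*:[0-9]*] //' "$1"
}

# A complete dump closes every "*table" section with COMMIT; a file cut
# short while it was being written does not.
is_complete() {
    [ -r "$1" ] || return 1
    tables=$(grep -c '^\*' "$1" || true)
    commits=$(grep -c '^COMMIT$' "$1" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# Return 0 only when both dumps are complete and describe the same ruleset.
rules_match() {
    is_complete "$1" && is_complete "$2" || return 1
    [ "$(normalize_rules "$1")" = "$(normalize_rules "$2")" ]
}

# Constructed sample dump; $1 = timestamp text, $2 = INPUT chain counters.
sample_dump() {
    cat <<EOF
# Generated by iptables-save on $1
*filter
:INPUT DROP [$2]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on $1
EOF
}

# Demo on constructed samples. On a real host, as root (the /tmp path is hypothetical):
#   iptables-save > /tmp/live.v4 && rules_match /etc/iptables/rules.v4 /tmp/live.v4
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
sample_dump "Mon Jan  1 10:00:00 2024" "0:0"    > "$demo_dir/saved.v4"
sample_dump "Tue Jan  2 08:30:00 2024" "12:840" > "$demo_dir/live.v4"
rules_match "$demo_dir/saved.v4" "$demo_dir/live.v4" \
    && echo "live rules match the saved file" \
    || echo "MISMATCH: live rules differ from the saved file"
```

On RHEL/CentOS, compare against /etc/sysconfig/iptables instead; the same functions work for ip6tables-save dumps and the IPv6 files.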

References

  1. #765478 - update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults (bugs.debian.org)



Author: Christoph Mitasch

Christoph Mitasch works in the Web Operations & Knowledge Transfer team at Thomas-Krenn. He is responsible for the maintenance and further development of the webshop infrastructure. After an internship at IBM Linz, he finished his diploma studies "Computer- and Media-Security" at FH Hagenberg. He lives near Linz and, besides working, he is an enthusiastic marathon runner and juggler, where he holds various world records.

