Saving Iptables Firewall Rules Permanently
This article explains several ways in which iptables rules can be stored permanently on Linux.
iptables-save
The actual iptables rules are created and customized on the command line with the command iptables for IPv4 and ip6tables for IPv6. These can be saved to a file with the command iptables-save for IPv4.
Debian/Ubuntu: iptables-save > /etc/iptables/rules.v4
RHEL/CentOS: iptables-save > /etc/sysconfig/iptables
These files can be loaded again with the command iptables-restore for IPv4.
Debian/Ubuntu: iptables-restore < /etc/iptables/rules.v4
RHEL/CentOS: iptables-restore < /etc/sysconfig/iptables
If you would also like to use IPv6 rules, these can be stored in a separate file with ip6tables-save.
Debian/Ubuntu: ip6tables-save > /etc/iptables/rules.v6
RHEL/CentOS: ip6tables-save > /etc/sysconfig/ip6tables
The automatic loading of the configured iptables rules can be done by using the following methods:
iptables-persistent for Debian/Ubuntu
Since Ubuntu 10.04 LTS (Lucid) and Debian 6.0 (Squeeze) there is a package with the name "iptables-persistent" which takes over the automatic loading of the saved iptables rules. To do this, the rules must be saved in the file /etc/iptables/rules.v4 for IPv4 and /etc/iptables/rules.v6 for IPv6.
For use, the package must simply be installed.
apt-get install iptables-persistent
If the installation fails, please check whether systemd had already reported failures before the installation of iptables-persistent. Those systemd errors can cause the iptables-persistent installation to fail.[1]
Older iptables-persistent versions (e.g. those in Debian Squeeze) do not yet support IPv6 rules. There is only one file, with the name /etc/iptables/rules, for IPv4. Check the init script to see which files are loaded by your iptables-persistent version.
Please check that your rules are loaded as desired following the first reboot after configuration.
iptables Service for RedHat Enterprise Linux (RHEL) and CentOS
RHEL/CentOS also offer simple methods to permanently save iptables rules for IPv4 and IPv6.
There is a service called "iptables". This must be enabled.
# chkconfig --list | grep iptables
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
# chkconfig iptables on
The rules are saved in the file /etc/sysconfig/iptables for IPv4 and in the file /etc/sysconfig/ip6tables for IPv6. You may also use the init script in order to save the current rules.
# service iptables save
Additional information can also be found in the RHEL 6 Documentation.
Please check that your rules are loaded as desired following the first reboot after configuration.
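The save step described above and the post-reboot check that both sections ask for can be scripted. The following is an added example and not code from the original article or from the iptables-persistent or RHEL packages. It assumes the distribution ID can be read from /etc/os-release (or passed as an argument), that the rules files live at the paths the article names, and that iptables-restore and ip6tables-restore support the --test option (they do in current iptables releases; older versions may lack it). A dump is only moved into place after it passes a structural check and a dry-run restore, so a truncated or garbled file never replaces the one loaded at boot.

```shell
#!/bin/sh
# Added example, not from the original article: choose the rules file per
# distribution, sanity-check a dump before installing it as the boot-time
# ruleset, and compare saved vs. live rules after a reboot.
# Assumptions: distro ID from /etc/os-release (or 2nd argument to rules_path),
# iptables-restore/ip6tables-restore accept --test.
set -u

# Persistent rules file for IPv4 (family 4) or IPv6 (family 6).
rules_path() {
    family=$1
    distro=${2:-}
    if [ -z "$distro" ] && [ -r /etc/os-release ]; then
        distro=$(. /etc/os-release && printf '%s' "$ID")
    fi
    case $distro in
        debian|ubuntu) printf '/etc/iptables/rules.v%s\n' "$family" ;;
        rhel|centos)
            if [ "$family" = 6 ]; then printf '/etc/sysconfig/ip6tables\n'
            else printf '/etc/sysconfig/iptables\n'; fi ;;
        *) printf 'rules_path: unsupported distribution "%s"\n' "$distro" >&2; return 1 ;;
    esac
}

# A saved dump is a sequence of blocks, each opened by "*table" and closed by
# "COMMIT". A truncated dump, a stray line outside a block or an empty file
# must not become the ruleset that is restored at boot. Returns 0 when OK.
check_rules_file() {
    file=$1
    [ -s "$file" ] || { printf 'empty or missing: %s\n' "$file" >&2; return 1; }
    awk '
        /^#/ || /^[ \t]*$/ { next }
        /^\*/       { if (open) bad++; open = 1; tables++; next }
        /^COMMIT$/  { if (!open) bad++; open = 0; next }
                    { if (!open) bad++ }
        END { if (bad || open || tables == 0) exit 1; exit 0 }
    ' "$file"
}

# iptables-save writes a "# Generated by" header and per-chain counters
# ("[packets:bytes]") that differ between the file and the live ruleset;
# strip both so the two can be compared line by line. Reads a file, or
# standard input when no file is given.
normalize_rules() {
    sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*\]$//' "${1:--}"
}

# Dump the live ruleset into its persistent file. The dump goes to a temp
# file first and is moved into place (mode 0600, readable by root only) only
# after it passes the structural check and a dry-run restore.
save_rules() {
    family=$1
    target=$(rules_path "$family") || return 1
    dump=iptables-save; restore=iptables-restore
    if [ "$family" = 6 ]; then dump=ip6tables-save; restore=ip6tables-restore; fi
    tmp=$(mktemp "$target.XXXXXX") || return 1
    if ! "$dump" > "$tmp" || ! check_rules_file "$tmp" || ! "$restore" --test "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    chmod 0600 "$tmp" && mv -f "$tmp" "$target"
}

# After the first reboot: compare the saved file with what is actually
# loaded. Prints a unified diff and returns non-zero on any difference.
rules_loaded() {
    family=$1
    target=$(rules_path "$family") || return 1
    dump=iptables-save
    if [ "$family" = 6 ]; then dump=ip6tables-save; fi
    live=$(mktemp) || return 1
    "$dump" | normalize_rules > "$live"
    normalize_rules "$target" | diff -u - "$live"
    rc=$?
    rm -f "$live"
    return "$rc"
}

# Usage (as root): "save" before the reboot, "check" after it.
case ${1:-} in
    save)  save_rules 4 && save_rules 6 ;;
    check) rules_loaded 4 && rules_loaded 6 ;;
esac
```

Run it as `sh save-rules.sh save` after editing the live rules and `sh save-rules.sh check` after the reboot; a non-empty diff from the check means the files were not loaded as expected (for example because an older iptables-persistent reads a different file name).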
References
Author: Christoph Mitasch. Christoph Mitasch works in the Web Operations & Knowledge Transfer team at Thomas-Krenn. He is responsible for the maintenance and further development of the webshop infrastructure. After an internship at IBM Linz, he finished his diploma studies "Computer- and Media-Security" at FH Hagenberg. He lives near Linz and, besides working, he is an enthusiastic marathon runner and juggler, where he holds various world records.