Make the configuration of iptables persistent (Debian)

Specific to

Debian-based systems

Tested on

Debian (Squeeze*)
Ubuntu (Lucid*, Maverick*, Natty, Oneiric, Precise)
* no support for IPv6

Objective

To make the configuration of iptables persistent on a Debian-based system

Background

The iptables and ip6tables commands can be used to instruct Linux to perform functions such as firewalling and network address translation. However, the configuration that they create is non-persistent, so it is lost whenever the machine is rebooted. For most practical applications this is not the desired behaviour, so some means is needed to reinstate the configuration at boot time.

For security, the iptables configuration should be applied at an early stage of the bootstrap process: preferably before any network interfaces are brought up, and certainly before any network services are started or routing is enabled. If this is not done then there will be a window of vulnerability during which the machine is remotely accessible but not firewalled.

Scenario

Suppose you have a machine that you wish to protect using a firewall. You have written iptables and ip6tables rulesets, and wish to install them so that they will remain active if the machine is rebooted.

Method

Overview

The method described here has three steps:

  1. Install the iptables-persistent package.
  2. Place the required rulesets in the /etc/iptables directory.
  3. Start the iptables-persistent service.

The second and third steps can be repeated whenever there is a need to change one or both of the rulesets.

Install the iptables-persistent package

On recent Debian-based systems the iptables configuration can be made persistent using the iptables-persistent package:

apt-get install iptables-persistent

This package first became available in Debian (Squeeze) and Ubuntu (Lucid).

Place the required rulesets in the /etc/iptables directory

Recent versions of iptables-persistent have two configuration files: /etc/iptables/rules.v4 for the IPv4 ruleset and /etc/iptables/rules.v6 for the IPv6 ruleset.

These pathnames are correct from version 0.5 of iptables-persistent onwards, corresponding to Debian (Wheezy) and Ubuntu (Oneiric). Prior to that, the IPv4 ruleset was located at /etc/init.d/rules (no suffix). IPv6 support was unavailable prior to version 0.0.20101230, corresponding to Debian (Wheezy) and Ubuntu (Natty).

The ruleset files should be in a format suitable for use by the iptables-restore or ip6tables-restore command as appropriate. Here is an example for configuring the IPv4 filter table:

# Generated by iptables-save v1.4.8 on Thu Jan 12 21:54:29 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [27:3068]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Jan 12 21:54:29 2012

The required format of this file does not appear to be well documented, although a partial description can be found in the Iptables Tutorial. Fortunately it need not be written from scratch: the live configuration can be dumped in exactly this format using iptables-save and ip6tables-save:

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
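As an added example (not part of this howto), the following Python validates a ruleset in the iptables-save format described above before it is placed in /etc/iptables, and checks the point made under Background: whether INPUT refuses unmatched inbound traffic. The sample input is the IPv4 filter ruleset shown above; no iptables binary is needed.

```python
import re
# Constructed sample input: the IPv4 filter ruleset shown in the howto above.
SAMPLE_RULES = """\
# Generated by iptables-save v1.4.8 on Thu Jan 12 21:54:29 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [27:3068]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Jan 12 21:54:29 2012
"""
CHAIN_RE = re.compile(r"^:(\S+) (ACCEPT|DROP|-) \[\d+:\d+\]$")  # :NAME POLICY [pkts:bytes]

def parse_ruleset(text):
    """Parse iptables-save text into {table: {"chains": {name: policy}, "rules": [...]}}."""
    tables, table = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):       # blank lines and comments
            continue
        if line.startswith("*"):                   # "*filter" opens a table
            if table is not None:
                raise ValueError(f"line {lineno}: {table} not closed by COMMIT")
            table = line[1:]
            tables[table] = {"chains": {}, "rules": []}
        elif table is None:
            raise ValueError(f"line {lineno}: directive outside any table")
        elif line == "COMMIT":                     # closes the current table
            table = None
        elif CHAIN_RE.match(line):                 # chain declaration (user chains use "-")
            name, policy = CHAIN_RE.match(line).groups()
            tables[table]["chains"][name] = policy
        elif line.startswith("-A ") and line.split()[1] in tables[table]["chains"]:
            tables[table]["rules"].append(line)    # rule appended to a declared chain
        else:                                      # iptables-restore would reject this too
            raise ValueError(f"line {lineno}: malformed or misplaced directive")
    if table is not None:
        raise ValueError(f"table {table} not closed by COMMIT")
    return tables

def input_is_default_deny(tables):
    """True if unmatched inbound packets are refused: INPUT policy DROP, or a final unconditional REJECT/DROP rule."""
    filt = tables.get("filter", {"chains": {}, "rules": []})
    last = [r.split() for r in filt["rules"] if r.split()[1] == "INPUT"][-1:]
    return filt["chains"].get("INPUT") == "DROP" or bool(
        last and last[0][2] == "-j" and last[0][3] in ("REJECT", "DROP"))
```

Running the parser over a candidate rules.v4 before starting the service catches a missing COMMIT or a rule for an undeclared chain without touching the live firewall.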

Start the iptables-persistent service

The iptables-persistent service must be started or restarted for a change to the rulesets to take effect on the live configuration. In practice it should rarely be necessary to request this explicitly.

You will need to explicitly start the service if you provide the rulesets by some other means:

service iptables-persistent start

Note that the versions of this package included with Squeeze, Lucid and Maverick respond only to start and not to restart, reload or force-reload. This has since been fixed.
