Make the configuration of iptables persistent (Debian)
Ubuntu (Lucid*, Maverick*, Natty, Oneiric, Precise)
* no support for IPv6
To make the configuration of iptables persistent on a Debian-based system
The iptables and ip6tables commands can be used to instruct Linux to perform functions such as firewalling and network address translation. However, the configuration that they create is non-persistent, so it is lost whenever the machine is rebooted. For most practical applications this is not the desired behaviour, so some means is needed to reinstate the configuration at boot time.
For security, the iptables configuration should be applied at an early stage of the bootstrap process: preferably before any network interfaces are brought up, and certainly before any network services are started or routing is enabled. If this is not done, there will be a window of vulnerability during which the machine is remotely accessible but not firewalled.
Suppose you have a machine that you wish to protect using a firewall. You have written iptables and ip6tables rulesets, and wish to install them so that they will remain active if the machine is rebooted.
The method described here has three steps:
- Install the iptables-persistent package.
- Place the required rulesets in the /etc/iptables directory.
- Start the iptables-persistent service.
The second and third steps can be repeated whenever there is a need to change one or both of the rulesets.
On recent Debian-based systems the iptables configuration can be made persistent using the iptables-persistent package:
apt-get install iptables-persistent
This package first became available in Debian (Squeeze) and Ubuntu (Lucid).
Recent versions of iptables-persistent have two configuration files:
- /etc/iptables/rules.v4 for the IPv4 ruleset, and
- /etc/iptables/rules.v6 for the IPv6 ruleset.
These pathnames are correct from version 0.5 of iptables-persistent onwards, corresponding to Debian (Wheezy) and Ubuntu (Oneiric). Prior to that, the IPv4 ruleset was located at /etc/init.d/rules (no suffix). IPv6 support was unavailable prior to version 0.0.20101230, corresponding to Debian (Wheezy) and Ubuntu (Natty).
The ruleset files should be in a format suitable for use by the iptables-restore or ip6tables-restore command, as appropriate. Here is an example for configuring the IPv4 filter table:
# Generated by iptables-save v1.4.8 on Thu Jan 12 21:54:29 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [27:3068]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Jan 12 21:54:29 2012
The required format of this file does not appear to be well documented, although a partial description can be found in the Iptables Tutorial. Fortunately there are alternatives to writing it from scratch:
- Recent versions of iptables-persistent offer to create the files from the current live configuration when the package is installed. You can arrange for this offer to be repeated by reconfiguring the package.
- You can achieve the same effect more directly using the iptables-save and ip6tables-save commands, for example:
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
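A hand-written ruleset that iptables-restore rejects leaves the machine unfirewalled after the next reboot, which is exactly the window of vulnerability described above. The following POSIX shell script is an added example, not code from the original page or from the iptables-persistent package: it checks that a ruleset file has the structure that iptables-restore expects (every *table block terminated by COMMIT, well-formed chain and rule lines), optionally parses it with the --test option of iptables-restore or ip6tables-restore (which constructs the ruleset without committing it), and then installs it atomically with restrictive permissions so a reboot never reads a half-written or world-readable file. The /etc/iptables/rules.v4 and rules.v6 paths are those described above; the function names and the sample ruleset are constructed for this example.

```shell
#!/bin/sh
# Added example: validate an iptables-save style ruleset and install it for
# iptables-persistent. Not part of the original page or the package itself.

# validate_rules_file FILE
# Structural check of iptables-save output: each "*table" block must end in
# COMMIT, chain lines must look like ":NAME POLICY [pkts:bytes]" and rule
# lines must start with "-A". Returns 0 when the file looks sane, 1 otherwise.
validate_rules_file() {
    awk '
        function bad(msg) { print "rules: " msg > "/dev/stderr"; errors++ }
        /^#/ || /^[ \t]*$/ { next }                  # comments and blank lines
        /^\*/       { if (intable) bad("nested table at line " NR); intable = 1; next }
        /^COMMIT$/  { if (!intable) bad("COMMIT outside a table at line " NR); intable = 0; next }
        /^:/ {
            if (!intable) bad("chain outside a table at line " NR)
            if ($0 !~ /^:[A-Za-z0-9_-]+ (ACCEPT|DROP|-) \[[0-9]+:[0-9]+\]$/) bad("malformed chain line " NR)
            next
        }
        /^-A /      { if (!intable) bad("rule outside a table at line " NR); next }
        { bad("unrecognised line " NR ": " $0) }
        END { if (intable) bad("missing COMMIT at end of file"); exit (errors ? 1 : 0) }
    ' "$1"
}

# install_rules SRC DEST RESTORE_CMD
# Validates SRC, lets RESTORE_CMD (iptables-restore or ip6tables-restore) parse
# it with --test when that binary is available, then copies it into place
# atomically. Returns non-zero without touching DEST if any check fails.
install_rules() {
    src=$1; dest=$2; restore=$3
    validate_rules_file "$src" || return 1
    if command -v "$restore" >/dev/null 2>&1; then
        "$restore" --test < "$src" || { echo "$restore rejected $src" >&2; return 1; }
    fi
    tmp="$dest.tmp.$$"
    # Rules files describe your network layout, so keep them owner-readable only.
    (umask 077 && cp "$src" "$tmp") && mv "$tmp" "$dest"
}

# write_sample_ruleset FILE
# Constructed sample (not captured from a real host): default-deny INPUT that
# admits only loopback and reply traffic.
write_sample_ruleset() {
    cat > "$1" <<'EOF'
# Constructed for this example
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
}

# Stand-alone demonstration using a scratch directory in place of /etc/iptables.
# On a real host you would run, as root:
#   iptables-save > /etc/iptables/rules.v4.new
#   install_rules /etc/iptables/rules.v4.new /etc/iptables/rules.v4 iptables-restore
demo_dir=$(mktemp -d)
write_sample_ruleset "$demo_dir/rules.v4.new"
if install_rules "$demo_dir/rules.v4.new" "$demo_dir/rules.v4" iptables-restore; then
    echo "installed $demo_dir/rules.v4"
fi
```

The structural check is deliberately strict about what it accepts, so a file that passes it and iptables-restore --test is one that the iptables-persistent service will be able to load before the network comes up; a file that fails is reported and left uninstalled, which is the safe outcome.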
The iptables-persistent service must be started or restarted for it to have an effect on the live configuration. In practice it should rarely be necessary to request this explicitly:
- If the rulesets were constructed from the current live configuration then there is no immediate need for iptables-persistent to do anything, because the stored and live configurations are already in agreement.
- The iptables-persistent service automatically starts when the system is rebooted.
You will need to explicitly start the service if you provide the rulesets by some other means:
service iptables-persistent start
Note that the versions of this package included with Squeeze, Lucid and Maverick respond only to start and not to force-reload. This has since been fixed.