Working copy of the Netfilter rules stored in the kernel space of linux. The kernel, by default, allow all connections that we see when running the command iptables with the-L option With changes in regulations made by us during the operating system usually automatically will not persist when the computer is turned off. So after the next turn on, you find that the configured rules again and all with a default policy – ACCEPT.
Note: In practice, this means that your computer is by default open to any access from the outside to any machine, it only need a working program that will meet at the port to which you want to connect any remote computer. In this article we will consider how to save iptables rules.
Of course, to re-configure every time after restarting the computer the firewall ruleset is not profitable, so we need a means of saving and restoring firewall settings after turning on our machines. The most common solutions to this problem are two:
- Utility iptables-save and load them using iptables-restore;
- Utility iptables-persistent (this option is available in the operating systems Debian and Ubuntu).
Keep the rules in any available directory, but it is better to use for this system directory, for example, the directory for configuration files /etc/ or sub-folder in for example /etc/iptables-conf/
How to save iptables rules
To save firewall rules Netfilter in linux you can use the package iptables-save. This package writes the current configuration to a file with the specified name. There are two versions of this package:
- iptables-save for IPv4;
- ip6tables-save for the IPv6 Protocol.
The command syntax is the same, so we consider ipv4.
iptables-save [-m modprobe] [-c] [-t table] [-f filename]
Possible options are:
- -m modprobe: Specifies the path to the modprobe program. By default, iptables-save checks /proc/sys/kernel/modprobe to determine the path to the executable file. modprobe is a utility for managing kernel modules. There are several variants of this utility. This parameter can be ignored;
- -c: enables the output of all program counters of the number of transferred bytes and packets.
- -t table: displays in the output stream only one table, which was explicitly specified. In the absence of the flag displays all the tables in the firewall settings;
- -f file name: Specifies the name of the file recording settings. If the file is not specified, then the output is to a stream the screen output to STDOUT.
In the simplest version of the command will look like the following:
sudo iptables-save-f /etc/iptables-conf/iptables_rules.ipv4
You can use your folder, file name and extension. It is possible to use another syntax for this command:
sudo iptables-save > /etc/iptables-conf/iptables_rules2.ipv4
In this embodiment, the command iptables-save prints the feature rules in the output stream to the screen STDOUT, which we redirected to the file. You must create the directory /etc/iptables-conf/:
sudo mkdir /etc/iptables-conf/
To view the contents of the directory by using the command:
How to load iptables rules
For manual reset, you can use the utility iptables-restore. It restores the firewall configuration Netfilter with the specified file or input stream STDIN, if no file is specified explicitly. Consider the syntax for iptables-restore:
iptables-restore [-chntvV] [-w seconds] [-W milliseconds] [-M modprobe] [-T table] [file name]
- c: resets all counters of packets and bytes;
- -n: allows to dump the content of the rules of the updated table of iptables rules. If not specified, – all the current rules of the updated table are reset. It turns out that the rules in the file are appended at the end of tables a working configuration if this parameter is specified;
- -t: only build and test a rule set from a file, without updating working tables rules iptables;
- -v: displays additional debugging information during the recovery of a set of rules;
- -V: displays the version number of the software;
- -w seconds: wait for the exclusive locks of a packet filter of the linux kernel xtables. Used to prevent multiple concurrent instances of the utility. Option causes the program to wait for some time possible exclusive lock xtables;
- -W milliseconds: the interval to wait for each attempt of running the package in exclusive mode. Often, many application systems critical to startup time and runtime, so a long wait for an exclusive lock xtables is often unacceptable. This parameter in milliseconds specifies the maximum time such expectations. The default is 1 second. Applies only in conjunction with-w;
- -M modprobe: Specifies the path to the modprobe program. By default, iptables-restore checks /proc/sys/kernel/modprobe to determine the path to the executable file. modprobe is a utility for managing kernel modules. There are several variants of this utility. This parameter can be ignored;
- -T table: Restores only the rules table with the specified name, even if the data stream contains other tables;
- file name: path to file to recover tables, rules in the file system
Here is an example command iptables-restore:
sudo iptables-restore-vV /etc/iptables-conf/iptables_rules.ipv4
Or restore the rules from a file without resetting the contents of the current tables Netfilter:
sudo iptables-restore-nvV /etc/iptables-conf/iptables_rules.ipv4
The startup of iptables rules
1. Download of rules via script
Rules saved with the utility iptables-save, you can restore using a script that runs each time you start the operating system. To do this, perform the following steps:
Keep a set of firewall rules with the command:
sudo iptables-save-f /etc/iptables-conf/iptables_rules.ipv4
To run the set of rules at the start of the operating system before enabling the network interface we create a new file with the command:
sudo vi /etc/network/if-pre-up.d/iptables
Note – in the network there are many variants of the location of the script on the local machine, but I believe it is the location in the folder if-pre-up.d the most loyal, as this script will be run before enabling the network interface. Add to this file the following script:
/sbin/iptables-restore < /etc/iptables_rules.ipv4
Save the file iptables Ctrl+O. Exit the editor with Ctrl+X. Set the necessary privileges for the created file:
sudo chmod +x /etc/network/if-pre-up.d/iptables
Reboot the computer and check the result for the filter table with the command:
sudo-t filter iptables-L
For safety it is necessary that the configuration of iptables was used to start network interfaces, network services and routing. If these conditions are not met – there is a window of vulnerability between the operating system and regulations for the protection of a firewall. To implement this option, you can use the package iptables-persistent.
2. The startup rules iptables-persistent
By default, this package is not installed in the operating system. This embodiment of the autostart configuration is possible in operating systems Debian, Ubuntu. To install the package you want to execute the command:
sudo apt-get install iptables-persistent
This package first became available in Debian (Squeeze) and Ubuntu (Lucid). Used by this package iptables rules are stored in the following directories:
- /etc/iptables/rules.v4 to set the rules of IPv4;
- /etc/iptables/rules.v6 set of rules for the IPv6 Protocol.
But they must be stored in clear utility, iptables-persistent form.
Requirements for the format of the data files is not documented, which creates some difficulties to create these files manually. You can create them with dpkg-reconfigure:
sudo dpkg-reconfigure iptables-persistent
Or you can use iptables-save and ip6tables-save:
sudo iptables-save > /etc/iptables/rules.v4
sudo ip6tables-save > /etc/iptables/rules.v6
If we had to be careful when installing the package, we should have seen Debian in 10 and recent versions of Ubuntu the package is a dependency for iptables-persistent: netfilter-persistent installed with the desired package. At https://packages.ubuntu.com view the contents of the package iptables-persistent, and we note that currently the package called iptables-persistent, and the main files are already part of the package netfilter-persistent.
Utility netfilter-persistent also allows you to manage startup rules. Here is its syntax:
sudo netfilter-persistent [action]
Where [action] can take the following values:
- start – brings up all the plugins start to load the rules in netfilter;
- stop – if configured reset Netfilter when you stop the plugin resets all firewall settings to default values. Otherwise, just issues a warning;
- flush – plug-ins are invoked with the parameter flush that resets the firewall rules to default;
- save – causes the plugin with the save parameter, allowing you to save the values of the firewall rules in the files on the disk;
- reload – not a documented option, there were cases when the start parameter did not work, helped call this option to load rules from a file on disk;
So, to keep rules, we can invoke the following command:
sudo netfilter-persistent save
To download the saved rules we can use command:
sudo netfilter-persistent start
Remark: After you install netfilter-persistent system if you are using iptables and the format of the storage files associated with it, begins when the work is to give a warning
# Warning: iptables-legacy tables present, use iptables-legacy to see them.
This is due to the new tuning and editing rules Netfilter – nftablesto migration on the utility of the old rules iptables you can use the automatic translator of rules iptables-translate. But that’s a topic for another article.
So, in this article, we looked at where are iptables rules and save the iptables rules after a reboot, I understood the configure script and startup package iptables-persistent.