Automatically loading iptables rules on Debian/Ubuntu

If you want your iptables rules automatically loaded every time your networking comes up on your Debian or Ubuntu server, you can follow these easy steps.

First, get your iptables rules set up the way you like them. Once you’ve verified that everything works, save the rules:

iptables-save > /etc/firewall.conf

Next, open up /etc/network/if-up.d/iptables in your favorite text editor and add the following:

#!/bin/sh
iptables-restore < /etc/firewall.conf

Once you save it, make it executable:

chmod +x /etc/network/if-up.d/iptables

Now, the rules will be restored each time your networking scripts start (or restart). If you need to save changes to your rules in the future, you can manually edit /etc/firewall.conf or you can adjust your rules live and run:

iptables-save > /etc/firewall.conf
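A hardened variant of the if-up.d hook from the steps above, added here as an example and not the post's own script: because /etc/firewall.conf is fed to iptables-restore as root at every boot, it refuses a rules file that is not root-owned or is group/world writable, and it parses the file with iptables-restore --test before committing so a typo in a hand-edited file fails loudly instead of leaving a partial ruleset loaded. IFACE and MODE are the variables ifupdown exports to its hooks; RULES, RULES_OWNER, IPTABLES_RESTORE and the function names are this example's own, overridable so the checks can be exercised without a live firewall, and GNU stat (coreutils, as on Debian/Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example: hardened /etc/network/if-up.d/iptables hook.
# Variable names below are this example's own; IFACE and MODE come
# from ifupdown. Requires GNU stat as shipped on Debian/Ubuntu.

RULES="${RULES:-/etc/firewall.conf}"
RULES_OWNER="${RULES_OWNER:-0}"          # uid that must own the rules file (root)
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"

log() { logger -t firewall "$*" 2>/dev/null || echo "firewall: $*" >&2; }

# The file is loaded as root, so anyone who can write it rewrites the
# firewall. Accept only a regular file owned by RULES_OWNER with no
# group or world write bit.
rules_file_is_safe() {
    f="$1"
    [ -f "$f" ] || return 1
    owner=$(stat -c '%u' "$f") || return 1
    [ "$owner" = "$RULES_OWNER" ] || return 1
    perms=$(stat -c '%A' "$f") || return 1     # e.g. -rw-r--r--
    case "$perms" in
        ?????w*|????????w*) return 1 ;;          # group- or world-writable
    esac
    return 0
}

# Parse first, commit second: iptables-restore --test builds the whole
# ruleset without applying it, so a syntax error in a hand-edited file
# leaves the current firewall untouched instead of half-replaced.
load_rules() {
    [ "${MODE:-start}" = "start" ] || return 0   # nothing to do on ifdown
    if ! rules_file_is_safe "$RULES"; then
        log "refusing to load $RULES: missing, wrong owner, or group/world writable"
        return 1
    fi
    if ! "$IPTABLES_RESTORE" --test < "$RULES"; then
        log "$RULES failed to parse; firewall left unchanged"
        return 1
    fi
    "$IPTABLES_RESTORE" < "$RULES" && log "loaded $RULES on ${IFACE:-?}"
}

# ifupdown sets IFACE for every hook it runs; when sourced by hand for
# inspection (IFACE unset) nothing is applied.
if [ -n "${IFACE:-}" ]; then
    load_rules
fi
```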

Thanks to Ant for this handy tip.

  • Bartek

    Thanks for the post but quick question, what’s the difference between doing this and just setting a line in /etc/network/interfaces?

    pre-up iptables-restore < /etc/iptables.up.rules

    Thanks!

  • http://rackerhacker.com major

    Bartek:

    That method would have the same effect. I normally just try to keep the /etc/network/interfaces clear of extra stuff, but that’s just my own personal preference. ;-)

  • kit

    Hi, I have some problems with iptables rules under Ubuntu.
    Is it necessary to create a script like that to build the firewall? Will the rules get lost when I restart the server?

    I created a simple firewall with the function of NAT, then restarted the server.
    I typed the command below in the terminal:
    iptables -L -v

    But it displays nothing.
    And it seemed that the NAT function and the rules made last time are still available to use.

    Hoping for your email.
    Thanks.

  • http://rackerhacker.com Major Hayden

    Kit –

    To have iptables start automatically with your ruleset, you have to do two things: save your ruleset somewhere and apply it at boot time. The documentation above shows you how to do that. If you simply apply your rules and reboot, your rules will be lost as soon as the machine powers down.

  • Henkske

    Hello,

    thank you for this howto. It really helped me.

    Do you maybe also have a howto for a DNS update script? I need a script that checks my DNS addresses every 5 minutes for an IP change and updates the FW if the IP is indeed changed.

  • http://frankbasti.com Frank

    Thanks!
    This is the cleanest way I have seen to accomplish this.

    Coupled with the iptables country blocking tutorial below, it's the best way to get the Chinese Robots / Hackers to stop wasting my bandwidth.
    http://roberthaddon.blogspot.com

  • http://www.mayrundigmi.com Mayrun Digmi

    Thank you, very helpful.

  • http://cosmolinux.no-ip.org Ed

    Thank you for such a nice tutorial.

    I just wrote a different kind of tutorial on how to set up Arno IPTABLES firewall.
    Maybe it will help someone set up his own firewall based on IPTABLES.
    You can find some examples for a mail server and for a Proxy server using SNAT and port forwarding.
    The location of my tutorial is here:

    http://cosmolinux.no-ip.org/raconetlinux2/arno_iptables_firewall.html

    I hope it is useful to someone.

  • Anna

    Thank you so much! Your advice was lifesaving! :)

  • David Gillies

    Debian and Ubuntu now offer the iptables-persistent package, which stores IPv4 and IPv6 rules in /etc/iptables/rules.v[4,6] respectively. These are reloaded at boot and can be updated with ip[,6]tables-save > /etc/iptables/iptables.v[4,6]

  • David Gillies

    Errm, sorry, ip[,6]tables-save > /etc/iptables/rules.v[4,6]

  • HG

    Testing right now on an iptables script under /etc/network/if-down.d/iptables
    with the following code
    #!/bin/sh
    iptables-save > /etc/firewall.conf

    this way all changes done and working will be auto saved and auto restored
    do you see any issue with this other than the obvious bringdown with the wrong rules?

    Thanks
    HG