DEV Community

Or Yaacov

3 ways to make iptables persistent

If you are using iptables you almost certainly want your rules to survive a reboot: anything you add with iptables lives only in the running kernel, so after the next boot the firewall is empty again unless something restores it.

I'll present here 3 ways to make your iptables rules persistent:

  1. using systemd, my personal favorite, since it works on every Linux distribution and requires no 3rd party software.
  2. using iptables-persistent, mostly for DEB-based Linux distributions; requires a 3rd party package.
  3. using iptables-services, for RPM-based Linux distributions; requires a 3rd party package.

systemd

systemd is a system and service manager for Linux operating systems. Using systemd we can run a script at boot that restores our firewall rules, which makes them persistent without installing any 3rd party software.
First let's create the script that we wish to run to restore our firewall. The path must match the one referenced from the unit file (create the /etc/iptables directory first if it does not exist):
sudo vi /etc/iptables/restore-iptables.sh

with the following script (replace the placeholder with the path of a dump you created with iptables-save; if you also use ip6tables, add a second line that calls ip6tables-restore with your IPv6 dump):
#!/bin/sh
/usr/bin/flock /run/.iptables-restore /sbin/iptables-restore < {{your iptables dump file}}

flock serializes on the lock file, so a manual run of the script cannot interleave with the one started at boot. Then make the script executable with chmod +x: the unit below checks that with ConditionFileIsExecutable=, and when the condition fails the service is skipped silently rather than marked failed, so nothing will warn you that no rules were loaded. Since the script runs as root at every boot, keep it and the dump file owned by root and not writable by anyone else.

next we will need to create a unit file for our systemd service using:
sudo vi /etc/systemd/system/iptables-persistent.service

and paste the following:
[Unit]
Description=iptables persistent service
ConditionFileIsExecutable=/etc/iptables/restore-iptables.sh
Wants=network-pre.target
Before=network-pre.target

[Service]
Type=oneshot
ExecStart=/etc/iptables/restore-iptables.sh
TimeoutStartSec=0
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Two details matter here. A firewall unit must not be ordered After=network.target: the interfaces would already be up and accepting traffic before any rule is loaded. network-pre.target is the systemd target meant exactly for firewall scripts (see systemd.special(7)); pulling it in with Wants= and ordering the service Before= it makes the network management service wait until the rules are in place. And the script simply runs iptables-restore and exits, it never forks, so Type=oneshot with RemainAfterExit=yes is the right service type: after success the unit shows as "active (exited)", and a non-zero exit from the script (for example a dump that fails to parse) leaves the unit in a failed state you can see in systemctl status. TimeoutStartSec=0 disables the start timeout, which is harmless for a script that finishes in milliseconds.

great, now all that is left to do is simply enable our service by running the following command:
sudo systemctl enable iptables-persistent.service
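As an added example (not the script from the post), here is a fuller version of the restore script for the systemd method. It validates each dump before loading it, dry-runs it with iptables-restore --test, and restores both IPv4 and IPv6 under the same flock, so an empty or truncated rules file fails the unit loudly instead of booting the host with no firewall. The dump paths, the lock file path and the "restore" argument are assumptions; the write_sample_dump function writes a small constructed ruleset, not a dump from any real host, so the checks can be exercised without root or iptables.

```shell
#!/bin/sh
# Added example, not the original post's script: a restore script for the
# systemd method that validates each dump before loading it, so an empty or
# truncated rules file does not silently boot the host without a firewall.
# The dump paths and the lock file path are assumptions; adjust to taste.
set -eu

V4_RULES="${V4_RULES:-/etc/iptables/rules.v4}"
V6_RULES="${V6_RULES:-/etc/iptables/rules.v6}"
LOCK="${LOCK:-/run/.iptables-restore}"

# check_dump FILE: succeed only if FILE looks like a complete iptables-save
# dump: readable, at least one "*table" header, and one COMMIT per table.
# A dump cut off mid-write (disk full, interrupted save) fails the COMMIT count.
check_dump() {
    f="$1"
    [ -r "$f" ] || { echo "check_dump: $f is missing or unreadable" >&2; return 1; }
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT$' "$f" || true)
    [ "$tables" -gt 0 ] || { echo "check_dump: $f has no *table header" >&2; return 1; }
    [ "$tables" -eq "$commits" ] || {
        echo "check_dump: $f has $tables table(s) but $commits COMMIT line(s), looks truncated" >&2
        return 1
    }
    return 0
}

# restore_one RESTORE_CMD FILE: validate FILE, dry-run it with --test (parse
# only, nothing is committed to the kernel), then load it under the lock so
# two restores cannot interleave.
restore_one() {
    cmd="$1"; f="$2"
    check_dump "$f"
    "$cmd" --test < "$f"
    /usr/bin/flock "$LOCK" "$cmd" < "$f"
}

# restore_all: the IPv4 dump is mandatory, IPv6 is loaded only if a dump exists.
restore_all() {
    restore_one iptables-restore "$V4_RULES"
    if [ -e "$V6_RULES" ]; then
        restore_one ip6tables-restore "$V6_RULES"
    fi
}

# write_sample_dump FILE: writes a small constructed ruleset (not a dump taken
# from any real host) so check_dump can be exercised without root or iptables.
write_sample_dump() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Only act when explicitly asked, so sourcing the file for tests is harmless.
# In the unit file: ExecStart=/etc/iptables/restore-iptables.sh restore
case "${1:-}" in
    restore) restore_all ;;
esac
```

With this version the ExecStart= line in the unit becomes /etc/iptables/restore-iptables.sh restore; without the argument the script only defines its functions and exits 0. Because the unit is Type=oneshot, any failure in check_dump or in the --test dry run makes systemctl status report the unit as failed, which is the behaviour you want from a boot-time firewall loader.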

iptables-persistent (DEB)

iptables-persistent automatically loads your saved iptables rules after a reboot.
First step will be to install iptables-persistent using sudo apt-get install iptables-persistent
(the package's install prompt offers to save the currently loaded IPv4 and IPv6 rules; answer yes if those are already the rules you want to keep).
iptables-persistent will look for two dump files:

/etc/iptables/rules.v4 #for ipv4 rules
/etc/iptables/rules.v6 #for, wait for it, ipv6 rules

which you can create by running the following commands. Note the sh -c: with a plain sudo iptables-save > file the redirection is performed by your unprivileged shell, not by root, and fails with "Permission denied" because /etc/iptables is only writable by root:
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
sudo sh -c 'ip6tables-save > /etc/iptables/rules.v6'

Depending on your OS version, behind the scenes iptables-persistent is just a plugin of netfilter-persistent.service, and that is the unit that runs at boot; you can verify that it is up and running using sudo systemctl status netfilter-persistent.service

and your output should look like the following:

netfilter-persistent.service - netfilter persistent configuration
 Loaded: loaded (/lib/systemd/system/netfilter-persistent.service; enabled; ve
 Active: active (exited) since Sat 2022-04-09 18:14:42 IDT; 29min ago

iptables-services (RPM)

iptables-services contains a persistence utility that loads your saved iptables rules after a reboot.
Let's start with installing iptables-services using sudo dnf install iptables-services
after installing iptables-services we will need to make sure that our service is up and that firewalld is disabled and won't interfere with our iptables configuration (firewalld manages the same netfilter tables and would overwrite your rules), using the following commands:
sudo systemctl stop firewalld
sudo systemctl disable firewalld
sudo systemctl start iptables
sudo systemctl enable iptables

If you want to be sure nothing can pull firewalld back in as a dependency of another unit, mask it as well with sudo systemctl mask firewalld.

iptables-services will look for two dump files:

/etc/sysconfig/iptables #for ipv4 rules
/etc/sysconfig/ip6tables #for, wait for it, ipv6 rules

which you can create by running the following commands. These are the RPM paths, not the /etc/iptables/rules.v4 ones used by iptables-persistent, and as before the redirect runs under sh -c so that it is root that writes the file:
sudo sh -c 'iptables-save > /etc/sysconfig/iptables'
sudo sh -c 'ip6tables-save > /etc/sysconfig/ip6tables'

and that's it, you can reboot your machine without losing your changes :) If you want to be sure before rebooting, iptables-restore --test < your-dump-file parses the dump and reports errors without touching the running rules.
