Ubuntu – How to make a specific set of iptables rules permanent

firewalliptablesrebootserverstartup

Is there a "best practice" or standard to make a few iptables rules permanent? I mean: automatically applied upon a system reboot?

I am using a VPS with Ubuntu Server 10.04 LTS (Lucid Lynx).

Thank you.

BIG EDIT: I don't want ANY rule to be persisted (like iptables-persistent package does). I want only my own specific set to be reloaded… if other rules are eventually added by running iptables, these should be discarded…

Best Answer

The simplest method is to use iptables-save and iptables-restore to save the currently-defined iptables rules to a file and (re)load them (e.g., upon reboot).

So, for instance, you would run

sudo iptables-save | sudo tee /etc/iptables.conf

to save your current iptables rules to /etc/iptables.conf and then insert these lines in /etc/rc.local:

# Load iptables rules from this file
iptables-restore < /etc/iptables.conf

Related Solutions

Ubuntu – Which INPUT rules do I need to add to iptables so apt (apt-get, aptitude) can work (update, upgrade, search, install)

When you send a HTTP request to the other server, you're using TCP. First, a SYN packet go outside to the other server from a random high port, then you'll receive a ACK response. Finally you send SYN/ACK to the server and the server responds with the requested document (in multiple packets). Your rules do not allow the ACK packet to be received and therefore the connection cannot be established. Add a rule like:

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

You don't get iptables logs for free. Your rules should look like:

# if no rule matched, the input should be dropped
-P INPUT DROP

-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# etc

# the limit prevents your logs from being flooded if there are a lot packets being captured
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied" --log-level debug

Note that I've omitted iptables before the commands, I recommend using iptables-restore (or iptables-apply for testing) to avoid locking yourself out if a rule fails to apply. The file to be passed to the command looks like:

*FILTER
# your rules here, for example:
-P INPUT DROP
-P INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT

A newline after the COMMIT line is mandatory.

By default, the entries go to /var/log/kern.log. Not good if you want to differentiate between kernel and iptables messages, so create a filter for rsyslog in /etc/rsyslog.d/iptables.conf containing:

:msg,contains,"iptables denied" /var/log/iptables.log
& ~

This will filter iptables errors and send those to /var/log/iptables.log.

Ubuntu – How to set these iptables rules to run at startup

You may want to use the iptables-persistent package rather than mess with your boot scripts. First, run your script to set up the firewall rules. Secondly, run sudo apt-get install iptables-persistent, and follow the prompts. When it asks to save the current rules, hit "Yes" at both prompts. Now, on reboots, your iptables rules will be restored.

NOTE: If you change your rules after this, you will need to do the following command(s) after the changes:

To save your IPv4 iptables rules: sudo su -c 'iptables-save > /etc/iptables/rules.v4'

To save your IPv6 ip6tables rules: sudo su -c 'ip6tables-save > /etc/iptables/rules.v6'

Best Answer

Related Solutions

Ubuntu – Which INPUT rules do I need to add to iptables so apt (apt-get, aptitude) can work (update, upgrade, search, install)

Ubuntu – How to set these iptables rules to run at startup

Related Question