In this post we will learn how to save iptables rules permanently on Ubuntu. On Red Hat based operating systems such as RHEL and CentOS, we can permanently set the iptables rules in the /etc/sysconfig/iptables file.
When you work on Ubuntu, you may find that you can only set iptables rules temporarily. Rules added with the iptables command are cleared when the system restarts.
To make the iptables rules permanent on an Ubuntu system, we will use the package called iptables-persistent.
Save iptables permanently on Ubuntu
Follow the steps below to make the iptables rules permanent on an Ubuntu system.
Step 1: Install iptables-persistent package
sudo apt-get update
sudo apt-get install iptables-persistent
During the installation of iptables-persistent, you will be asked on screen whether to install the IPv4 and IPv6 rule sets.
The screen below is for selecting IPv4.
The screen below is for selecting IPv6 (if you do not want to install for IPv6, select no).
Step 2: The installation will take a few seconds/minutes. After the installation of iptables-persistent has completed, start the service.
service iptables-persistent start
NOTE: In the same way, you can also stop, restart or reload the service.
For stopping iptables-persistent service
service iptables-persistent stop
For restarting iptables-persistent service
service iptables-persistent restart
For reloading iptables-persistent service
service iptables-persistent reload
Step 3: The iptables-persistent service should now be running. You can now set the iptables rules and save them for the applicable IP version (i.e. IPv4/IPv6).
For example, we want to set iptables (IPv4) rules for port numbers 27017 and 28017 (i.e. MongoDB).
iptables -A INPUT -s 192.168.56.0/24 -m state --state NEW -p tcp --dport 27017 -j ACCEPT
iptables -A INPUT -s 192.168.56.0/24 -m state --state NEW -p tcp --dport 28017 -j ACCEPT
This is the important part. After setting the rules, we save them to the /etc/iptables/rules.v4 file. Run the command below.
iptables-save > /etc/iptables/rules.v4
Alternatively, rather than using the iptables-save command, you can edit the /etc/iptables/rules.v4 file directly.
Be careful: the rules must be written above the COMMIT line. See the example below.
root@ubuntu:~# cat /etc/iptables/rules.v4
# Generated by iptables-save v1.4.12 on Sun Feb 16 14:29:05 2014
*filter
:INPUT ACCEPT [34:2600]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [17:1812]
-A INPUT -s 192.168.56.0/24 -p tcp -m state --state NEW -m tcp --dport 27017 -j ACCEPT
-A INPUT -s 192.168.56.0/24 -p tcp -m state --state NEW -m tcp --dport 28017 -j ACCEPT
COMMIT
# Completed on Sun Feb 16 14:29:05 2014
root@ubuntu:~#
When you use iptables with IPv6, follow the same steps. Instead of the command iptables-save > /etc/iptables/rules.v4, use the command given below.
ip6tables-save > /etc/iptables/rules.v6
As with IPv4, you can alternatively edit the file /etc/iptables/rules.v6 directly.
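The hand-editing caveat above (rules must sit above the COMMIT line) can be checked before a reboot. The following is an added example, not part of the original post: a hypothetical helper, check_rules, that lints iptables-save format text on stdin for rules outside a *table ... COMMIT section and for typographic dashes pasted in place of "--". The sample input is constructed.

```shell
#!/bin/sh
# check_rules: structural lint for iptables-save format text read from stdin.
# Hypothetical helper for illustration; not part of iptables-persistent.
# Exit status 0 = structure looks sane, 1 = at least one problem was reported.
check_rules() {
    awk '
        /^[ \t]*#/ { next }                     # comment lines
        /^[ \t]*$/ { next }                     # blank lines
        index($0, "–") || index($0, "—") {      # typographic dash copied from a web page
            printf "line %d: non-ASCII dash, options need \"--\"\n", NR; bad = 1
        }
        /^\*/ {                                 # table header such as *filter
            if (tbl) { printf "line %d: %s starts before COMMIT of %s\n", NR, $0, tbl; bad = 1 }
            tbl = $0; next
        }
        $0 == "COMMIT" {
            if (!tbl) { printf "line %d: COMMIT without a table header\n", NR; bad = 1 }
            tbl = ""; next
        }
        !tbl {                                  # chain policy or rule outside a table section
            printf "line %d: outside a table section (below COMMIT?): %s\n", NR, $0; bad = 1
        }
        END {
            if (tbl) { print "end of file: " tbl " has no COMMIT"; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample: the second rule was appended below COMMIT and its
# options were pasted with en-dashes instead of "--".
bad_sample='*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 192.168.56.0/24 -p tcp -m state --state NEW -m tcp --dport 27017 -j ACCEPT
COMMIT
-A INPUT -s 192.168.56.0/24 -p tcp -m state –state NEW -m tcp –dport 28017 -j ACCEPT'

printf '%s\n' "$bad_sample" | check_rules || echo "rules file rejected"
```

Run it against a real file as check_rules < /etc/iptables/rules.v4 (or rules.v6). It checks structure only; iptables-restore --test < /etc/iptables/rules.v4 parses the full rule set without committing it.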
Step 4: You can test the configuration by restarting the system. Try the procedure on a staging machine before applying it to a production server.
The command below will restart the system.
sudo init 6
Note: This tutorial is about iptables. Hence, we are not discussing the ufw command.
I noticed you use the same save command for ipv4 and ipv6:
iptables-save > /etc/iptables/rules.v4
iptables-save > /etc/iptables/rules.v6
So both files will have the same content.
Is that right, or is it a typo?
Thank You Jesus Gomez,
The typo is fixed.
ip6tables-save is for IPv6. I really appreciate you fixing this typo.
Best Regards
Sharad