How to make iptables configuration persistent

Make iptables configuration persistent using basic system utilities or a designated boot-time loader.

Use basic system utilities

This simple solution is most suitable for a system with a single network interface.

Edit the global /etc/network/interfaces configuration file, or a specific interface configuration in the /etc/network/interfaces.d/ directory, and define pre-down and post-up options that save and load the iptables configuration using the /etc/firewall.rules file.

allow-hotplug eth0
iface eth0 inet static
  address 192.168.0.5
  netmask 255.255.255.0
  gateway 192.168.0.254
  pre-down iptables-save > /etc/firewall.rules
  post-up  iptables-restore < /etc/firewall.rules

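The firewall configuration is saved before the interface is taken down and restored after it is brought up. The /etc/firewall.rules file must exist before the interface is first brought up, because the post-up command fails when the file is missing.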

Use boot-time loader for firewall rules

Install iptables-persistent package.

$ sudo apt-get install iptables-persistent

Store the IPv4 iptables configuration during the installation process.

Store the IPv6 iptables configuration during the installation process.

Use dpkg-reconfigure to perform this step later.

$ sudo dpkg-reconfigure iptables-persistent

Ensure that netfilter-persistent will be enabled at boot.

$ sudo systemctl enable netfilter-persistent

To flush the firewall rules when the service is stopped, change the FLUSH_ON_STOP variable in the /etc/default/netfilter-persistent configuration file. Skip this step if you want the default behaviour.

$ cat /etc/default/netfilter-persistent 
# Configuration for netfilter-persistent
# Plugins may extend this file or have their own

FLUSH_ON_STOP=0

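IPv4 firewall rules are not saved automatically on system shutdown. Use the following command to update the saved rules. The redirection has to run as root, so the whole command is wrapped in a root shell.

$ sudo sh -c 'iptables-save > /etc/iptables/rules.v4'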

IPv6 firewall rules are not saved automatically on system shutdown. Use the following command to update the saved rules.

$ sudo sh -c 'ip6tables-save > /etc/iptables/rules.v6'
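
Because the saved files change only when these commands are run, the rules in memory can drift from what will be loaded at the next boot. The script below is an added example, not part of the original article: it compares a saved rules file with a dump of the running rules while ignoring timestamps and packet counters. The function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: report drift between a saved rules file and the running rules.

# Remove the parts of iptables-save output that change while the rules do not:
# "# Generated by"/"# Completed on" comments and [packets:bytes] counters.
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/^\(:[^ ]* [^ ]*\) \[[0-9]*:[0-9]*]$/\1/' \
        -e 's/^\[[0-9]*:[0-9]*] //' \
        -e 's/[[:space:]]*$//' \
        -e '/^$/d' "$1"
}

# rules_drift SAVED RUNNING
# Prints a unified diff; returns 0 when the rule sets match, 1 when they differ.
# Line order is kept because rule order within a chain decides which rule matches.
rules_drift() {
    a=$(mktemp) || return 2
    b=$(mktemp) || { rm -f "$a"; return 2; }
    normalize_rules "$1" > "$a"
    normalize_rules "$2" > "$b"
    diff -u "$a" "$b"
    rc=$?
    rm -f "$a" "$b"
    return "$rc"
}

# Constructed sample data: a saved file and a later dump with one extra rule.
write_samples() {
    cat > "$1/rules.v4" << 'EOF'
# Generated by iptables-save on Mon Jan  1 10:00:00 2024
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Jan  1 10:00:00 2024
EOF
    sed -e 's/\[0:0]/[1542:98211]/' -e 's/10:00:00/18:30:12/' \
        -e '/--dport 22/a\
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT' "$1/rules.v4" > "$1/running.v4"
}

# Demo on the constructed samples; the diff shows the unsaved port 8080 rule.
tmp=$(mktemp -d) && write_samples "$tmp"
rules_drift "$tmp/rules.v4" "$tmp/running.v4" || echo "running rules differ from saved rules"
rm -rf "$tmp"
```

On a live system, compare /etc/iptables/rules.v4 with a file holding the current output of iptables-save (run as root); a non-zero return means the rules in memory will not survive a reboot as they are.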

Additional notes

Import iptables-persistent configuration before package installation to automate the whole process.

$ cat << EOF | sudo debconf-copydb pipe configdb --config=Name:pipe --config=Driver:Pipe  
Name: iptables-persistent/autosave_v4
Template: iptables-persistent/autosave_v4
Value: true
Owners: iptables-persistent
Flags: seen

Name: iptables-persistent/autosave_v6
Template: iptables-persistent/autosave_v6
Value: true
Owners: iptables-persistent
Flags: seen
EOF

Export iptables-persistent configuration using the following command.

$ sudo debconf-copydb configdb stdout         \
    --config=Name:stdout                 \
    --config=Driver:Pipe                 \
    --config=InFd:none                   \
    --pattern='^iptables-persistent/'

Read how to copy answers to the configuration questions for Debian packages for more detailed information.

About Milosz Galazka

Milosz is a Linux Foundation Certified Engineer working for a successful Polish company as a system administrator and a long-time supporter of the Free Software Foundation and the Debian operating system.