15

I want my iptables rules to automatically be loaded on startup. According to the wiki on Debian this can be done by placing a script with the name iptables in /etc/network/if-pre-up.d/ So I did, this is what it looks like:

cat /etc/network/if-pre-up.d/iptables 
#!/bin/sh
/sbin/iptables-restore < /etc/firewall/iptables.rules
/sbin/ip6tables-restore < /etc/firewall/ip6tables.rules

This script works: if I run it as root my firewall rules get applied. But on reboot there are no firewall rules. What am I doing wrong?

On request: the /etc/network/interfaces (I did not touch this file)

user@DebianVPS:~$ cat /etc/network/interfaces 
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp
Cheiron
  • How do you configure your interfaces? Can you add /etc/network/interfaces file? – bayindirh May 27 '13 at 08:30
  • 1
    Please note that `/etc/network/if-pre-up.d/` does not work anymore in Ubuntu 18.04, see https://serverfault.com/questions/914493/ubuntu-18-04-doesnt-load-iptables-rules-after-reboot – BurninLeo Feb 02 '19 at 22:24

3 Answers

11

This problem might be related to the permission bits of your script. What is the output of this command? Does it include your file?

run-parts --test /etc/network/if-pre-up.d
eppesuig
  • run-parts --test /etc/network/if-pre-up.d gives /etc/network/if-pre-up.d/iptables, which seems the correct output to me? – Cheiron May 27 '13 at 08:56
  • 1
    ok, so, you should probably check when your script is run. Add a first line like this `(date; set; echo) >> /tmp/iptables-cmd.log`, so you will see when it is called. I always also print the environment in order to check for any argument passed there. You might decide to run your iptables only after last eth* interface is up, instead of running it every time an interface is added. – eppesuig May 27 '13 at 09:01
  • 3
    Now that you posted your `interfaces` I see that you are not using ifupdown, but network-manager. This is why your script is not called. Please check this document: http://ubuntuforums.org/showthread.php?t=1084308 – eppesuig May 27 '13 at 09:21
  • Well that explains a lot. I think now I'm just going with the answer of dawud; that seems to work either way. – Cheiron May 27 '13 at 09:26
  • 3
    run-parts is a bit picky about the name of scripts and having a dot in the filename was causing the script to be ignored at startup in my case. – alexm Aug 17 '13 at 15:55
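The two things this answer and its comments point at, whether run-parts will pick the script up at all and when the hook is actually being called, can be checked without touching a live system. The following is an added example, not code from the question or from any of the answers. It assumes the default run-parts(8) naming rule (a script name must match `^[a-zA-Z0-9_-]+$`, so a dot or any other character makes run-parts skip the file silently), the `IFACE`, `MODE` and `PHASE` variables that ifupdown exports to hook scripts, and the `/sbin/iptables-restore` path from the question. The demo passes `cat` in place of `iptables-restore` so it runs unprivileged, and the rules file it writes is constructed sample data in the iptables-save format that `iptables-restore` consumes (the same format iptables-persistent reads from `/etc/iptables/rules.v4` and `rules.v6`).

```shell
#!/bin/sh
# Added example (not from the question or answers): two POSIX sh functions for
# diagnosing a firewall hook in /etc/network/if-pre-up.d that never seems to run.
#
#  runparts_eligible FILE
#      Mirrors the conditions run-parts(8) applies to scripts in a hook
#      directory: the name must match ^[a-zA-Z0-9_-]+$ (a dot, as in
#      "iptables.sh", makes run-parts skip it) and the file must be a regular,
#      executable file.
#
#  restore_rules RULES_FILE LOG_FILE [RESTORE_CMD]
#      Body of a logging pre-up hook: records when it ran and with which
#      ifupdown variables (IFACE, MODE, PHASE), does nothing on MODE=stop,
#      reports a missing rules file instead of failing silently, and logs the
#      restore command's exit status. RESTORE_CMD defaults to
#      /sbin/iptables-restore; the demo passes "cat" so it can run as any user.

LC_ALL=C; export LC_ALL   # run-parts also matches names in the C locale

runparts_eligible() {
    f=$1
    name=${f##*/}
    case "$name" in
        *[!a-zA-Z0-9_-]*|"")
            printf 'REJECT: "%s" contains a character run-parts refuses\n' "$name"
            return 1 ;;
    esac
    [ -f "$f" ] || { printf 'REJECT: %s is not a regular file\n' "$name"; return 1; }
    [ -x "$f" ] || { printf 'REJECT: %s is not executable\n' "$name"; return 1; }
    printf 'OK: %s would be run by run-parts\n' "$name"
}

restore_rules() {
    rules=$1
    log=$2
    cmd=${3:-/sbin/iptables-restore}
    # ifupdown exports IFACE, MODE (start|stop) and PHASE (pre-up, post-up, ...)
    printf '%s IFACE=%s MODE=%s PHASE=%s\n' "$(date '+%F %T')" \
        "${IFACE:-?}" "${MODE:-?}" "${PHASE:-?}" >>"$log"
    if [ "${MODE:-}" = stop ]; then
        printf 'skip: interface going down\n' >>"$log"
        return 0
    fi
    if [ ! -r "$rules" ]; then
        printf 'error: rules file %s missing or unreadable\n' "$rules" >>"$log"
        return 2
    fi
    # iptables-restore replaces the tables atomically, so repeating this on
    # every interface event is safe; the log shows how often it happens.
    if "$cmd" <"$rules" >>"$log" 2>&1; then rc=0; else rc=$?; fi
    printf 'restore exit status %d\n' "$rc" >>"$log"
    return "$rc"
}

# Demonstration on constructed files in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\nexit 0\n' >"$tmp/iptables"; chmod 755 "$tmp/iptables"
    cp "$tmp/iptables" "$tmp/iptables.sh"           # dot in the name
    printf '#!/bin/sh\nexit 0\n' >"$tmp/ip6tables"  # execute bit missing
    runparts_eligible "$tmp/iptables"
    runparts_eligible "$tmp/iptables.sh" || true
    runparts_eligible "$tmp/ip6tables" || true

    # constructed rules file in iptables-save format
    printf '*filter\n:INPUT DROP [0:0]\n-A INPUT -i lo -j ACCEPT\nCOMMIT\n' >"$tmp/rules.v4"
    IFACE=eth0 MODE=start PHASE=pre-up restore_rules "$tmp/rules.v4" "$tmp/hook.log" cat
    IFACE=eth0 MODE=stop PHASE=pre-down restore_rules "$tmp/rules.v4" "$tmp/hook.log" cat
    IFACE=eth0 MODE=start PHASE=pre-up restore_rules "$tmp/missing" "$tmp/hook.log" cat || true
    cat "$tmp/hook.log"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with `sh check-hook.sh demo`; on a real host, `runparts_eligible /etc/network/if-pre-up.d/iptables` answers the same question as `run-parts --test`, and the log written by `restore_rules` answers the "is it called at all, and when" question from the comment above.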
7

Use the iptables-persistent package for this task.

Define your rules in /etc/iptables/rules.4 and /etc/iptables/rules.6 and don't forget to activate the service (using update-rc.d, chkconfig or your favourite tool).

dawud
  • 1
    At installation of the package, debconf asks you if you want to save the current rules. So, if you have the rules defined already, you can simply install the package. If you want to change them later, just `dpkg-reconfigure iptables-persistent`. – Braiam Apr 06 '16 at 23:30
0

Why not do it the easy way?

1 - create your iptables rules

2 - run "sudo apt-get install iptables-persistent"; it will ask you if you want to save the rules and restore them after boot.

3 - You are DONE

alex