36

I'm trying to redirect http traffic to port 8080 on the same machine and have the iptables rules below working.

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080

I'm trying to figure out how to make this change permanent in case of a reboot of the system.

I'm using Ubuntu 11.10 server.

hafichuk

4 Answers

136

Ubuntu (and Debian) offer the package iptables-persistent (Debian: http://packages.debian.org/wheezy/iptables-persistent , Ubuntu: http://packages.ubuntu.com/saucy/iptables-persistent), which does exactly what you want. As root, or via sudo:

apt-get install iptables-persistent
iptables-save > /etc/iptables/rules.v4

If you're working with ip6tables, you'll want to also ip6tables-save > /etc/iptables/rules.v6.

You must save the tables again (iptables-save > /etc/iptables/rules.v4, ip6tables-save > /etc/iptables/rules.v6) after any change you make.

On older versions (before iptables-0.5, and before Debian Wheezy) you will need to write to a different file:

iptables-save > /etc/iptables/rules
yomimono
  • 12
    In case it helps anyone else... it took me a while to track down that I really needed to do this: iptables-save > /etc/iptables/rules.v4 – mdahlman Jul 01 '13 at 04:58
  • 9
    If you're using IPv6 too, it can be a pain to make sure the rules get to the right place. You can run the following to make that happen, automagically: `invoke-rc.d iptables-persistent save` – Ted Pennings Aug 25 '13 at 16:44
  • 1
    @mdahlman depends on the Debian/Ubuntu version. I believe Debian <7 requires `> /etc/iptables/rules` and 7+ requires `> /etc/iptables/rules.v4` – Wilfred Hughes Nov 25 '13 at 12:35
  • 1
    @WilfredHughes ahh... that is very interesting. yomimono, if you update your answer with an authoritative explanation of which versions of Ubuntu need which variation of the command you would be a hero. – mdahlman Nov 27 '13 at 06:18
  • Looks like the change was in iptables-0.5 , from the Ubuntu changelog; http://changelogs.ubuntu.com/changelogs/pool/universe/i/iptables-persistent/iptables-persistent_0.5.7/changelog , so anything after that will need rules.v4 . – yomimono Dec 02 '13 at 21:49
  • 6
    dpkg-reconfigure iptables-persistent if you want to rerun and save, not ideal but quick and dirty. – depicus May 27 '14 at 21:04
  • note that you can reload iptables without rebooting just with the command `service iptables-persistent restart` – Guillaume Vincent Aug 07 '14 at 08:55
  • 1
    Just for the record, the other way is to run `service iptables-persistent save`. This one and the one suggested by @TedPennings should be the preferred way instead of directly writing to the destination files. – loshad vtapkah Apr 30 '16 at 11:28
  • You may set iptables values before installing iptables-persistent package. When you install the package, it will pop up for saving current iptables values. So convenient. – Menway Feb 15 '17 at 16:00
19

One way to do this would be:

vim /etc/network/interfaces

Append the below line along with your lo directives:

post-up /sbin/iptables-restore < /etc/iptables-up.rules

Now run the below command

iptables-save > /etc/iptables-up.rules

I hope this helps.

vinod_garag
  • 10
    Whoever finds this should consider the much better answer about `iptables-persistent` by yomimono below. – zakx May 27 '14 at 13:21
  • 1
    Never use it this way; that leaves a window open where, at least for a moment, a wrong connection can be considered `ESTABLISHED`. Interface should be `lo` (loopback) instead of `eth0` and `pre-up` instead of `post-up`. – poige Sep 06 '14 at 10:56
  • I get a permission denied when trying to write to `/etc`, even in root mode – puk Jul 17 '15 at 08:00
    Agree with Zakx and Poige, this is one approach out of many but there is nothing wrong with it. @Poige I had issues with pre-up if there are any errors in the iptables-up.rules file, hence I suggested post-up. – vinod_garag Feb 03 '18 at 14:23
  • `pre-up …something_that_can_fail… || :` – poige Feb 03 '18 at 18:12
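Both the iptables-persistent answer and the `/etc/network/interfaces` answer above end up with a file that `iptables-restore` reads at boot, and the comments on each raise the same two practical questions: which file name a given iptables-persistent version reads (`/etc/iptables/rules` before 0.5, `/etc/iptables/rules.v4` from 0.5 on), and what happens when that file is malformed (a failing `pre-up` hook blocks the interface). The script below is an added example written for this page; it is not from the thread, from Ubuntu, or from the iptables-persistent package. It checks a saved ruleset without needing root: every `*table` section must be closed by `COMMIT`, and the two REDIRECT rules from the question must be present for both the PREROUTING (remote) and OUTPUT (local) chains. The function and variable names, the embedded sample dump, and the `save_rules` wrapper are all assumptions of the example; `save_rules` additionally assumes an `iptables-restore` that understands `--test`, which older releases lack.

```shell
#!/bin/sh
# Added example (not from the original thread): sanity-check an iptables-save
# dump before it becomes the boot-time ruleset, and pick the file name that a
# given iptables-persistent version reads at boot.

# Constructed sample of what `iptables-save` prints for the REDIRECT rules in
# the question. Real dumps are longer; this is only test input.
SAMPLE_RULES='# Generated by iptables-save v1.4.12 on Mon Jan  1 00:00:00 2012
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Mon Jan  1 00:00:00 2012'

# write_sample FILE: write the constructed dump to FILE.
write_sample() {
    printf '%s\n' "$SAMPLE_RULES" > "$1"
}

# rules_path VERSION: print the file iptables-persistent of that package
# version reads at boot. Per the comments above, versions before 0.5 read
# /etc/iptables/rules; 0.5 and later read /etc/iptables/rules.v4.
rules_path() {
    if printf '%s\n' "$1" | awk -F. '{ exit !($1 == 0 && $2 < 5) }'; then
        echo /etc/iptables/rules
    else
        echo /etc/iptables/rules.v4
    fi
}

# check_rules_file FILE: static sanity check on a saved ruleset. Succeeds
# only when the file has at least one *table section and every section is
# closed by a COMMIT line; a truncated or hand-edited file fails here instead
# of failing in iptables-restore during boot.
check_rules_file() {
    awk '
        /^\*/      { if (open) bad = 1; open = 1; tables++ }
        /^COMMIT$/ { if (!open) bad = 1; open = 0 }
        END        { exit (bad || open || tables == 0) ? 1 : 0 }
    ' "$1"
}

# has_redirect FILE DPORT TOPORT: succeed only if FILE redirects DPORT to
# TOPORT in both PREROUTING (traffic from other hosts) and OUTPUT (traffic
# generated on this host), which is what the question's two rules do.
has_redirect() {
    file=$1; dport=$2; toport=$3
    for chain in PREROUTING OUTPUT; do
        grep -q -- "^-A $chain .*--dport $dport .*-j REDIRECT --to-ports $toport\$" "$file" || return 1
    done
}

# save_rules VERSION: the real procedure. Needs root and a live netfilter, so
# the demo below does not call it. Dumps the running tables to a temp file,
# refuses to install it unless the checks pass, parses it with
# `iptables-restore --test` (assumed available; drop that line on releases
# without the flag), then moves it into the file iptables-persistent reads.
# The file is made root-only because the ruleset reveals the network layout.
save_rules() {
    dest=$(rules_path "$1")
    tmp=$(mktemp) || return 1
    iptables-save > "$tmp" || { rm -f "$tmp"; return 1; }
    check_rules_file "$tmp" || { echo "refusing to install malformed $tmp" >&2; return 1; }
    iptables-restore --test "$tmp" || { echo "iptables-restore rejected $tmp" >&2; return 1; }
    mv "$tmp" "$dest" && chmod 600 "$dest"
}

# Demo on the constructed sample (runs without root).
demo_file=$(mktemp)
write_sample "$demo_file"
if check_rules_file "$demo_file" && has_redirect "$demo_file" 80 8080; then
    echo "sample OK; iptables-persistent 0.5.7 would read $(rules_path 0.5.7)"
fi
rm -f "$demo_file"
```

To use it on a real box, source the script and run `save_rules "$(dpkg-query -W -f='${Version}' iptables-persistent)"` as root after every rule change, in place of the bare `iptables-save > /etc/iptables/rules.v4`; the static check is cheap enough to leave in a `pre-up` hook as well, so a bad file is reported rather than silently breaking the interface.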
6

Can't we do the same thing with rc.local but perform the following steps

iptables-save > current_iptables_rules

Then go into /etc/rc.local and enter the following

iptables-restore < current_iptables_rules

Won't that accomplish the same thing? I could be missing something.

Uwe Keim
Todd
2

Add them to /etc/ufw/before.rules. The syntax is a little different but you'll see how it works.

UFW is the Ubuntu firewall frontend to iptables. You might need to enable UFW using sudo ufw enable, but you can just not set any rules inside ufw.

Chris