How To Migrate Iptables Firewall Rules to a New Server

Print Friendly, PDF & Email

Source: DigitalOcean – Mitchell Anicas


When migrating from one server to another, it is often desirable to migrate the iptables firewall rules as part of the process. This tutorial will show you how to easily copy your active iptables rule set from one server to another.


This tutorial requires two servers. We will refer to the source server, which has the existing iptables rules, as Server A. The destination server, where the rules will be migrated to, will be referred to as Server B.

You will also need to have superuser, or sudo, access to both servers.

View Existing Iptables Rules

Before migrating your iptables rules, let’s see what they are set to. You can do that with this command on Server A:

sudo iptables -S
Example output:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

The example rules above will be used to demonstrate the firewall migration process.

Export Iptables Rules

The iptables-save command writes the current iptables rules to stdout (standard out). This gives us an easy way to export the firewall rules to file, by redirecting stdout to a file.

On the Server A, the one with the iptables rules that you want to migrate, use the iptables-save to export the current rules to a file named « iptables-export » like this:

cd ~
sudo iptables-save > iptables-export

This will create the iptables-export file, in your home directory. This file can be used on a different server to load the firewall rules into iptables.

View File Contents (Optional)

Let’s take a quick look at the file’s contents. We’ll use the cat command to print it out to the terminal:

cat iptables-export
iptables-export contents:
# Generated by iptables-save v1.4.21 on Tue Sep  1 17:32:29 2015
:INPUT ACCEPT [135:10578]
:OUTPUT ACCEPT [8364:1557108]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Completed on Tue Sep  1 17:32:29 2015

As you can see, the file contains the configuration of the active iptables rules. Now we’re ready to copy this file to our destination server, Server B.

Copy Exported Rules to Destination Server

We need to copy the rules file to our destination server, Server B. The easiest way to do this is to use scp or to copy and paste the file contents to a new file on Server B. We will demonstrate how to use scp to copy the file over the network to the /tmp directory.

On Server A, run this scp command. Be sure to substitute the highlighted parts with your server’s login and IP address:

scp iptables-export user@server_b_ip_address:/tmp

After providing proper authentication, the file will be copied to the /tmp directory on Server B. Note that the contents of /tmp are deleted upon a reboot—feel free to place it somewhere else if you want to preserve it.

Import Iptables Rules

With the exported rules on the destination server, you can load them into iptables. However, depending on your situation, you may want update the rules in the file with new IP addresses and ranges, and perhaps update interface names. If you want to change the rules before loading them, be sure to edit the /tmp/iptables-export file now.

Once you are ready to load the rules from the iptables-export file into iptables, let’s use the iptables-restore command to do so.

On Server B, the destination server, run this command to load the firewall rules:

sudo iptables-restore < /tmp/iptables-export

This will load the rules into iptables. You can verify this with the sudo iptables -S command.

Save Rules

Iptables rules are ephemeral, so special care must be taken for them to persist after a reboot—it is likely that you will want to perform this step on Server B. We will show you how to save the rules on both Ubuntu and CentOS.


On Ubuntu, the easiest way to save iptables rules, so they will survive a reboot, is to use the iptables-persistent package. Install it with apt-get like this:

sudo apt-get install iptables-persistent

During the installation, you will asked if you want to save your current firewall rules. Response yes, if you want to save the current rule set.

If you update your firewall rules in the future, and want to save the changes, run this command:

sudo invoke-rc.d iptables-persistent save

CentOS 6 and Older

On CentOS 6 and older—CentOS 7 uses FirewallD by default—you can use the iptables init script to save your iptables rules:

sudo service iptables save

This will save your current iptables rules to the /etc/sysconfig/iptables file, which gets loaded by iptables upon boot.


Congratulations! Your firewall rules have been migrated from your original server to your new one.

Related Post