Source: DigitalOcean – Mitchell Anicas
When migrating from one server to another, it is often desirable to migrate the iptables firewall rules as part of the process. This tutorial will show you how to easily copy your active iptables rule set from one server to another.
This tutorial requires two servers. We will refer to the source server, which has the existing iptables rules, as Server A. The destination server, where the rules will be migrated to, will be referred to as Server B.
You will also need to have superuser, or
sudo, access to both servers.
View Existing Iptables Rules
Before migrating your iptables rules, let’s see what they are set to. You can do that with this command on Server A:
sudo iptables -S
-P INPUT ACCEPT -P FORWARD ACCEPT -P OUTPUT ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -s 126.96.36.199/32 -j DROP
The example rules above will be used to demonstrate the firewall migration process.
Export Iptables Rules
iptables-save command writes the current iptables rules to
stdout (standard out). This gives us an easy way to export the firewall rules to file, by redirecting
stdout to a file.
On the Server A, the one with the iptables rules that you want to migrate, use the
iptables-save to export the current rules to a file named « iptables-export » like this:
cd ~ sudo iptables-save > iptables-export
This will create the
iptables-export file, in your home directory. This file can be used on a different server to load the firewall rules into iptables.
View File Contents (Optional)
Let’s take a quick look at the file’s contents. We’ll use the
cat command to print it out to the terminal:
# Generated by iptables-save v1.4.21 on Tue Sep 1 17:32:29 2015 *filter :INPUT ACCEPT [135:10578] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [8364:1557108] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -s 188.8.131.52/32 -j DROP COMMIT # Completed on Tue Sep 1 17:32:29 2015
As you can see, the file contains the configuration of the active iptables rules. Now we’re ready to copy this file to our destination server, Server B.
Copy Exported Rules to Destination Server
We need to copy the rules file to our destination server, Server B. The easiest way to do this is to use
scp or to copy and paste the file contents to a new file on Server B. We will demonstrate how to use
scp to copy the file over the network to the
On Server A, run this
scp command. Be sure to substitute the highlighted parts with your server’s login and IP address:
scp iptables-export user@server_b_ip_address:/tmp
After providing proper authentication, the file will be copied to the
/tmp directory on Server B. Note that the contents of
/tmp are deleted upon a reboot—feel free to place it somewhere else if you want to preserve it.
Import Iptables Rules
With the exported rules on the destination server, you can load them into iptables. However, depending on your situation, you may want update the rules in the file with new IP addresses and ranges, and perhaps update interface names. If you want to change the rules before loading them, be sure to edit the
/tmp/iptables-export file now.
Once you are ready to load the rules from the
iptables-export file into iptables, let’s use the
iptables-restore command to do so.
On Server B, the destination server, run this command to load the firewall rules:
sudo iptables-restore < /tmp/iptables-export
This will load the rules into iptables. You can verify this with the
sudo iptables -S command.
Iptables rules are ephemeral, so special care must be taken for them to persist after a reboot—it is likely that you will want to perform this step on Server B. We will show you how to save the rules on both Ubuntu and CentOS.
On Ubuntu, the easiest way to save iptables rules, so they will survive a reboot, is to use the iptables-persistent package. Install it with apt-get like this:
sudo apt-get install iptables-persistent
During the installation, you will asked if you want to save your current firewall rules. Response
yes, if you want to save the current rule set.
If you update your firewall rules in the future, and want to save the changes, run this command:
sudo invoke-rc.d iptables-persistent save
CentOS 6 and Older
On CentOS 6 and older—CentOS 7 uses FirewallD by default—you can use the iptables init script to save your iptables rules:
sudo service iptables save
This will save your current iptables rules to the
/etc/sysconfig/iptables file, which gets loaded by iptables upon boot.
Congratulations! Your firewall rules have been migrated from your original server to your new one.