Make the configuration of iptables persistent (Debian)
Objective
To make the configuration of iptables persistent on a Debian-based system
Background
The iptables and ip6tables commands can be used to instruct Linux to perform functions such as firewalling and network address translation, however the configuration that they create is non-persistent so is lost whenever the machine is rebooted. For most practical applications this is not the desired behaviour, so some means is needed to reinstate the configuration at boot time.
For security, the iptables configuration should be applied at an early stage of the bootstrap process: preferably before any network interfaces are brought up, and certainly before any network services are started or routing is enabled. If this is not done then there will be a window of vulnerability during which the machine is remotely accessible but not firewalled.
Scenario
Suppose you have a machine that you wish to protect using a firewall. You have written iptables and ip6tables rulesets, and wish to install them so that they will remain active if the machine is rebooted.
Method
Overview
The method described here has three steps:
- Install the
iptables-persistentpackage. - Place the required rulesets in the
/etc/iptablesdirectory. - Start the
iptables-persistentservice.
The second and third steps can be repeated whenever there is a need to change one or both of the rulesets.
Install the iptables-persistent package
On recent Debian-based systems the iptables configuration can be made persistent using the iptables-persistent package:
apt-get install iptables-persistent
This package first became available in Debian (Squeeze) and Ubuntu (Lucid).
Place the required rulesets in the /etc/iptables directory
Recent versions of iptables-persistent have two configuration files:
/etc/iptables/rules.v4for the IPv4 ruleset, and/etc/iptables/rules.v6for the IPv6 ruleset.
These pathnames are correct from version 0.5 of iptables-persistent onwards, corresponding to Debian (Wheezy) and Ubuntu (Oneiric). Prior to that, the IPv4 ruleset was located at /etc/init.d/rules(no suffix). IPv6 support was unavailable prior to version 0.0.20101230, corresponding to Debian (Wheezy) and Ubuntu (Natty).
The ruleset files should be in a format suitable for use by the iptables-restore or ip6tables-restorecommand as appropriate. Here is an example for configuring the IPv4 filter table:
# Generated by iptables-save v1.4.8 on Thu Jan 12 21:54:29 2012 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [27:3068] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -j REJECT --reject-with icmp-port-unreachable COMMIT # Completed on Thu Jan 12 21:54:29 2012
The required format of this file does not appear to be well-documented, although a partial description can be found in the Iptables Tutorial. Fortunately there are alternatives to writing it from scratch:
- Recent versions of
iptables-persistentoffer to create the files from the current live configuration when the package is installed. You can arrange for this offer to be repeated using thedpkg-reconfigurecommand. - You can achieve the same effect more directly using the
iptables-saveandip6tables-savecommands, for example:
iptables-save > /etc/iptables/rules.v4 ip6tables-save > /etc/iptables/rules.v6
Start the iptables-persistent service
The iptables-persistent must be started or restarted for it to have an effect on the live configuration. In practice it should rarely be necessary to request this explicitly:
- If the rulesets were constructed from the current live configuration then there is no immediate need for
iptables-persistentto do anything, because the stored and live configurations are already in agreement. - The
iptables-persistentservice automatically starts when the system is rebooted.
You will need to explicitly start the service if you provide the rulesets by some other means:
service iptables-persistent start
Note that the versions of this package included with Squeeze, Lucid and Maverick respond only to start and not to restart, reload or force-reload. This has since been fixed.