When you create firewall rules with iptables on Linux, you want to make them persistent over reboot, because they are not by default. Different Linux distributions have different methods of achieving this, although the basics are similar. I’ve been working with Debian, Red Hat Enterprise Linux and SUSE Linux Enterprise Server and in this blog I’ll describe how to configure each of them to save your iptables rules across reboots.
First the good news: the iptables package, the administration tool for packet filtering and NAT, always ships with Linux distributions. The package also includes the ‘iptables-save’ and ‘iptables-restore’ tools. These do what you might already expect from their names: save or restore iptables rules. ‘iptables-save’ outputs to stdout, which you can save to a file:
iptables-save > /etc/iptables/rules
To load these again:
iptables-restore < /etc/iptables/rules
These really are the basics that work across Linux distributions and that you can use in your custom boot scripts. In addition to this, each Linux distribution has its own way to make this process easier.
Red Hat Enterprise Linux (RHEL):
RHEL (and the same goes for CentOS and Fedora) has a built-in mechanism to help automate this. First of all, there are some settings in ‘/etc/sysconfig/iptables-config’:
IPTABLES_SAVE_ON_STOP="yes"
IPTABLES_SAVE_ON_RESTART="yes"
You can set them to “yes” to have persistent iptables rules. In fact, there are many more settings in that file that allow for finer control. That’s all, since the rest is handled automatically.
At any time it’s possible to save the current state. Just run:
service iptables save
This writes the rules to ‘/etc/sysconfig/iptables’, the same file that is used on reboot. Pretty easy and pretty powerful!
SUSE Linux Enterprise Server (SLES 11):
SLES (and the same goes for OpenSUSE) is yet another story. SLES 11 now ships with SUSE Firewall. Instead of defining the rules yourself, you tell Yast what you want to achieve and it generates the needed iptables rules for you. Although SUSE Firewall does allow you to add custom rules, it isn’t really designed for it. The tool is pretty nice though, because it integrates fully with Yast and allows for easy maintenance of rules. When you install a package, for example, it automatically opens the associated port.
This might all seem a bit scary to us sysadmins, right?! Don’t worry, it’s still possible to manage rules on your own by disabling SUSE Firewall. But have a look at it first, as you might actually like it.
To start the SUSE Firewall admin module, run:
yast2 firewall
The interface is pretty self-explanatory. Afterwards, to activate the changes run:
SuSEfirewall2
It’s even possible to bypass Yast and edit the config file directly; combining the two methods is safe:
vim /etc/sysconfig/SuSEfirewall2
For example, to open a port you’d edit the ‘FW_SERVICES_EXT_TCP’ variable. Just make a space-separated list of the protocols you want to allow; these names refer to files in ‘/etc/sysconfig/SuSEfirewall2.d’.
Like with using Yast, activate the changes when you’re done.
SuSEfirewall2
I’ve used it for some time and it’s actually pretty easy. It just depends on the project whether or not to use it, I guess.
Debian:
When I was using Debian (the same goes for Ubuntu), I used to create a small shell script and place it in ‘/etc/network/if-pre-up.d’. Just before the network interface is brought up, the iptables rules are restored. The idea is to do the same when the interface goes down (place the script in the ‘/etc/network/if-post-down.d’ folder). Using these techniques, you can build something yourself and have fine control over it.
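The script described above, as an added example that is not part of the original post: it restores the rules before an interface comes up and saves them after it goes down, using the plain iptables-save and iptables-restore commands from the start of the post. It assumes the rules live in /etc/iptables/rules (the path used above) and that the same file is installed under both /etc/network/if-pre-up.d and /etc/network/if-post-down.d. IFACE and MODE are variables ifupdown itself exports; RULES_FILE, the IPTABLES_RESTORE/IPTABLES_SAVE overrides and the ownership and permission check are assumptions of this example. A rules file that is missing, not owned by root, or writable by others is refused, and a failed restore exits non-zero so ifupdown does not bring the interface up unfiltered.

```shell
#!/bin/sh
# Added example, not from the original post.
# Install as /etc/network/if-pre-up.d/iptables and /etc/network/if-post-down.d/iptables
# (mode 0755). ifupdown exports IFACE and MODE ("start" for pre-up, "stop" for post-down).
# RULES_FILE and the IPTABLES_* overrides are assumptions of this example; they exist
# so the logic can be dry-run or tested without root or a real iptables binary.

RULES_FILE="${RULES_FILE:-/etc/iptables/rules}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"

# A rules file is only trusted if it is a regular file, owned by the user running
# this script (root under ifupdown) and writable by nobody else. Uses GNU stat -c.
check_rules_file() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "iptables: rules file $f is missing" >&2
        return 1
    fi
    if [ "$(stat -c '%u' "$f")" != "$(id -u)" ]; then
        echo "iptables: rules file $f is not owned by uid $(id -u)" >&2
        return 1
    fi
    # Octal mode string, e.g. 644 or 1664: a 2, 3, 6 or 7 in the group or
    # other position means that class has write permission.
    case "$(stat -c '%a' "$f")" in
        *[2367]?|*[2367])
            echo "iptables: rules file $f is group- or world-writable" >&2
            return 1 ;;
    esac
    return 0
}

# Load the saved rules. A non-zero exit tells ifupdown not to bring the interface
# up, so a broken or missing rules file fails closed instead of leaving the host open.
restore_rules() {
    f="$1"
    check_rules_file "$f" || return 1
    if ! "$IPTABLES_RESTORE" < "$f"; then
        echo "iptables: restoring rules from $f failed" >&2
        return 1
    fi
    return 0
}

# Dump the running rules to a 0600 temporary file in the same directory and rename
# it into place: readers never see a half-written file and a failed dump keeps the old one.
save_rules() {
    f="$1"
    dir=$(dirname "$f")
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    tmp=$(mktemp "$dir/.rules.XXXXXX") || return 1
    if "$IPTABLES_SAVE" > "$tmp"; then
        chmod 600 "$tmp" && mv -f "$tmp" "$f"
    else
        rm -f "$tmp"
        echo "iptables: iptables-save failed, keeping $f" >&2
        return 1
    fi
}

# Dispatch on the phase ifupdown is running. When MODE is unset (run by hand or
# sourced), nothing happens, so the functions can also be used individually.
case "${MODE:-}" in
    start) restore_rules "$RULES_FILE" || exit 1 ;;
    stop)  save_rules "$RULES_FILE" || exit 1 ;;
esac
```

Two caveats before using this on a remote machine: failing closed on a missing rules file means the interface stays down until someone with console access fixes the file, and saving on every interface shutdown also captures a ruleset you may have flushed deliberately for debugging. If either is a concern, drop the post-down copy and save explicitly with iptables-save instead.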
Recently I heard about a tool called ‘iptables-persistent’ that can automate this out-of-the-box. Here’s the package description:
iptables-persistent - boot-time loader for iptables rules: Current iptables rules can be saved to the configuration file '/etc/iptables/rules.v4'. These rules will then be loaded automatically during system startup.
To install it:
sudo apt-get install iptables-persistent
During installation, the package asks whether to save both the IPv4 and IPv6 iptables rules. Note that this applies to Wheezy; the current stable release uses the file ‘/etc/iptables/rules’.
To manually save the iptables rules, run:
/etc/init.d/iptables-persistent save
This should also happen automatically when you reboot. It looks like the Red Hat way of doing things, just with an extra package installed.
Conclusion:
iptables all over the place, just with different tooling to automate it 🙂
Thank you for such a nice tutorial.
I just wrote a different kind of tutorial on how to set up Arno IPTABLES firewall.
Maybe it may help someone to set up his own firewall based on IPTABLES.
You can find some examples for a mail server and for a Proxy server using SNAT and port forwarding.
The location of my tutorial is here:
http://cosmolinux.no-ip.org/raconetlinux2/arno_iptables_firewall.html
I hope it is useful to someone.
Thanks Ed!
Hi Remi,
Nice tutorial, thanks.
Question about SLES11:
What did you mean by ” it’s still possible to manage rules on your own by disabling SUSE Firewall”?
If you disable the firewall by stopping these two services (SuSEfirewall2_init and SuSEfirewall2_setup), you can use the “standard” style of iptables (service iptables start/stop/…)?
If not, is it possible to use the standard way ?
Thanks for your help.
Regards,
Jean-Claude
Yes, you can always disable the SUSE firewall and use the standard iptables commands instead. Make sure the iptables package is installed and you’re good to go.
Thanks Remi
Hi nice work.
Can you explain to me how I do this https://www.privacy-handbuch.de/handbuch_92.htm
on SUSE Leap?
So disabling SUSE lets you use standard. I’m kind of a noob so I’m very invested in, first of all, not breaking anything 😀
For iptables automation purposes I recently discovered this tool: https://www.efw.io/firewall/manager
One can automate rules & policies through a pretty intuitive GUI, instead of appending them through the command line. It might just help another idiot like me!