Overview
The method described here has three steps:
- Install the
iptables-persistentpackage. - Place the required rulesets in the
/etc/iptablesdirectory. - Start the
iptables-persistentservice.
The second and third steps can be repeated whenever there is a need to change one or both of the rulesets.
Install the iptables-persistent package
On recent Debian-based systems the iptables configuration can be made persistent using the iptables-persistent package:
apt-get install iptables-persistent
This package first became available in Debian (Squeeze) and Ubuntu (Lucid).
Place the required rulesets in the /etc/iptables directory
Recent versions of iptables-persistent have two configuration files:
/etc/init.d/rules.v4for the IPv4 ruleset, and/etc/init.d/rules.v6for the IPv6 ruleset.
These pathnames are correct from version 0.5 of iptables-persistent onwards, corresponding to Debian (Wheezy) and Ubuntu (Oneiric). Prior to that, the IPv4 ruleset was located at /etc/init.d/rules (no suffix). IPv6 support was unavailable prior to version 0.0.20101230, corresponding to Debian (Wheezy) and Ubuntu (Natty).
The ruleset files should be in a format suitable for use by the iptables-restore or ip6tables-restore command as appropriate. Here is an example for configuring the IPv4 filter table:
# Generated by iptables-save v1.4.8 on Thu Jan 12 21:54:29 2012 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [27:3068] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -j REJECT --reject-with icmp-port-unreachable COMMIT # Completed on Thu Jan 12 21:54:29 2012
]The required format of this file does not appear to be well-documented, although a partial description can be found in the Iptables Tutorial. Fortunately there are alternatives to writing it from scratch:
- Recent versions of
iptables-persistentoffer to create the files from the current live configuration when the package is installed. You can arrange for this offer to be repeated using thedpkg-reconfigurecommand. - You can achieve the same effect more directly using the
iptables-saveandip6tables-savecommands, for example:
iptables-save > /etc/iptables/rules.v4 ip6tables-save > /etc/iptables/rules.v6
Start the iptables-persistent service
The iptables-persistent must be started or restarted for it to have an effect on the live configuration. In practice it should rarely be necessary to request this explicitly:
- If the rulesets were constructed from the current live configuration then there is no immediate need for
iptables-persistentto do anything, because the stored and live configurations are already in agreement. - The
iptables-persistentservice automatically starts when the system is rebooted.
You will need to explicitly start the service if you provide the rulesets by some other means:
service iptables-persistent start
Note that the versions of this package included with Squeeze, Lucid and Maverick respond only to start and not to restart, reload orforce-reload. This has since been fixed.
