Getting IPTables to survive a reboot

This site is now 100% read-only, and retired.

Getting IPTables to survive a reboot

Posted by ltackmann on Fri 6 Oct 2006 at 10:10

Tags: debian-specific commands, initscripts, iptables

Debian does not provide an initscript for iptables by default. This does however not mean that it is impossible to get firewall rules to survive a reboot.

Actually the Debian way is logical and works very well. First create some iptables rules and list them:

iptables --list

if the listed rules satisfy your needs, then save them somewhere. I use /etc/firewall.conf but this location is not fixed:

iptables-save > /etc/firewall.conf

Then create a script so ifupdown loads these rules on boot:

echo "#!/bin/sh" > /etc/network/if-up.d/iptables 
echo "iptables-restore < /etc/firewall.conf" >> /etc/network/if-up.d/iptables 
chmod +x /etc/network/if-up.d/iptables

Now reboot your machine and pray - the rules should come up exactly like before (use "iptables --list" to verify this).

Re: Getting IPTables to survive a reboot

Posted by Anonymous (81.74.xx.xx) on Fri 6 Oct 2006 at 10:39

On woody the /etc/init.d/iptables was present, on sarge they removed it (it's written in the README.debian), Why? it's very useful!

[ Parent ]

Re: Getting IPTables to survive a reboot

Posted by dreynolds (84.92.xx.xx) on Fri 6 Oct 2006 at 11:13

iptables-save and iptables-load could be your friend here...

--
Dave

Re: Getting IPTables to survive a reboot

Posted by peej (59.178.xx.xx) on Fri 6 Oct 2006 at 11:34

I haven't got my sarge system here, but I guess it's probably a bit of tidying up so that you could put it under /etc/network/if-up.d/ (that's what I have on my u**u machine).

Re: Getting IPTables to survive a reboot

Posted by Anonymous (62.209.xx.xx) on Fri 6 Oct 2006 at 11:45

I definately loved the /etc/init.d/iptables init script. If you issued:
/etc/init.d/iptables clean if no only purged the rules, but also set default policy to ACCEPT, for example. Now I copy the /etc/init.d/iptables script into newly installed systems.

Re: Getting IPTables to survive a reboot

Posted by tuxy (70.105.xx.xx) on Fri 6 Oct 2006 at 13:12

Third option is to use /etc/network/interface:
I.E:

iface eth0 inet dhcp
        pre-up iptables-restore < /etc/iptables.conf

Re: Getting IPTables to survive a reboot

Posted by Kellen (84.217.xx.xx) on Fri 6 Oct 2006 at 14:18
[ View Weblogs ]

Third option is to use /etc/network/interface...
I think this is the preferred "debian way" to properly start your firewall.

Re: Getting IPTables to survive a reboot

Posted by Anonymous (12.14.xx.xx) on Fri 6 Oct 2006 at 17:14

Suprising; I'd've thought that putting a file with those contents into /etc/network/if-preup.d/ would be preferred so that the iptables package could do it independent of any mucking around in /etc/network/interfaces

Re: Getting IPTables to survive a reboot

Posted by Anonymous (62.165.xx.xx) on Wed 26 Nov 2008 at 09:38

They have removed it because of serious vulnerabilities incompatible with real protection.

Re: Getting IPTables to survive a reboot

Posted by lykwydchykyn (66.236.xx.xx) on Fri 6 Oct 2006 at 17:55
[ View Weblogs ]

I have to confess... I just install webmin and use its iptables interface.

But now I understand why I never found an iptables configuration file anywhere, and why webmin generated its own config files.

[ Parent ]

Re: Getting IPTables to survive a reboot

Posted by drew (171.65.xx.xx) on Fri 6 Oct 2006 at 18:39

I'm a fan of creating a /etc/init.d/iptables script. Then I can easily open and close the firewall while I'm testing other services, and you can even put different levels of protection into it if necessary.

I think using an init script helps keep the interface to services standardized, which in general eases administration.

[ Parent ]

Re: Getting IPTables to survive a reboot

Posted by sonic2000gr (87.203.xx.xx) on Fri 6 Oct 2006 at 19:58

iptables-restore and iptables-save are indeed valuable. I have a small firewall tutorial, complete with a firewall start / stop script at my debian wiki site at http://debian12.dyndns.org. You may wish to have a look (Please note this is on my home server and is bound to be slow at times).

[ Parent ]

Re: Getting IPTables to survive a reboot

Posted by paulgear (203.206.xx.xx) on Sat 7 Oct 2006 at 01:17

I use shorewall. I find its concepts of dividing hosts into zones and then writing rules and policies to affect the flows between the two zones very intuitive, and it manages the iptables startup on all my firewalls. I even use an external script i wrote (shoregen) to push the same set of rules and policies to different firewalls.

[ Parent ]

Re: Getting IPTables to survive a reboot

Posted by sjpwong (59.167.xx.xx) on Mon 9 Oct 2006 at 02:14

I find shorewall great too, especially because it is fully supported on Ubuntu (can i mention that here?!).

Lately, I have been doing some work using Voyage Linux, a Sarge derivative that runs from CF on single-board computers like the WRAP or net4801.

I have found that Shorewall is very heavy on these 266MHz machines so needs some tweaking to run effectively. The biggest change I have had to make is to turn off logging as that bogged things down considerably. When I was using logging I reduced the log rate to the examples shown in the default config file and that was OK.

Re: Getting IPTables to survive a reboot

Posted by mar (217.11.xx.xx) on Mon 9 Oct 2006 at 09:10
[ View Weblogs ]

me too. shorewall is very intiutive in configuration. Probably a known tip, but nevermind -- i use simple script to reset my firewall periodically in crontab when mangling with the rules on remote host until im done

Re: Getting IPTables to survive a reboot

Posted by paulgear (203.206.xx.xx) on Mon 9 Oct 2006 at 09:26

Another alternative is to use the ADMINISABSENTMINDED=Yes option in shorewall.conf. This will cause RELATED and ESTABLISHED packets to be accepted, even if Shorewall is stopped.

Re: Getting IPTables to survive a reboot

Posted by reluctant (65.78.xx.xx) on Sat 7 Oct 2006 at 02:02

I use firestarter. For the small network, probably unnecessary with a router/firewall, but I installed it before I got the router and just kept it.

I use fail2ban to protect port 22 for ssh. It feeds IP tables with any brute-force-attacking IPs.

[ Parent ]

Re: Getting IPTables to survive a reboot

Posted by timur (80.240.xx.xx) on Sat 7 Oct 2006 at 02:51

Please check the ipmasq package

[ Parent ]

Re: Getting IPTables to survive a reboot

Posted by Anonymous (81.168.xx.xx) on Sat 7 Oct 2006 at 11:20

I'm sure many of you are only happy if you've personally hand crafted your iptables rules ...

... for those of us who need a little help, I've found this site most helpful:

http://www.lowth.com/LinWiz/1.09/

I would suggest that you don't use the real ip address in the form, then change it once you have your output stored locally.

Also, you may want to still tweak a little. In any event, I found it a useful way to get started when I was new to iptables.

[ Parent ]

Re: Getting IPTables to survive a reboot

Posted by shufla (83.16.xx.xx) on Sat 7 Oct 2006 at 16:26

Hello,

I had same problem, when on post-woody /etc/init.d/iptables was 'lost', so I've created my own basic script http://nowak.eu.org/blog/images/iptables, which installation is very simple: chmod 755 /etc/init.d/iptables and update-rc.d iptables defaults.

It is not ideal but works (at least for me).

Bye,
Luke

[ Parent ]

Re: Getting IPTables to survive a reboot

Posted by simonw (84.45.xx.xx) on Sat 7 Oct 2006 at 17:28
[ View Weblogs ]

My /etc/default/iptables script has this in the comments:

# Q: You concocted this init.d setup, but you do not like it?
# A: I was pretty much hounded into providing it. I do not like it.
# Don't use it. Use /etc/network/interfaces, use /etc/network/*.d/
# scripts use /etc/ppp/ip-*.d/ script. Create your own custom
# init.d script -- no need to even name it iptables. Use ferm,
# ipmasq, ipmenu, guarddog, firestarter, or one of the many other
# firewall configuration tools available. Do not use the init.d
# script.

If only I could remember where it came from....

I must have learnt something, I used guarddog for desktop boxes that need a firewall, the rules are difficult to read, but the gui was okay.

[ Parent ]

Re: Getting IPTables to survive a reboot

Posted by Kellen (84.217.xx.xx) on Sun 8 Oct 2006 at 09:45
[ View Weblogs ]

If you (or somebody else) reads Japanese, maybe this page provides some info.

Re: Getting IPTables to survive a reboot

Posted by nobrowser (75.30.xx.xx) on Fri 18 Mar 2011 at 17:49

The problem with all these alternative hooks is when you have multiple
interfaces (even just a wireless plus ehternet, like most laptops).
iptables-restore wipes out all existing rules before loading the new
ones. So, if you have just one script, when the second interface is
coming up, for a moment your other interface (the one that is already
up) is left bare.

You can solve this by having separate scripts and rule files for each
interface, or by being clever inside the script and only executing
iptables-restore once. But then it also gets more complex, increasing
the odds of a fatal mistake. That's why I feel that a single script
running directly under rcS, pretty early in the sequence, is best. I
guess debian doesn't do that because they may need ports open to mount
network filesystems like nfs; I hate nfs and never use it, so for me
that is not a consideration.

Re: Getting IPTables to survive a reboot

Posted by _bolek_ (80.55.xx.xx) on Tue 10 Oct 2006 at 17:06

hmm i think that way is very difficult :P
why becouse i know better way haw to keep a firewall over reboot.

#apt-get install rcconf
in this stage you have a two option
#cp /etc/firewall.conf /etc/init.d/firewall
or
#cd /etc/init.d/ && vi firewall
... create your iptables script ...
#chmod +x firewall
#update-rc.d firewall defaults 20 //if you want you cane do this but you can do this same if you use a only rcconf
or
#rcconf
when you run a rcconf you see list where you can select/deselect witch script from /etc/init.d will be run when you reboot or turn on your compyter/server

if you want change your firewall you must only edit a /etc/init.d/firewall

[ Parent ]

Re: Getting IPTables to survive a reboot

Posted by amosshapira (203.10.xx.xx) on Wed 18 Oct 2006 at 01:39

I'd add the following:

Make the saved file inaccessible to anyone but root.
Add "-c" to iptables-save's and iptable-restore's command line so you won't loose network statistics across reboots.

[ Parent ]

Re: Getting IPTables to survive a reboot

Posted by acme (201.236.xx.xx) on Sat 28 Oct 2006 at 00:01

Or you can use (and improve) ipkungfu

#apt-get install ipkungfu

[ Parent ]

Re: Getting IPTables to survive a reboot

Posted by Anonymous (194.106.xx.xx) on Sat 28 Oct 2006 at 13:59

works allright with 3.1 debian

[ Parent ]

Re: Getting IPTables to survive a reboot

Posted by Anonymous (81.18.xx.xx) on Mon 26 Feb 2007 at 11:05

or you can just add entire iptables code at the bototm of the /etc/init.d/rcS file. it works under any circumstances ;)

[ Parent ]

Re: Getting IPTables to survive a reboot

Posted by Anonymous (193.178.xx.xx) on Tue 29 Jun 2010 at 13:12

small coment very hard to see space in "#!/bin/sh"

[ Parent ]

Re: Getting IPTables to survive a reboot

Posted by nic (96.32.xx.xx) on Fri 8 Jul 2011 at 18:37

I found this site more up to date with newer versions of Debian:
http://wiki.debian.org/iptables

The shell script uses /etc/network/if-pre-up.d/iptables
and #!/bin/bash instead of #!/bin/sh

Still this is a great site :)

Re: Getting IPTables to survive a reboot

Posted by Anonymous (91.187.xx.xx) on Fri 9 Sep 2011 at 21:39

i think in ubuntu 11.04 u can't use #!/bin/sh it is my opinion that you MUST include the space as follows "#! /bin/sh"

[ Parent ]