Persistent Iptables Rules in Ubuntu 16.04 Xenial Xerus

Aug 07, 2016

Firewall, Iptables, Linux, Security, Server, Sysadmin

David Egan

The process of persisting firewall rules in Ubuntu 16.04 is different to the procedure for 14.04.

The firewall setup itself is broadly the same as for 14.04, as described here.

This article briefly describes how to import a set of rules for iptables and make those rules persist across reboots.

Export Rules

If you’re exporting a ruleset from an existing Ubuntu 14.04 server, log in to that machine. Assuming that the iptables-persistent package is installed, run the following commands (the ~/iptables-rules directory must already exist, because the redirection is done by your own shell, not by sudo):

sudo iptables-save > ~/iptables-rules/ruleset-v4

sudo ip6tables-save > ~/iptables-rules/ruleset-v6

Copy these ruleset files across to a temporary location on your Ubuntu 16.04 server.

Install iptables-persistent

# Install package

sudo apt-get install iptables-persistent

# Start - Thanks to Dave Wood for the correction in the comments section

sudo service netfilter-persistent start

# Save the current rules (writes /etc/iptables/rules.v4 and rules.v6)

sudo invoke-rc.d netfilter-persistent save

# Stop the service

sudo service netfilter-persistent stop

Import Rules

# Import Rules

sudo iptables-restore < ~/serenity-iptables-rules/ruleset-v4

sudo ip6tables-restore < ~/serenity-iptables-rules/ruleset-v6

# Check iptables

sudo iptables -S

Save Rules

To save the imported rules, run the iptables-persistent dpkg-reconfigure script:

sudo dpkg-reconfigure iptables-persistent

NOTE: The commands sudo netfilter-persistent save and sudo netfilter-persistent reload should work, but we’ve had problems with these commands and resorted to the dpkg-reconfigure option. It may be that a restart of the service is necessary after running these commands.

The dpkg-reconfigure causes iptables-persistent to repeat the install procedure - it will prompt you to save the current rules. The current iptables rules are written to file by means of iptables-save > /etc/iptables/rules.v4 and ip6tables-save > /etc/iptables/rules.v6, so you should then see your rules in /etc/iptables/rules.v4 and /etc/iptables/rules.v6.

The iptables-persistent package causes the following to run on reboot:

iptables-restore < /etc/iptables/rules.v4

ip6tables-restore < /etc/iptables/rules.v6

Persistent Rules and Fail2Ban

If you save iptables rules for restoration on reboot, and they contain rules added by Fail2Ban, Fail2Ban will duplicate those rules on boot. After a few reboots the iptables ruleset can get very messy.

To avoid this, stop the fail2ban service before running the reconfiguration, and manually edit the saved rules to remove references to Fail2Ban. Rebooting should then result in the correct rules being added, as Fail2Ban adds its own:

# Stop Fail2Ban

sudo fail2ban-client stop

# Configure Persistent Rules

sudo dpkg-reconfigure iptables-persistent

# Make a backup copy (repeat for the v6 ruleset)

sudo cp /etc/iptables/rules.v4 /etc/iptables/rules.v4.bak

# Edit, remove references to Fail2Ban:

sudo nano /etc/iptables/rules.v4

# Reboot to apply the proper rules and restart Fail2Ban
# (probably better to reload the rules and restart Fail2Ban - these are rough notes)

sudo reboot
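As an added example (not part of the original notes), here is a small shell filter that does the "remove references to Fail2Ban" step mechanically instead of by hand in nano: it drops Fail2Ban's chains, the rules inside them and the jumps into them from an iptables-save dump, so the result can be written to /etc/iptables/rules.v4 directly. It assumes Fail2Ban names its chains f2b-<jail> (fail2ban 0.9 and later) or fail2ban-<jail> (older releases); the sample dump is constructed.

```shell
#!/bin/sh
# strip_fail2ban_rules reads an iptables-save dump on stdin and writes it to
# stdout without the lines Fail2Ban manages. Three kinds of line are dropped:
#   ":f2b-sshd - [0:0]"                     chain declaration
#   "-A f2b-sshd -s 203.0.113.7/32 -j ..."  rule inside a Fail2Ban chain
#   "-A INPUT -p tcp ... -j f2b-sshd"       jump from a built-in chain into it
# Chain-name prefixes f2b- (fail2ban 0.9+) and fail2ban- (older) are assumed.
strip_fail2ban_rules() {
    awk '
        /^:(f2b|fail2ban)-/            { next }
        /^-A (f2b|fail2ban)-/          { next }
        /-j (f2b|fail2ban)-[^ ]+( |$)/ { next }
        { print }
    '
}

# Constructed sample, in the format iptables-save produces, with a Fail2Ban
# sshd jail mixed into hand-written rules.
SAMPLE_DUMP='# Generated by iptables-save v1.6.0
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A f2b-sshd -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
COMMIT
# Completed'

# The filtered sample; on a real host the equivalent is
#   sudo iptables-save | strip_fail2ban_rules | sudo tee /etc/iptables/rules.v4
filtered_sample() {
    printf '%s\n' "$SAMPLE_DUMP" | strip_fail2ban_rules
}

# Number of lines the filter removed from the sample (4 here).
count_dropped() {
    before=$(printf '%s\n' "$SAMPLE_DUMP" | wc -l)
    after=$(filtered_sample | wc -l)
    echo $((before - after))
}

filtered_sample
echo "dropped $(count_dropped) Fail2Ban line(s)"
```

Run the same filter over ip6tables-save output for rules.v6; the hand-written rules, the chain policies and the COMMIT line pass through untouched.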