Persistent Iptables Rules in Ubuntu 16.04 Xenial Xerus
Aug 07, 2016
Firewall, Iptables, Linux, Security, Server, Sysadmin
David Egan
The process of persisting firewall rules in Ubuntu 16.04 is different from the procedure for 14.04.
The firewall setup itself is broadly the same as for 14.04, as described here.
This article briefly describes how to import a set of rules for iptables and make these rules persist across reboots.
Export Rules
If you’re exporting a ruleset from an existing Ubuntu 14.04 server, log in to this machine. Assuming that the iptables-persistent package is installed, run the following commands:
```bash
sudo iptables-save > ~/iptables-rules/ruleset-v4
sudo ip6tables-save > ~/iptables-rules/ruleset-v6
```
Copy these ruleset files across to a temporary location on your Ubuntu 16.04 server.
Install iptables-persistent
```bash
# Install package
sudo apt-get install iptables-persistent
# Start - Thanks to Dave Wood for the correction in the comments section
sudo service netfilter-persistent start
# Add to startup
sudo invoke-rc.d netfilter-persistent save
# Stop the service
sudo service netfilter-persistent stop
```
Import Rules
```bash
# Import rules
sudo iptables-restore < ~/serenity-iptables-rules/ruleset-v4
sudo ip6tables-restore < ~/serenity-iptables-rules/ruleset-v6
# Check iptables
sudo iptables -S
```
Save Rules
To save the imported rules, run the iptables-persistent dpkg-reconfigure script:
```bash
sudo dpkg-reconfigure iptables-persistent
```
NOTE: The commands sudo netfilter-persistent save and sudo netfilter-persistent reload should work, but we’ve had problems with these commands and resorted to the dpkg-reconfigure option. It may be that a restart of the service is necessary after running these commands.
Running dpkg-reconfigure makes iptables-persistent repeat its install procedure: it prompts you to save the current rules. The current rules are written to disk by means of `iptables-save > /etc/iptables/rules.v4` and `ip6tables-save > /etc/iptables/rules.v6`, so afterwards you should see your rules in /etc/iptables/rules.v4 and /etc/iptables/rules.v6.
The iptables-persistent package causes the following to run on reboot:
```bash
iptables-restore < /etc/iptables/rules.v4
ip6tables-restore < /etc/iptables/rules.v6
```
Persistent Rules and Fail2Ban
If you save iptables rules for restoration on reboot, and they contain rules added by Fail2Ban, Fail2Ban will duplicate the rules on boot. After a few reboots, the iptables can potentially get very messy.
To avoid this, stop the fail2ban service before saving the rules, and manually edit the saved rules to remove references to Fail2Ban. Rebooting should then result in the correct rules being added, as Fail2Ban adds its own:
```bash
# Stop Fail2Ban
sudo fail2ban-client stop
# Configure persistent rules
sudo dpkg-reconfigure iptables-persistent
# Make a backup copy (repeat for the v6 ruleset)
sudo cp /etc/iptables/rules.v4 /etc/iptables/rules.v4.bak
# Edit, remove references to Fail2Ban:
sudo nano /etc/iptables/rules.v4
# Reboot to apply proper rules & restart Fail2Ban
# (probably better to reload rules and restart Fail2Ban - these are rough notes)
sudo reboot
```
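As an added example (not part of the original post), the following shell filter performs the "remove references to Fail2Ban" step mechanically rather than by hand in an editor, which avoids accidentally dropping a legitimate rule. It assumes Fail2Ban's chain naming of `f2b-<jail>` (`fail2ban-<jail>` on older releases) and runs against a constructed sample dump rather than a real host's rules.

```bash
#!/bin/sh
# Filter an iptables-save dump so that Fail2Ban's chains and jumps are left out
# before the dump is written to /etc/iptables/rules.v4 (or rules.v6).
# Fail2Ban names its chains "f2b-<jail>" (older releases: "fail2ban-<jail>").
# Matching lines are: the chain declaration ":f2b-sshd - [0:0]", the jump from
# INPUT "... -j f2b-sshd", and every rule appended to the chain "-A f2b-sshd ...".
strip_fail2ban_rules() {
    grep -v -E '(^:|[[:space:]])(f2b|fail2ban)-'
}

# Return 0 (true) if the dump on stdin still references a Fail2Ban chain.
has_fail2ban_refs() {
    grep -q -E '(^:|[[:space:]])(f2b|fail2ban)-'
}

# Count the rules (-A lines) in a dump on stdin; used to sanity-check the result.
count_rules() {
    grep -c '^-A' || true
}

# Constructed sample in iptables-save format (not captured from a real host):
# a minimal filter table with one Fail2Ban jail for sshd and one banned address.
SAMPLE_RULES='# Generated by iptables-save v1.6.0 (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A f2b-sshd -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
COMMIT
# Completed (constructed sample)'

# On a real host the same filter sits between iptables-save and the rules file:
#   sudo iptables-save | strip_fail2ban_rules | sudo tee /etc/iptables/rules.v4
# Here it is applied to the constructed sample; the table header, the non-Fail2Ban
# rules and COMMIT survive, the f2b-sshd chain and its jump do not.
main() {
    printf '%s\n' "$SAMPLE_RULES" | strip_fail2ban_rules
}

main
```

Check the filtered output with `has_fail2ban_refs` before copying it into place; if any reference survives, the saved file would again duplicate Fail2Ban's chains on the next boot.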