Every time I reboot I lose the iptables rules that took me so looong to enter. I know I can save them and restore them on boot, but is there any way to save them forever? Do I really need to restore them on boot every time? Seriously?

The problem is I have a HUGE list of IPs in which I use a while loop to load them in. This can take upwards of 10 minutes.

This is my home FTP server. It's a small VM with 1 GB RAM and very little processing power. There are so many IPs because I've pretty much given up on the Asian continent. I don't need them hitting up my FTP server every day with brute force. I also block gov. monitors, trackers and spammers.

This is the while loop I use to load in the list.

grep INPUT block.list | while read LISTA; do sudo iptables -A $LISTA; done
capdragon

3 Answers

apt-get install iptables-persistent

On install, it should save your current iptables config. Otherwise you can save them to these files (depending on v4 or v6) and iptables-persistent will load them on boot :)

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
Matt Fletcher

First, create a file with the contents of iptables-save:

sudo iptables-save > /etc/iptables_rules

It doesn't really matter where you put the file, all you have to do is make sure that the next line refers to the same file. Next, open /etc/rc.local and add this line:

/sbin/iptables-restore < /etc/iptables_rules

From now on, every time your computer powers up or restarts, iptables will load the rules from the file that you specified.

gertvdijk
  • I get -bash: /etc/iptables_rules: Permission denied on the first command. Which is weird using sudo and all. – capdragon Mar 30 '12 at 14:57
  • I had to use sudo sh -c '/sbin/iptables-save > /etc/iptables.save' to get around the Permission denied error. Reference – capdragon Mar 30 '12 at 17:02
  • You can create the file in any directory; it is not mandatory to create it in /etc/. – pankaj sharma Mar 31 '12 at 05:16
  • I would not recommend using /etc/rc.local for this. It is executed later than the rest of your system startup, potentially leaving your system in a non-firewalled state. I would suggest placing this one-line script in /etc/network/if-up.d/firewall (new file). This makes sure it will be executed every time you enable your network interfaces. – gertvdijk Jan 21 '13 at 19:07
  • The permissions error is normal/expected. sudo applies only to the command before the ">"; the file redirection is done separately by your shell. – ImaginaryRobots Jan 21 '13 at 19:55
  • To get around the permissions problem you can always pipe to 'sudo tee' instead of straight to file, e.g. '$ echo "foo" | sudo tee /etc/bar' – Neonfirelights Jan 12 '15 at 14:50
  • I used "systemctl enable iptables" to restore my rules. – MrMas Jun 29 '17 at 22:40
  • This solution no longer works from Ubuntu 16.04 onwards since Ubuntu no longer uses /etc/rc.local. – Mark Amery Apr 29 '19 at 11:05

If you do have a lot of rules you should also consider using ipset in conjunction with iptables. Ipset uses an indexed database table and is a lot faster than iptables when looking up an address to decide whether to accept or deny.

http://ipset.netfilter.org/index.html

Bob Brunius
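Putting the question's block.list loop and the ipset answer together, here is an added example (not code from any post above) that converts the same list into one ipset set matched by a single iptables rule, so the ten-minute rule-by-rule load becomes one restore. It assumes the list lines have the form INPUT -s <addr> -j DROP and that the set is named blocklist; both are assumptions.

```shell
#!/bin/sh
# Added example, not from any post above. Turns a block.list of lines such as
#   INPUT -s 203.0.113.0/24 -j DROP
# into an "ipset restore" script: the whole list becomes one set, matched by a
# single iptables rule, instead of thousands of separate -A INPUT rules.
# Assumptions: set name "blocklist"; list lines in the "-A"-style form the
# question's grep/while loop passes to iptables.

# Emit an ipset restore script for every INPUT line carrying -s in file $1.
# hash:net takes both single addresses and CIDR ranges; -exist makes the
# script safe to re-run on a set that already exists or already has an entry.
gen_ipset_restore() {
    echo "create blocklist hash:net family inet hashsize 65536 maxelem 1000000 -exist"
    grep INPUT "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "-s") print "add blocklist " $(i+1) " -exist"
    }'
}

# Constructed sample list (documentation address ranges) for a stand-alone run.
SAMPLE_LIST="${TMPDIR:-/tmp}/block.list.$$"
cat > "$SAMPLE_LIST" <<'EOF'
INPUT -s 203.0.113.0/24 -j DROP
INPUT -s 198.51.100.7 -j DROP
OUTPUT -d 192.0.2.1 -j DROP
EOF
gen_ipset_restore "$SAMPLE_LIST"
rm -f "$SAMPLE_LIST"

# Loading and persisting, as root on the FTP server:
#   gen_ipset_restore block.list | ipset restore
#   iptables -I INPUT -m set --match-set blocklist src -j DROP
#   ipset save > /etc/iptables/ipsets        # the set's contents
#   iptables-save > /etc/iptables/rules.v4   # the one rule that references it
# At boot the set must exist before the rule is restored (iptables-restore
# refuses a rule whose set is missing), so a script such as the
# /etc/network/if-up.d one suggested in the comments should run
#   ipset restore < /etc/iptables/ipsets
# and only then iptables-restore < /etc/iptables/rules.v4.
```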