I made changes to iptables config file in /etc/iptables/filter in Ubuntu and want to reload them. I read the man page and also googled but couldn't find the information. Any help will be appreciated.

  • You have neither provided any information about the version of Ubuntu you are using, nor searched the web well, before posting this question. – Dec 06 '10 at 18:35

6 Answers

Normally your firewall rules are in the config file /etc/iptables.firewall.rules

To activate the rules defined in your file you must send them to iptables-restore (you can use another file if you want):

sudo iptables-restore < /etc/iptables.firewall.rules

And you can check that they are activated with:

sudo iptables -L

If you want to activate the same rules each time you boot the computer create this file:

sudo nano /etc/network/if-pre-up.d/firewall

With this content:

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules

And give it permission of execution:

sudo chmod +x /etc/network/if-pre-up.d/firewall

Hope it helps you =)

Example file for /etc/iptables.firewall.rules:

*filter

# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow SSH connections
# The --dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
-A INPUT -p icmp -j ACCEPT

# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

Edit 2021-08:

Just had an issue upgrading to Ubuntu 20.04.2 LTS. The location of iptables-restore changed from /sbin/iptables-restore to /usr/sbin/iptables-restore.

Be sure to check the location on your system with whereis iptables-restore, or your network interface will not be raised.

If you don't have network after an upgrade, you can check the reason with sudo systemctl status networking.service -l; in my case:

Failed to start Raise network interfaces.
if-pre-up.d/firewall: 2: /sbin/iptables-restore: not found
  • On Ubuntu 14.10 I have no /etc/iptables.firewall.rules but sudo iptables-restore < /etc/iptables/rules.v4 worked for me. – timbo Jan 09 '15 at 22:43
Easiest way is to reboot (also if below does not work, reboot, check if that made the change).

Second easiest is to restart the daemons using iptables configurations (google: restart daemon ubuntu).

Examples (depending on your configuration):

/etc/init.d/iptables restart

/etc/init.d/networking restart

/etc/init.d/firewall restart
Juha


If you've executed your rules they are already running and no reloading is necessary. In the case where you have a configuration file but it hasn't been executed, the best way I've seen so far is to use iptables-apply (an iptables extension).

iptables-apply -t 60 your_rules_file

This will apply the rules for 60 seconds (10 by default) and revert them if you don't confirm them. This will save you in case you are thrown out of the system because of the rules (ex. if you are operating through ssh).

You can use the following as a replacement:

iptables-restore < your_rules_file; sleep 60; iptables-restore < clean_rules
nyxz
  • No, reloading is absolutely necessary for DDNS host resolution. If the IP of any referenced host changes, then iptables needs to be reloaded. Ideally you would do this every 30 minutes from cron. It is not convenient to reboot every 30 minutes. – mckenzm Mar 28 '19 at 01:58
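An added example, not code from any of the answers above and not iptables-apply itself, that pulls together two points from this thread: the first answer's note that iptables-restore moved from /sbin to /usr/sbin on upgrade, and nyxz's load-then-confirm-or-revert pattern. It locates the tool instead of hard-coding a path, checks the file's structure (including the rules-run-together mistake) before letting the kernel parse it with iptables-restore --test, and rolls back to an iptables-save snapshot unless the operator confirms within the timeout. The script name safe-apply.sh, the function names, the sample file contents in the comments and the availability of --test on the installed iptables are assumptions made for the example.

```bash
#!/bin/bash
# Added example (not from the answers above, not part of iptables-apply).
# Assumes iptables-save/iptables-restore are installed, that iptables-restore
# supports --test, and that apply_with_rollback runs as root.

set -u

# Print the full path of an iptables tool. Ubuntu moved these from /sbin to
# /usr/sbin, so a hard-coded path in an if-pre-up.d script can break on upgrade.
find_tool() {
    name="$1"
    for dir in /usr/sbin /sbin /usr/bin /bin; do
        if [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    command -v "$name" 2>/dev/null
}

# Structural check of an iptables-save style file without touching the kernel:
# each *table header must be closed by COMMIT, rule lines must start with a known
# iptables command, and no line may carry two rules run together (the flattening
# seen in the example file earlier in this thread).
check_rules_syntax() {
    file="$1"
    table=""
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;
            '*'*)
                [ -z "$table" ] || { echo "line $n: table $table has no COMMIT" >&2; return 1; }
                table="${line#\*}" ;;
            COMMIT)
                [ -n "$table" ] || { echo "line $n: COMMIT outside a table" >&2; return 1; }
                table="" ;;
            ':'*|'-A '*|'-I '*|'-D '*|'-N '*|'-X '*|'-P '*|'-F '*)
                [ -n "$table" ] || { echo "line $n: rule outside a table" >&2; return 1; }
                case "${line#-? }" in
                    *' -A '*|*' -I '*) echo "line $n: two rules on one line" >&2; return 1 ;;
                esac ;;
            *) echo "line $n: unrecognised line: $line" >&2; return 1 ;;
        esac
    done < "$file"
    [ -z "$table" ] || { echo "table $table has no COMMIT" >&2; return 1; }
    return 0
}

# Snapshot the live ruleset, load the new file, and roll back unless the operator
# confirms within $timeout seconds: this is what keeps an SSH session alive when
# a new rule would otherwise lock you out.
apply_with_rollback() {
    file="$1"
    timeout="${2:-60}"
    restore=$(find_tool iptables-restore) || { echo "iptables-restore not found" >&2; return 2; }
    save=$(find_tool iptables-save) || { echo "iptables-save not found" >&2; return 2; }
    check_rules_syntax "$file" || return 1
    "$restore" --test < "$file" || { echo "kernel rejected the ruleset" >&2; return 1; }
    backup=$(mktemp) || return 2
    "$save" > "$backup" || { rm -f "$backup"; return 2; }
    if ! "$restore" < "$file"; then
        "$restore" < "$backup"
        rm -f "$backup"
        return 1
    fi
    printf 'New rules are live. Type y within %ss to keep them: ' "$timeout"
    if read -r -t "$timeout" answer && [ "$answer" = "y" ]; then
        rm -f "$backup"
        echo "kept"
        return 0
    fi
    "$restore" < "$backup"
    rm -f "$backup"
    echo "no confirmation; previous rules restored" >&2
    return 1
}

# Usage: sudo ./safe-apply.sh apply /etc/iptables.firewall.rules 60
#        ./safe-apply.sh check /etc/iptables.firewall.rules
case "${1:-}" in
    check) check_rules_syntax "${2:?rules file required}" ;;
    apply) apply_with_rollback "${2:?rules file required}" "${3:-60}" ;;
esac
```

The check mode needs no privileges, so it can run from an editor hook or CI before the file ever reaches a host; the apply mode restores the snapshot whether the new rules fail to load or simply go unconfirmed, which is the same safety net iptables-apply -t gives.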
sudo ufw reload

Will reload firewall and its rules.

(Assuming you're using ufw on top of iptables.)

Paul

After googling a little, this is what I found to restart iptables: sudo /etc/init.d/firewall restart

If you want to reload IPtables to validate changes you have just made; you can also restart Apache with the command lines below:

/etc/init.d/apache2 stop

/etc/init.d/apache2 start

These commands may vary depending on your flavor of Ubuntu, and any modifications that may have been made previously.

Hope this helps.

Pierre

  • I doubt that the average user is running an apache 2 webserver and I strongly discourage from restarting apache2 for the sake of reloading firewall rules... – kaiya Mar 09 '21 at 11:12
  • This answer makes absolutely zero sense at all. – xorinzor Dec 15 '23 at 08:28