iptables-persistent

With Red Hat based distributions (CentOS, Scientific Linux, Oracle Linux, Fedora 😉) making iptables rules survive a reboot is as easy as editing /etc/sysconfig/iptables or running "service iptables save" after adding new rules: that writes the running ruleset to /etc/sysconfig/iptables, from where the iptables init script reloads it at boot. (Plain iptables-save only prints the ruleset to stdout; it does not touch /etc/sysconfig/iptables by itself.)

On Debian there is also an easy way to make iptables rules load on boot: the iptables-persistent package, which is a boot-time loader for saved iptables rules.

#aptitude install iptables-persistent

After installation we can list the files which are part of iptables-persistent:

#dpkg -S iptables-persistent
iptables-persistent: /usr/share/doc/iptables-persistent/README
iptables-persistent: /usr/share/doc/iptables-persistent
iptables-persistent: /etc/init.d/iptables-persistent
iptables-persistent: /usr/share/doc/iptables-persistent/changelog.gz
iptables-persistent: /usr/share/doc/iptables-persistent/copyright

The interesting one for us is the /etc/init.d/iptables-persistent script, where we see:


load_rules()
{
        log_action_begin_msg "Loading iptables rules"
        rc=0    # the init script sets rc=0 before calling this; shown here so the function stands alone

        #load IPv4 rules
        if [ ! -f /etc/iptables/rules.v4 ]; then
                log_action_cont_msg " skipping IPv4 (no rules to load)"
        else
                log_action_cont_msg " IPv4"
                #restore the saved file; error output is discarded, so a broken file fails quietly
                iptables-restore < /etc/iptables/rules.v4 2> /dev/null
                if [ $? -ne 0 ]; then
                        rc=1
                fi
        fi

        #load IPv6 rules
        if [ ! -f /etc/iptables/rules.v6 ]; then
                log_action_cont_msg " skipping IPv6 (no rules to load)"
        else
                log_action_cont_msg " IPv6"
                ip6tables-restore < /etc/iptables/rules.v6 2> /dev/null
                if [ $? -ne 0 ]; then
                        rc=1
                fi
        fi

        log_action_end_msg $rc
}

So IPv4 rules are expected in /etc/iptables/rules.v4 and IPv6 rules in /etc/iptables/rules.v6. Both files are in the format iptables-save produces and are fed to iptables-restore / ip6tables-restore. Note that the script throws away the restore command's error output: if a file has a syntax error, iptables-restore bails out before COMMIT, the table stays as it was (on a fresh boot that means no firewall at all, with the default ACCEPT policies), and all you see is a failed status. To find the actual error, run iptables-restore < /etc/iptables/rules.v4 by hand.

Rough steps: write your iptables rules as a script, test it (really test it, above all the rule that admits your own SSH session), run it, then save the running ruleset with

#iptables-save > /etc/iptables/rules.v4

That is it. Only the redirect puts the rules into /etc/iptables/rules.v4; iptables-save itself just prints to stdout. For IPv6 build the rules with ip6tables and save them with ip6tables-save > /etc/iptables/rules.v6. Next time the machine boots, iptables-persistent reads the files and applies them. Keep both files readable by root only, and if you ever hand-edit them, re-check that they still load before you rely on the next reboot.
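The whole procedure as one script, added here as an example (it is not code from the original post or from the iptables-persistent package): it generates a default-deny IPv4 ruleset in iptables-save format, sanity-checks the file offline, lets iptables-restore parse it without committing, installs it as /etc/iptables/rules.v4 (the path the init script above reads), and can apply it live with an automatic rollback so a mistake does not lock you out over SSH. The function names, the RULES_V4 and SSH_PORT variables, and the choice of rules are this example's own; it assumes a kernel with the conntrack match available, and the install/apply actions need root.

```shell
#!/bin/sh
# Added example, not from the original post or the iptables-persistent package.
# Builds, checks, installs and safely applies an IPv4 ruleset for
# /etc/iptables/rules.v4. Names and defaults below are this example's own.
set -eu

RULES_V4="${RULES_V4:-/etc/iptables/rules.v4}"   # where iptables-persistent loads from
SSH_PORT="${SSH_PORT:-22}"                        # assumption: sshd listens here

# Print the ruleset in the exact format iptables-save writes and
# iptables-restore reads: table header, chain policies, rules, COMMIT.
gen_rules_v4() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# Offline checks on a saved ruleset file (no root, no netfilter needed):
# it must be a complete filter table, default-deny inbound, and still
# admit SSH, so a truncated or lock-out ruleset is never installed.
check_rules_file() {
    f="$1"
    [ -r "$f" ] || return 1
    grep -qxF '*filter' "$f" || return 1
    grep -qxF 'COMMIT'  "$f" || return 1
    grep -q '^:INPUT DROP' "$f" || return 1
    grep -q -- "--dport $SSH_PORT " "$f" || return 1
    return 0
}

# Write the ruleset to a temp file, run the offline checks, let
# iptables-restore parse it without committing (-t, needs root), then
# move it into place with root-only permissions.
install_rules_v4() {
    tmp="$(mktemp)"
    gen_rules_v4 > "$tmp"
    check_rules_file "$tmp"
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore -t < "$tmp"
    fi
    chmod 600 "$tmp"
    mv "$tmp" "$RULES_V4"
}

# Apply the saved file now, with a safety net against locking yourself
# out over SSH: the previous ruleset comes back after 60 seconds unless
# the timer is killed from a session that still works.
apply_with_rollback() {
    backup="$(mktemp)"
    iptables-save > "$backup"
    iptables-restore < "$RULES_V4"
    ( sleep 60 && iptables-restore < "$backup" ) &
    echo "Applied $RULES_V4; run 'kill $!' within 60s to keep it (old rules in $backup)."
}

case "${1:-}" in
    install) install_rules_v4 ;;
    apply)   apply_with_rollback ;;
    show)    gen_rules_v4 ;;
    *)       : ;;   # no argument: only define the functions above
esac
```

Run it as root with "install" to write the file and "apply" to load it live; if the SSH session survives, kill the rollback timer the script names, otherwise just wait a minute and reconnect. The IPv6 file is handled the same way with ip6tables-save / ip6tables-restore and /etc/iptables/rules.v6.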
