iptables-persistent is an ‘init.d’ script (aimed at Debian) to make iptables rules persistent over reboots.
This one is modified to handle fail2ban’s rules reloading and to be compatible with ip6tables for IPv6-enabled servers. Included is an homemade multipurpose config.
Feedback and merge requests welcomed !
Based on Debian’s iptables-persistent package that loads iptables rules using rules specified at
This one is modified to properly handle fail2ban’s rules reloading when starting/stopping/reloading iptables’s rules via iptables-persistent (fail2ban inserts its own rules at the beginning of iptables current ruleset when (re)started). If fail2ban is not installed, iptables-persistent will ignore any action related to file2ban.
For IPv6 enabled servers, ip6tables rules management is properly handled too, by activating the corresponding parameter in the configuration file (see below).
Provided is an example set of rules as quickstart. You should review it and adapt it to your needs.
- copy the init.d script
/etc/init.d/and make it executable
/etc/default/iptables-persistent.confand edit it to suit your needs
/etc/iptables/rulesand edit it to suit your needs
/etc/iptables/ipv6_rulesand edit it to suit your needs (you can copy this file even if you don’t activate IPv6 support in the configuration, it will be ignored)
- make iptables-persistent to be lauched at startup
update-rc.d iptables-persistent defaults
/etc/default/iptables-persistent.conf to set the following parameters:
SAVE_NEW_RULES (default: 0) – if set different than 0 then the current iptables ruleset will be saved with iptables-save when iptables-persistent is stopped (or restarted)
MODULES (default: “”) – a space-separated list of the modules that iptables-persistent should load/unload. Useful to activate FTP connection tracking for example.
IPV6 (default: 0) – if set different than 0 it will additionnaly use ip6tables to handle the loading/unloading of the ruleset stored at /etc/iptables/ipv6_rules
ENABLE_ROUTING (default: 0) – if set different than 0 then routing is enabled (in
/proc/sys/net/ipv6/conf/all/forwarding), otherwise it’s not.