iptables-persistent

Description

iptables-persistent is an ‘init.d’ script (aimed at Debian) to make iptables rules persistent over reboots.

This fork is modified to handle fail2ban’s rules reloading and to be compatible with ip6tables for IPv6-enabled servers. Included is an homemade multipurpose config.

Project page

https://github.com/zertrin/iptables-persistent

Feedback and merge requests welcomed !

README

This is a fork based on Debian’s iptables-persistent package that loads iptables rules using rules specified at /etc/iptables/rules

This fork is modified to properly handle fail2ban’s rules reloading when starting/stopping/reloading iptables’s rules via iptables-persistent (fail2ban inserts its own rules at the beginning of iptables current ruleset when (re)started). If fail2ban is not installed, iptables-persistent will ignore any action related to file2ban.

For IPv6 enabled servers, ip6tables rules management is properly handled too, by activating the corresponding parameter in the configuration file (see below).

Provided is an example set of rules as quickstart. You should review it and adapt it to your needs.

Installation

To use:

  • copy the init.d script iptables-persistent to /etc/init.d/ and make it executable
  • copy iptables-persistent.conf to /etc/default/iptables-persistent.conf and edit it to suit your needs
  • copy rules to /etc/iptables/rules and edit it to suit your needs
  • copy ipv6_rules to /etc/iptables/ipv6_rules and edit it to suit your needs (you can copy this file even if you don’t activate IPv6 support in the configuration, it will be ignored)
  • make iptables-persistent to be lauched at startup
    update-rc.d iptables-persistent defaults

Configuration variables

Edit /etc/default/iptables-persistent.conf to set the following parameters:

SAVE_NEW_RULES (default: 0) – if set different than 0 then the current iptables ruleset will be saved with iptables-save when iptables-persistent is stopped (or restarted)

MODULES (default: “”) – a space-separated list of the modules that iptables-persistent should load/unload. Useful to activate FTP connection tracking for example.

IPV6 (default: 0) – if set different than 0 it will additionnaly use ip6tables to handle the loading/unloading of the ruleset stored at /etc/iptables/ipv6_rules

ENABLE_ROUTING (default: 0) – if set different than 0 then routing is enabled (in /proc/sys/net/ipv4/ip_forward and /proc/sys/net/ipv6/conf/all/forwarding), otherwise it’s not.

11 thoughts on “iptables-persistent

  1. In Debian Wheezy I got this ‘error’. Is this something to worry about?

    root@hz:/etc/init.d# update-rc.d iptables-persistent defaults

    update-rc.d: using dependency based boot sequencing
    update-rc.d: warning: default start runlevel arguments (2 3 4 5) do not match iptables-persistent Default-Start values (S)
    update-rc.d: warning: default stop runlevel arguments (0 1 6) do not match iptables-persistent Default-Stop values (none)

    • It’s because the LSB headers of the init script don’t match the runlevels corresponding to the defaults argument.
      I will check and change that if necessary.
      Nothing to really worry about in the meantime, giving the defaults argument to update-rc.d overrides the LSB header, while still giving the warning you saw.

      • Thx. I loaded the files unmodified in my router. It brakes the NAT on my working Debian router. eth0 is internet and eth1 is my local network. Anything I should change? I am pretty new to iptables. As far as I understand, the default scripts should work. Or do I miss something?

        • Well yes of course you should change the configuration and adapt it to your need.

          Did you enable routing in /etc/default/iptables-persistent.conf (parameter ENABLE_ROUTING) ? By default it is disabled.

          I wont give support about iptables rules as there is plenty of documentation about it available online.

          Besides, my only advice (which was in written bold in the “Installation” section above) is to actually review and edit the config and the rulesets files to adapt them to your situation. The only thing that shouldn’t need editing is the init.d script in itself.

          • Check also at the end of the ruleset, by default all packets of the FORWARD chain are dropped :

            # Reject forwarded traffic, explicitely (despite chain policy)
            -A FORWARD -j REJECT

            You may want to disable that too.

        • I updated this page to include the missing explanations about the ENABLE_ROUTING parameter in the Configuration section.

          • I understand you won’t give any iptables support. I was under the impression that NAT worked out of the box with this script :) Thx for pointing me in the right direction and the script!

            • You’re right to point that out, I should mention that my default firewall configuration is very restrictive, forbidding forwarding and only allowing DNS ping and SSH inbound.

              I will update the documentation to make it clearer soon :)

  2. In Debian Wheezy I’ve got this error during shutdown:

    service netfilter-persistent stop
    [….] Stopping netfilter rules…Automatic flush disabled; use ‘/usr/sbin/netfilter-persistent flush’
    failed.

    I changed the configuration in /etc/default/netfilter-persistent from FLUSH_ON_STOP=0 to FLUSH_ON_STOP=1.

    Then i’ve found this:

    # Why? because if stop is used, the firewall gets flushed for a variable
    # amount of time during package upgrades, leaving the machine vulnerable
    # It’s also not always desirable to flush during purge
    in /usr/share/netfilter-persistent/plugins.d/15-ip4tables.

    Is this correct? Which is the best approach to avoid error on shutdown?

    Thankyou in advance!

    • Hi,

      I’m sorry but I don’t know what you are speaking about.

      I don’t know netfilter-persistent. This page is about iptables-persistent, which doesn’t include the FLUSH_ON_STOP parameter you are referring to… Thus I am afraid that I can’t really help you with this issue…

      I suspect that you mistook iptables-persistent with netfilter-persistent.

      • Firtst of all, thank you for your response and sorry for the long time elapsed before the replay! Netfilter-persistent is a direct dependency of iptables-persistent; take a look here: https://packages.debian.org/jessie/iptables-persistent

        When I installed iptables-persistent on my debian jessie machine, in /etc/init.d/ i found only a netfilter-persistent script and not an iptables-persistent script.

        Maybe I’ve asked on the wrong place.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>