Description
iptables-persistent is an ‘init.d’ script (aimed at Debian) to make iptables rules persistent over reboots.
This fork is modified to handle fail2ban’s rules reloading and to be compatible with ip6tables for IPv6-enabled servers. Included is an homemade multipurpose config.
UPDATE 2018-05-27: This is not maintained anymore and may or may not work with current Debian setups. Use at your own risk.
UPDATE 2014-09-20: The iptables-persistent package in Debian beginning from the jessie (8) release and later has significantly changed compared to the previous version, and has somehow been renamed to netfilter-persistent. This script is not related to netfilter-persistent at all.
Note: If you have installed iptables-persistent via your package manager (apt), then this page is not for you. I have no link with the version packaged in Debian.
Project page
https://github.com/zertrin/iptables-persistent
Feedback and merge requests welcomed !
README
This is a fork based on Debian’s iptables-persistent package that loads iptables rules using rules specified at /etc/iptables/rules
This fork is modified to properly handle fail2ban’s rules reloading when starting/stopping/reloading iptables’s rules via iptables-persistent (fail2ban inserts its own rules at the beginning of iptables current ruleset when (re)started). If fail2ban is not installed, iptables-persistent will ignore any action related to file2ban.
For IPv6 enabled servers, ip6tables rules management is properly handled too, by activating the corresponding parameter in the configuration file (see below).
Provided is an example set of rules as quickstart. You should review it and adapt it to your needs.
Installation
To use:
- copy the init.d script
iptables-persistent
to/etc/init.d/
and make it executable - copy
iptables-persistent.conf
to/etc/default/iptables-persistent.conf
and edit it to suit your needs - copy
rules
to/etc/iptables/rules
and edit it to suit your needs - copy
ipv6_rules
to/etc/iptables/ipv6_rules
and edit it to suit your needs (you can copy this file even if you don’t activate IPv6 support in the configuration, it will be ignored) - make iptables-persistent to be lauched at startup
update-rc.d iptables-persistent defaults
Configuration variables
Edit /etc/default/iptables-persistent.conf
to set the following parameters:
SAVE_NEW_RULES (default: 0) – if set different than 0 then the current iptables ruleset will be saved with iptables-save when iptables-persistent is stopped (or restarted)
MODULES (default: “”) – a space-separated list of the modules that iptables-persistent should load/unload. Useful to activate FTP connection tracking for example.
IPV6 (default: 0) – if set different than 0 it will additionnaly use ip6tables to handle the loading/unloading of the ruleset stored at /etc/iptables/ipv6_rules
ENABLE_ROUTING (default: 0) – if set different than 0 then routing is enabled (in /proc/sys/net/ipv4/ip_forward
and /proc/sys/net/ipv6/conf/all/forwarding
), otherwise it’s not.
In Debian Wheezy I got this ‘error’. Is this something to worry about?
root@hz:/etc/init.d# update-rc.d iptables-persistent defaults
update-rc.d: using dependency based boot sequencing
update-rc.d: warning: default start runlevel arguments (2 3 4 5) do not match iptables-persistent Default-Start values (S)
update-rc.d: warning: default stop runlevel arguments (0 1 6) do not match iptables-persistent Default-Stop values (none)
It’s because the LSB headers of the init script don’t match the runlevels corresponding to the
defaults
argument.I will check and change that if necessary.
Nothing to really worry about in the meantime, giving the
defaults
argument toupdate-rc.d
overrides the LSB header, while still giving the warning you saw.Thx. I loaded the files unmodified in my router. It brakes the NAT on my working Debian router. eth0 is internet and eth1 is my local network. Anything I should change? I am pretty new to iptables. As far as I understand, the default scripts should work. Or do I miss something?
Well yes of course you should change the configuration and adapt it to your need.
Did you enable routing in
/etc/default/iptables-persistent.conf
(parameterENABLE_ROUTING
) ? By default it is disabled.I wont give support about iptables rules as there is plenty of documentation about it available online.
Besides, my only advice (which was in written bold in the “Installation” section above) is to actually review and edit the config and the rulesets files to adapt them to your situation. The only thing that shouldn’t need editing is the init.d script in itself.
Check also at the end of the ruleset, by default all packets of the FORWARD chain are dropped :
# Reject forwarded traffic, explicitely (despite chain policy)
-A FORWARD -j REJECT
You may want to disable that too.
I updated this page to include the missing explanations about the ENABLE_ROUTING parameter in the Configuration section.
I understand you won’t give any iptables support. I was under the impression that NAT worked out of the box with this script :) Thx for pointing me in the right direction and the script!
You’re right to point that out, I should mention that my default firewall configuration is very restrictive, forbidding forwarding and only allowing DNS ping and SSH inbound.
I will update the documentation to make it clearer soon :)
In Debian Wheezy I’ve got this error during shutdown:
service netfilter-persistent stop
[….] Stopping netfilter rules…Automatic flush disabled; use ‘/usr/sbin/netfilter-persistent flush’
failed.
I changed the configuration in /etc/default/netfilter-persistent from FLUSH_ON_STOP=0 to FLUSH_ON_STOP=1.
Then i’ve found this:
# Why? because if stop is used, the firewall gets flushed for a variable
# amount of time during package upgrades, leaving the machine vulnerable
# It’s also not always desirable to flush during purge
in /usr/share/netfilter-persistent/plugins.d/15-ip4tables.
Is this correct? Which is the best approach to avoid error on shutdown?
Thankyou in advance!
Hi,
I’m sorry but I don’t know what you are speaking about.
I don’t know netfilter-persistent. This page is about iptables-persistent, which doesn’t include the FLUSH_ON_STOP parameter you are referring to… Thus I am afraid that I can’t really help you with this issue…
I suspect that you mistook iptables-persistent with netfilter-persistent.
Firtst of all, thank you for your response and sorry for the long time elapsed before the replay! Netfilter-persistent is a direct dependency of iptables-persistent; take a look here: https://packages.debian.org/jessie/iptables-persistent
When I installed iptables-persistent on my debian jessie machine, in /etc/init.d/ i found only a netfilter-persistent script and not an iptables-persistent script.
Maybe I’ve asked on the wrong place.