How can I start/stop the iptables service on Ubuntu?
I have tried
service iptables stop
but it is giving "unrecognized service".
Why is it doing so? Is there any other method?
I don't know about "Ubuntu", but in Linux generally, "iptables" isn't a service - it's a command to manipulate the netfilter kernel firewall. You can "disable" (or stop) the firewall by setting the default policies on all standard chains to "ACCEPT", and flushing the rules.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
(You may need to flush other tables, too, such as "nat", if you've used them)
The following article on the Ubuntu website describes setting up iptables for use with NetworkManager: https://help.ubuntu.com/community/IptablesHowTo
You are all wrong :-)
The command you are looking for is:
$ sudo ufw disable
I would first check if it is installed with (it probably is):
dpkg -l | grep iptables
On Ubuntu, iptables is not a service.
In order to stop it, you have to do the following:
sudo iptables-save > /root/firewall.rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
In order to restore your previous rules:
iptables-restore < /root/firewall.rules
This was taken from http://www.cyberciti.biz/faq/turn-on-turn-off-firewall-in-linux/ and was tested on many Ubuntu 8.X & 9.10 installations.
iptables is a command, not a service, so generally it's not possible to use commands like
service iptables start
or
service iptables stop
in order to start and stop the firewall, but some distros like CentOS come with a service called iptables to start and stop the firewall and a configuration file to configure it. Anyway, it's possible to make a service to manage iptables by editing or installing a script for this purpose. All services in Linux (Ubuntu is no exception) are executable scripts inside the /etc/init.d folder that implement a standard interface (start, stop, restart). A possible script looks like this:
#!/bin/sh -e
### BEGIN INIT INFO
# Provides:          iptables
# Required-Start:    mountvirtfs ifupdown $local_fs
# Default-Start:     S
# Default-Stop:      0 6
### END INIT INFO
# July 9, 2007
# James B. Crocker <ubuntu@james.crocker.name>
# Creative Commons Attribution - Share Alike 3.0 License (BY,SA)
# Script to load/unload/save iptables firewall settings.

PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
IPTABLES=/sbin/iptables
IPTABLES_SAVE=/sbin/iptables-save
IPTABLES_RESTORE=/sbin/iptables-restore
IPTABLES_CONFIG=/etc/iptables.conf

[ -x $IPTABLES ] || exit 0

. /lib/lsb/init-functions

case "$1" in
    start)
        log_action_begin_msg "Starting firewall"
        type usplash_write >/dev/null 2>/dev/null && usplash_write "TIMEOUT 120" || true
        if $IPTABLES_RESTORE < $IPTABLES_CONFIG ; then
            log_action_end_msg $?
        else
            log_action_end_msg $?
        fi
        type usplash_write >/dev/null 2>/dev/null && usplash_write "TIMEOUT 15" || true
        ;;
    stop)
        log_action_begin_msg "Saving current firewall configuration"
        if $IPTABLES_SAVE > $IPTABLES_CONFIG ; then
            log_action_end_msg $?
        else
            log_action_end_msg $?
        fi
        log_action_begin_msg "Flushing ALL firewall rules from chains!"
        if $IPTABLES -F ; then
            log_action_end_msg $?
        else
            log_action_end_msg $?
        fi
        log_action_begin_msg "Deleting ALL firewall chains [Warning: ACCEPTING ALL PORT SERVICES!]"
        if $IPTABLES -X ; then
            $IPTABLES -P INPUT ACCEPT
            $IPTABLES -P FORWARD ACCEPT
            $IPTABLES -P OUTPUT ACCEPT
            log_action_end_msg $?
        else
            log_action_end_msg $?
        fi
        ;;
    save)
        log_action_begin_msg "Saving current firewall configuration"
        if $IPTABLES_SAVE > $IPTABLES_CONFIG ; then
            log_action_end_msg $?
        else
            log_action_end_msg $?
        fi
        ;;
    force-reload|restart)
        log_action_begin_msg "Reloading firewall configuration [Warning: POTENTIAL NETWORK INSECURITY DURING RELOAD]"
        $IPTABLES -F
        $IPTABLES -X
        if $IPTABLES_RESTORE < $IPTABLES_CONFIG ; then
            log_action_end_msg $?
        else
            log_action_end_msg $?
        fi
        ;;
    *)
        echo "Usage: /etc/init.d/iptables {start|stop|save|restart|force-reload}"
        exit 1
        ;;
esac

exit 0
This script is part of this tutorial; all the commands to configure the firewall must be put, as the script above expects, into the /etc/iptables.conf file. This script must be saved as a file called iptables in /etc/init.d and made executable using
chmod +x /etc/init.d/iptables
and the service added to the runlevels using
update-rc.d iptables defaults
You can add new rules from the shell; these rules will be immediately active and will be added to /etc/iptables.conf when the service stops (which means they will be saved when the system shuts down).
I hope this will be helpful to everyone.
Because both iptables and ufw are ways to manage the netfilter firewall in Linux, and because both are available by default in Ubuntu, you can use either to start and stop (and manage) firewall rules.
iptables is more flexible, but because ufw provides a very simple interface language for simple and typical functions you can use:
sudo ufw disable
# To disable the firewall
sudo ufw enable
# To enable the firewall
To see current firewall settings use sudo ufw status verbose, or iptables -L.
The Ubuntu Community docs pages on iptables and UFW have a great deal more info.
Looks like there are several ways to manage the firewall in Ubuntu, so you may be interested in reading this: https://help.ubuntu.com/community/IptablesHowTo#Configuration%20on%20startup
To drop all current rules you can use these commands (put them in some script):
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
iptables -t mangle -F
iptables -t mangle -X
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -F
iptables -t filter -X
In the usual case, your default firewall rules are saved in some file (for example, /etc/iptables.rules). While the system boots, the command iptables-restore < /etc/iptables.rules is executed to load the firewall rules. So, executing the same command after you have dropped all rules using the above commands will result in the "firewall reload" you asked for.
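The answer above and the iptables-save/iptables-restore answer earlier in the thread both work on the same text format. As an added example (not code from any of the answers), here are two POSIX sh helpers built on that format: reset_ruleset prints a ruleset that, piped into iptables-restore, opens the filter, nat, mangle and raw tables in one atomic commit (every built-in chain gets policy ACCEPT, and since the ruleset declares no rules and no user chains, iptables-restore drops them all, replacing the long -P/-F/-X sequence with a single transaction); audit_ruleset reads iptables-save output and lists every chain whose policy is not ACCEPT, every leftover user chain and every rule, exiting 0 only when the firewall is fully open. The built-in chain lists are an assumption about current kernels (nat's INPUT chain exists since Linux 2.6.34; the security table is left alone), the sample ruleset is constructed, and nothing here touches the kernel unless you pipe the output into iptables-restore yourself.

```shell
#!/bin/sh
# Added example: helpers around the iptables-save / iptables-restore text format.

# Built-in chains of each table, in iptables-save order (assumed current kernel).
chains_for_table() {
    case "$1" in
        filter) echo "INPUT FORWARD OUTPUT" ;;
        nat)    echo "PREROUTING INPUT OUTPUT POSTROUTING" ;;
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        raw)    echo "PREROUTING OUTPUT" ;;
        *)      return 1 ;;
    esac
}

# Emit an "everything ACCEPT, no rules, no user chains" ruleset for all four
# tables. Apply with:  reset_ruleset | sudo iptables-restore
reset_ruleset() {
    for table in filter nat mangle raw; do
        printf '*%s\n' "$table"
        for chain in $(chains_for_table "$table"); do
            # ":CHAIN POLICY [packets:bytes]" -- counters restart at zero
            printf ':%s ACCEPT [0:0]\n' "$chain"
        done
        printf 'COMMIT\n'
    done
}

# Read iptables-save output on stdin; print everything that keeps the firewall
# from being wide open. Returns 0 when there are no findings, 1 otherwise.
audit_ruleset() {
    table="?"
    findings=0
    while IFS= read -r line; do
        case "$line" in
            '#'*|COMMIT|'') ;;                      # comments, commits, blanks
            '*'*) table="${line#\*}" ;;             # "*filter" starts a table
            ':'*)                                   # ":INPUT DROP [0:0]"
                rest="${line#:}"
                chain="${rest%% *}"
                rest="${rest#* }"
                policy="${rest%% *}"
                if [ "$policy" = "-" ]; then        # user chains carry "-"
                    echo "$table: user-defined chain $chain still present"
                    findings=$((findings + 1))
                elif [ "$policy" != "ACCEPT" ]; then
                    echo "$table: built-in chain $chain policy is $policy"
                    findings=$((findings + 1))
                fi
                ;;
            '-A '*|'-I '*)                          # a rule in some chain
                echo "$table: rule present: $line"
                findings=$((findings + 1))
                ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample of iptables-save output (not captured from a real host):
# a locked-down filter table with a user chain, plus an untouched nat table.
SAMPLE_CLOSED='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ssh-guard - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ssh-guard
-A ssh-guard -m conntrack --ctstate NEW -m limit --limit 3/min -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

# Demo (no root needed): audit the sample, then audit the reset ruleset itself.
printf '%s\n' "$SAMPLE_CLOSED" | audit_ruleset || echo "sample: NOT open"
reset_ruleset | audit_ruleset && echo "reset ruleset: open"
```

On a live host, `sudo iptables-save | audit_ruleset` is the check to run after any of the "disable" recipes in this thread: if it prints nothing, every table is really open; if it lists a nat or mangle chain, a recipe that only touched the filter table has left rules behind. The same format is used by ip6tables-save/ip6tables-restore, so the audit applies unchanged to IPv6 (the reset ruleset's nat table needs a kernel with IPv6 NAT, 3.7 or later).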
If I recall correctly, the suggested way to set up iptables in the Ubuntu guides is to set it up as part of the networking scripts, which means there is no /etc/init.d/iptables script like there is in BSD-style OSs.
Create a file in /etc/init.d/
touch /etc/init.d/fw.rc
Make the file executable
chmod +x /etc/init.d/fw.rc
Make a symlink to that file in /etc/rc2.d/
ln -s /etc/init.d/fw.rc /etc/rc2.d/S80firewall
Edit S80firewall and add the following
#!/bin/sh
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -F
You can add all your custom iptables rules to this file
Now you can restart the firewall (iptables) by running /etc/rc2.d/S80firewall (must be root)
I had the same issue.
In fact, there was no iptables-persistent in /etc/init.d
So, I created the iptables-persistent file in /etc/init.d
nano /etc/init.d/iptables-persistent
and wrote the following inside:
#!/bin/sh
# Written by Simon Richter <sjr@debian.org>
# modified by Jonathan Wiltshire <jmw@debian.org>
# with help from Christoph Anton Mitterer
#
### BEGIN INIT INFO
# Provides:          iptables-persistent
# Required-Start:    mountkernfs $local_fs
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# X-Start-Before:    $network
# X-Stop-After:      $network
# Short-Description: Set up iptables rules
# Description:       Loads/saves current iptables rules from/to /etc/iptables
#                    to provide a persistent rule set during boot time
### END INIT INFO

. /lib/lsb/init-functions

rc=0

load_rules()
{
    log_action_begin_msg "Loading iptables rules"

    #load IPv4 rules
    if [ ! -f /etc/iptables/rules.v4 ]; then
        log_action_cont_msg " skipping IPv4 (no rules to load)"
    else
        log_action_cont_msg " IPv4"
        iptables-restore < /etc/iptables/rules.v4 2> /dev/null
        if [ $? -ne 0 ]; then
            rc=1
        fi
    fi

    #load IPv6 rules
    if [ ! -f /etc/iptables/rules.v6 ]; then
        log_action_cont_msg " skipping IPv6 (no rules to load)"
    else
        log_action_cont_msg " IPv6"
        ip6tables-restore < /etc/iptables/rules.v6 2> /dev/null
        if [ $? -ne 0 ]; then
            rc=1
        fi
    fi

    log_action_end_msg $rc
}

save_rules()
{
    log_action_begin_msg "Saving rules"

    #save IPv4 rules
    #need at least iptable_filter loaded:
    /sbin/modprobe -q iptable_filter
    if [ ! -f /proc/net/ip_tables_names ]; then
        log_action_cont_msg " skipping IPv4 (no modules loaded)"
    elif [ -x /sbin/iptables-save ]; then
        log_action_cont_msg " IPv4"
        iptables-save > /etc/iptables/rules.v4
        if [ $? -ne 0 ]; then
            rc=1
        fi
    fi

    #save IPv6 rules
    #need at least ip6table_filter loaded:
    /sbin/modprobe -q ip6table_filter
    if [ ! -f /proc/net/ip6_tables_names ]; then
        log_action_cont_msg " skipping IPv6 (no modules loaded)"
    elif [ -x /sbin/ip6tables-save ]; then
        log_action_cont_msg " IPv6"
        ip6tables-save > /etc/iptables/rules.v6
        if [ $? -ne 0 ]; then
            rc=1
        fi
    fi

    log_action_end_msg $rc
}

flush_rules()
{
    log_action_begin_msg "Flushing rules"

    if [ ! -f /proc/net/ip_tables_names ]; then
        log_action_cont_msg " skipping IPv4 (no module loaded)"
    elif [ -x /sbin/iptables ]; then
        log_action_cont_msg " IPv4"
        for param in F Z X; do /sbin/iptables -$param; done
        for table in $(cat /proc/net/ip_tables_names)
        do
            /sbin/iptables -t $table -F
            /sbin/iptables -t $table -Z
            /sbin/iptables -t $table -X
        done
        for chain in INPUT FORWARD OUTPUT
        do
            /sbin/iptables -P $chain ACCEPT
        done
    fi

    if [ ! -f /proc/net/ip6_tables_names ]; then
        log_action_cont_msg " skipping IPv6 (no module loaded)"
    elif [ -x /sbin/ip6tables ]; then
        log_action_cont_msg " IPv6"
        for param in F Z X; do /sbin/ip6tables -$param; done
        for table in $(cat /proc/net/ip6_tables_names)
        do
            /sbin/ip6tables -t $table -F
            /sbin/ip6tables -t $table -Z
            /sbin/ip6tables -t $table -X
        done
        for chain in INPUT FORWARD OUTPUT
        do
            /sbin/ip6tables -P $chain ACCEPT
        done
    fi

    log_action_end_msg 0
}

case "$1" in
start|restart|reload|force-reload)
    load_rules
    ;;
save)
    save_rules
    ;;
stop)
    # Why? because if stop is used, the firewall gets flushed for a variable
    # amount of time during package upgrades, leaving the machine vulnerable
    # It's also not always desirable to flush during purge
    echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
    ;;
flush)
    flush_rules
    ;;
*)
    echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
    exit 1
    ;;
esac

exit $rc
and then gave chmod 755 permission.
chmod 755 /etc/init.d/iptables-persistent
Now it works perfectly! Hope it can help someone.
If you're running Ubuntu server as a VM guest (e.g. in VirtualBox), then libvirt may be enabled. If so, libvirt contains some in-built network filters which utilise iptables. These filters may be configured as described in the firewall section on nwfilters.
To disable the iptables rules you'll either need to remove all offending rules from libvirt, or you can just disable libvirt if you're not using it - e.g. install a manual override config (then reboot):
sudo bash -c 'echo "manual" > /etc/init/libvirt-bin.override'
There is none by default, but in recent Debian derivatives (including Ubuntu) you can install a service to manage iptables:
sudo apt install iptables-persistent
You can then load previously saved rules:
systemctl start netfilter-persistent
Review what happened:
systemctl status netfilter-persistent
netfilter-persistent.service - netfilter persistent configuration
Loaded: loaded (/lib/systemd/system/netfilter-persistent.service; enabled; vendor preset: enabled)
Active: active (exited) since Sun 2019-03-24 10:49:50 IST; 16min ago
Main PID: 1674 (code=exited, status=0/SUCCESS)
Tasks: 0
Memory: 0B
CPU: 0
CGroup: /system.slice/netfilter-persistent.service
Mar 24 10:49:50 ubuntu systemd[1]: Starting netfilter persistent configuration...
Mar 24 10:49:50 ubuntu netfilter-persistent[1674]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
Mar 24 10:49:50 ubuntu netfilter-persistent[1674]: Warning: skipping IPv4 (no rules to load)
Mar 24 10:49:50 ubuntu netfilter-persistent[1674]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
Mar 24 10:49:50 ubuntu netfilter-persistent[1674]: Warning: skipping IPv6 (no rules to load)
Mar 24 10:49:50 ubuntu systemd[1]: Started netfilter persistent configuration.
Mar 24 11:02:49 ubuntu systemd[1]: Started netfilter persistent configuration.
Or stop the service:
systemctl stop netfilter-persistent
Stopping the service will, by default, not flush iptables (i.e. will not disable the firewall; see man netfilter-persistent).
You're using the command that's appropriate for RedHat and CentOS, not Ubuntu or Debian.
http://www.cyberciti.biz/faq/ubuntu-server-disable-firewall/