3

I have tried many similar questions, like the ones below; in my case I used a VM with Debian OS in VirtualBox:

  1. How to start/stop iptables on Ubuntu?
  2. https://unix.stackexchange.com/questions/52376/why-do-iptables-rules-disappear-when-restarting-my-debian-system
  3. https://www.digitalocean.com/community/tutorials/how-to-list-and-delete-iptables-firewall-rules
  4. https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-iptables-on-ubuntu-14-04

I have tried to flush the iptables rules with these commands.

sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT

Followed by these commands:

sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo iptables -F
sudo iptables -X

When I reboot the VM, I still get the same rules. I tried to use iptables-save, and I always got these rules.

# Generated by iptables-save v1.4.21 on Wed Mar 28 03:44:14 2018
*nat
:PREROUTING ACCEPT [127:23299]
:INPUT ACCEPT [14:1996]
:OUTPUT ACCEPT [32:1947]
:POSTROUTING ACCEPT [32:1947]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Wed Mar 28 03:44:14 2018
# Generated by iptables-save v1.4.21 on Wed Mar 28 03:44:14 2018
*mangle
:PREROUTING ACCEPT [4925:1051078]
:INPUT ACCEPT [4925:1051078]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4791:1080206]
:POSTROUTING ACCEPT [4791:1080206]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Wed Mar 28 03:44:14 2018
# Generated by iptables-save v1.4.21 on Wed Mar 28 03:44:14 2018
*security
:INPUT ACCEPT [4826:1030935]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4814:1084121]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Wed Mar 28 03:44:14 2018
# Generated by iptables-save v1.4.21 on Wed Mar 28 03:44:14 2018
*raw
:PREROUTING ACCEPT [4949:1054264]
:OUTPUT ACCEPT [4815:1084545]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Wed Mar 28 03:44:14 2018
# Generated by iptables-save v1.4.21 on Wed Mar 28 03:44:14 2018
*filter
:INPUT ACCEPT [2653:591941]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2649:609004]
COMMIT
# Completed on Wed Mar 28 03:44:14 2018

What I want is like the rules below. I have set my rules.v4 to this:

# Generated by iptables-save v1.4.21 on Tue Mar 27 02:48:59 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Mar 27 02:48:59 2018

But whenever I reboot the system, I always get the previous rules...

What could go wrong with my configuration? Have I missed something?

I have tried to uninstall iptables-persistent and reinstall it again, but I still get the same rules...

Gagantous

6 Answers

3

What is in your rules.v4 is what is going to be used when the system boots. You can save your running configuration with iptables-save > rules.v4, and then it will persist post reboot if you are running iptables-persistent.

It is because iptables-save only prints your configuration to STDOUT, but you want to store your configuration in the rules.v4 file.

JonathanDavidArndt
Petter H
  • Okay, I have done the `iptables-save > rules.v4` command, so what's next? – Gagantous Mar 28 '18 at 08:33
  • I couldn't run `iptables-persistent` – Gagantous Mar 28 '18 at 08:34
  • You enable the service with `systemctl enable iptables-persistent`, but I think it does that by default, so there should be no more steps involved. – Petter H Mar 28 '18 at 08:40
  • It says no such file or directory... – Gagantous Mar 28 '18 at 08:43
  • https://wiki.debian.org/iptables – Petter H Mar 28 '18 at 08:53
  • Okay, looks like I have to set both my `iptables-save > rules.v4` and my `ip6tables-save > rules.v6` – Gagantous Mar 28 '18 at 09:48
  • First I deleted my `rules.v4` and `rules.v6` and made new ones based on my own rules. Then I set `iptables-save > rules.v4` and for IPv6 I set `ip6tables-save > rules.v6`, and then I rebooted the system, and the rules seem to work now. But before I did all of that, I flushed and deleted the rules to the default setting. – Gagantous Mar 28 '18 at 09:51
2

To save the current rules to a file, use iptables-save. For example:

iptables-save > /etc/sysconfig/iptables

To load the saved rules from that file, use iptables-restore. For example:

iptables-restore < /etc/sysconfig/iptables
Sukhjinder Singh
2

What I usually do is put a firewall script into my /root folder which includes all iptables commands. At the end I add

iptables-save > /etc/iptables.conf
ip6tables-save > /etc/ip6tables.conf

Then save it, chmod +x the script and run it.

Then in my /etc/network/interfaces I add

pre-up iptables-restore < /etc/iptables.conf
pre-up ip6tables-restore < /etc/ip6tables.conf

to the iface lo section.

This also allows me to copy firewall settings between servers since I usually use a policy drop and only open needed ports.

Also, a big security concern:

sudo iptables -P INPUT ACCEPT

This command sets the POLICY to accept. This means every port on your machine is set to be open. Always use policy drop and only open needed ports.

Broco
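An added shell example, not from this thread or any of its answers, that applies the policy point above to a saved ruleset before it is restored: it reads an iptables-save dump on stdin (a constructed sample, modelled on the question's dump, is embedded inline), prints each built-in chain's default policy per table, warns when the filter table's INPUT or FORWARD policy is ACCEPT, and counts the user-defined chains each table carries, which is how the extra chains in the question's dump would show up. The function name audit_iptables_dump is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save dump read on stdin.
# Reports built-in chain policies per table, warns when the filter table's
# INPUT or FORWARD policy is ACCEPT, and counts user-defined chains per table.
# audit_iptables_dump is a hypothetical helper name.
audit_iptables_dump() {
  awk '
    /^\*/ { table = substr($1, 2); next }        # "*nat" -> current table
    /^:/ {
      chain = substr($1, 2)                      # ":INPUT ACCEPT [..]" -> INPUT
      if ($2 == "-") { custom[table]++; next }   # "-" marks a user-defined chain
      printf "%s %s policy=%s\n", table, chain, $2
      if (table == "filter" && $2 == "ACCEPT" && (chain == "INPUT" || chain == "FORWARD"))
        printf "WARNING: filter %s default policy is ACCEPT\n", chain
      next
    }
    END { for (t in custom) printf "%s custom-chains=%d\n", t, custom[t] }
  '
}

# Constructed sample in iptables-save format, modelled on the question's dump
audit_iptables_dump <<'EOF'
*nat
:PREROUTING ACCEPT [127:23299]
:PRE_public - [0:0]
-A PREROUTING -g PRE_public
COMMIT
*filter
:INPUT ACCEPT [2653:591941]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2649:609004]
COMMIT
EOF
```

On a real host the same function can be fed the file that will be loaded at boot (`audit_iptables_dump < /etc/iptables/rules.v4`) or the live ruleset (`iptables-save | audit_iptables_dump`) to compare the two.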
1

iptables does not save your configuration by default, nor does it restore the rules after a reboot.

Consider using Shorewall which is a wrapper for iptables that makes the overall configuration and maintenance easier. Shorewall also has the functionality to save your rules and restore them after reboot.

iptables save

sudo iptables-save > /etc/iptables.rules

iptables restore

You want to restore the rules of iptables before you bring up your interface, else attackers will have a small window where your network is undefended.

You might also want to make a series of rules for when your interface is going down.

Example

auto eth0
iface eth0 inet dhcp
  pre-up iptables-restore < /etc/iptables.rules
  post-down iptables-restore < /etc/iptables.downrules

https://help.ubuntu.com/community/IptablesHowTo

  • There is no such `iptables.rules` file... – Gagantous Mar 28 '18 at 09:27
  • When you issue the iptables save command as shown, it will create the /etc/iptables.rules file. You cannot restore what you have not saved. – Cristian Matthias Ambæk Mar 28 '18 at 10:09
  • This is pretty dangerous, because you bind your firewall settings to a physical interface "eth0". This means that the iptables rules aren't restored if you don't bring up eth0, and interface names can change (especially with the new naming convention). Also, in multi-NIC setups this can be a problem. Better bind it to interface lo. – Broco Mar 28 '18 at 11:42
  • @Broco this is the example taken from the Ubuntu help page. If you have a single FW interface it makes a lot of sense to bind it to the interface you use; if you have multiple interfaces and you aren't into iptables I would again advise Shorewall, which is a wrapper for iptables. And if you bind it to the loopback interface you again need to make sure that lo is brought up before ethX; I am not exactly sure what order the OS does this in. – Cristian Matthias Ambæk Mar 28 '18 at 13:12
1

Have you tried UFW (Uncomplicated Firewall)?! https://wiki.debian.org/Uncomplicated%20Firewall%20%28ufw%29

It's a frontend program for the command line that uses iptables (you also have gufw if needed), making it a lot easier to use iptables.

Camadas
-1

You have to install the package iptables-persistent (apt-get install iptables-persistent) and save your rules in /etc/iptables/rules.v4 for IPv4 and /etc/iptables/rules.v6 for IPv6 (if any). Check out https://unix.stackexchange.com/questions/125833/why-isnt-the-iptables-persistent-service-saving-my-changes for details.

Daniel