Comments on: Standard Process for Restoring IPtables at Boot?

By: Tig

Tig — Sun, 08 Mar 2009 12:20:20 +0000

Got to love Google and the Debian community. Thank you for helping me to decide which way is best for this very task.

I use Firewall Builder to create my rules (God I love that program) and save the rules into defaults as per the way you advise. However, I’m with Adam on using a script in if-up.d to restore, it just makes more sense to me personally.

Great advice from all, however.

/Tig

By: MTecknology

MTecknology — Wed, 04 Mar 2009 18:03:43 +0000

I do the rc.local as well.

By: budiw

budiw — Tue, 03 Mar 2009 09:06:23 +0000

I’m using /etc/rc.local. The script of iptables I save in some file, and then loaded in rc.local

–budiw

By: James Nachbar

James Nachbar — Sun, 01 Mar 2009 21:45:20 +0000

With the new Upstart init system, I just create a new file, /etc/event.d/iptables :

# Script to start firewall
# Save rules with iptables-save > /etc/default/iptables

start on runlevel 1
start on runlevel 2
start on runlevel 3
start on runlevel 4
start on runlevel 5

exec /sbin/iptables-restore < /etc/default/iptables

That way, you aren’t changing any existing files, just adding the new one. On every reboot, the iptables rules get loaded. You can check that they are loaded with:

sudo /sbin/iptables-save | less

By: zonky

zonky — Sun, 01 Mar 2009 19:15:38 +0000

It’s worth remembering with the proliferation of Xen based Virtual Hosting, that /etc/network/interfaces seems to be commonly replaced at bootup.

You’re probably safer to stick this in
/etc/network/if-up.d

By: Tim.

Tim. — Sun, 01 Mar 2009 15:45:13 +0000

I just use something like shorewall… way easier to maintain in the long run.

By: agentk

agentk — Sat, 28 Feb 2009 21:52:43 +0000

I actually liked the Redhat init script that much that I just copied to my Ubuntu install and made come changes from there.
It just saves the tables to /etc/iptables/config now.

By: Anthony

Anthony — Sat, 28 Feb 2009 21:28:43 +0000

I’m using ufw on my boxes and it seems to take care of that on it’s own, storing the rules in /var/lib/ufw/user.rules. However your solution seems fairly solid to me.

By: Matt Mossholder

Matt Mossholder — Sat, 28 Feb 2009 19:03:38 +0000

The only gotcha I can think of with doing it in /etc/network/interfaces is that you are tying the ruleset to a specific interface. If that interface doesn’t come up for some reason, the iptables rules don’t get loaded.

It is too bad that iptables-save doesn’t have options to save the rules by interface, such that we could save global rules, and load them when lo starts, and interface specific rules that could be loaded with each interface.

As things stand, I would probably have the pre-up bound to lo, rather than eth0.

By: Adam

Adam — Sat, 28 Feb 2009 18:47:58 +0000

I use a short script in /etc/network/if-up.d which contains other scripts such as reloading OpenSSH so it can bind to the new address, running ntpdate, etc.

$ cat /etc/network/if-up.d/iptables
iptables-restore < /etc/iptables.up.rules