Make iptables configuration persistent using essential system utilities or a designated boot-time loader.
Use essential system utilities
This simple solution is most suitable for a system with a single network interface.
Edit the /etc/network/interfaces global configuration file, or a specific interface configuration in the /etc/network/interfaces.d/ directory, to define pre-down and post-up options that save and load the iptables configuration using the /etc/firewall.rules file.
allow-hotplug eth0
iface eth0 inet static
  address 192.168.0.5
  netmask 255.255.255.0
  gateway 192.168.0.254
  pre-down iptables-save > /etc/firewall.rules
  post-up iptables-restore < /etc/firewall.rules
Firewall configuration will be saved before taking the interface down and restored after bringing the interface up.
Use boot-time loader for firewall rules
Install the iptables-persistent package.
$ sudo apt-get install iptables-persistent
Store IPv4 iptables configuration during the installation process.
Store IPv6 iptables configuration during the installation process.
Use dpkg-reconfigure when you need to execute this step later.
$ sudo dpkg-reconfigure iptables-persistent
Ensure that the netfilter-persistent service is enabled at boot.
$ sudo systemctl enable netfilter-persistent
Change the FLUSH_ON_STOP variable in the /etc/default/netfilter-persistent default configuration file to flush firewall rules when the service is stopped. It is not necessary to perform this step if you want the default behavior.
$ cat /etc/default/netfilter-persistent
# Configuration for netfilter-persistent
# Plugins may extend this file or have their own
FLUSH_ON_STOP=0
IPv4 firewall rules are not saved automatically on system shutdown. Use the following command to update these.
$ sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
IPv6 firewall rules are not saved automatically on system shutdown. Use the following command to update these.
$ sudo sh -c 'ip6tables-save > /etc/iptables/rules.v6'
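Because the rules files are only updated when someone runs the save commands, the running ruleset can silently drift from what will be restored at boot. The script below is an added example, not part of the original article: it compares an iptables-save dump with the saved file while ignoring timestamps and packet counters. The function names, the --live switch, the script name and the sample dumps are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report drift between a saved rules file and the live ruleset.
# Assumes both dumps list their tables in the same order.

# Drop what changes in an iptables-save dump without any rule changing:
# "# Generated by"/"# Completed on" comments and the [packets:bytes] counters
# on chain policy lines and (with "iptables-save -c") in front of rules.
normalize_rules() {
    sed -e '/^#/d' -e '/^$/d' \
        -e 's/^\(:[^ ]* [^ ]*\) \[[0-9]*:[0-9]*]$/\1/' \
        -e 's/^\[[0-9]*:[0-9]*] //'
}

# rules_drift SAVED RUNNING: print a diff and return 1 when the rules differ.
rules_drift() {
    drift_a=$(mktemp) && drift_b=$(mktemp) || return 2
    normalize_rules < "$1" > "$drift_a"
    normalize_rules < "$2" > "$drift_b"
    drift_rc=0
    diff -u "$drift_a" "$drift_b" || drift_rc=1
    rm -f "$drift_a" "$drift_b"
    return "$drift_rc"
}

# Constructed sample dumps (not from a real host), written into directory $1:
# saved = file on disk, same = same rules with new timestamps and counters,
# drift = running ruleset with one rule that was never saved.
write_samples() {
    printf '%s\n' '# Generated by iptables-save on Mon Jan  1 10:00:00 2024' \
        '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' \
        'COMMIT' '# Completed on Mon Jan  1 10:00:00 2024' > "$1/saved.v4"
    sed -e 's/10:00:00/18:30:00/' -e 's/\[0:0]/[1520:98304]/' \
        "$1/saved.v4" > "$1/same.v4"
    sed -e '/--dport 22/a\
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT' "$1/same.v4" > "$1/drift.v4"
}

# Live check, run as root: sh check-drift.sh --live  (script name is hypothetical)
if [ "${1:-}" = "--live" ]; then
    live=$(mktemp) && iptables-save > "$live" || exit 2
    rules_drift /etc/iptables/rules.v4 "$live"; live_rc=$?
    rm -f "$live"
    [ "$live_rc" -eq 0 ] && echo "saved rules match the running ruleset"
    exit "$live_rc"
fi
```

A non-zero exit from the live check means the running rules contain changes that will be lost at the next boot unless they are saved; the same functions work on ip6tables-save output and /etc/iptables/rules.v6.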
Additional notes
Import iptables-persistent package configuration before package installation to automate the whole process.
$ cat << EOF | sudo debconf-copydb pipe configdb --config=Name:pipe --config=Driver:Pipe
Name: iptables-persistent/autosave_v4
Template: iptables-persistent/autosave_v4
Value: true
Owners: iptables-persistent
Flags: seen

Name: iptables-persistent/autosave_v6
Template: iptables-persistent/autosave_v6
Value: true
Owners: iptables-persistent
Flags: seen
EOF
Export iptables-persistent package configuration using the following command.
$ sudo debconf-copydb configdb stdout \
    --config=Name:stdout \
    --config=Driver:Pipe \
    --config=InFd:none \
    --pattern='^iptables-persistent/'
Read how to copy answers to the configuration questions for Debian packages for more detailed information.