Ubuntu 16.04 – Persisting IPTABLE Rules


To persist iptables rules, install the iptables-persistent package:

sudo apt-get install iptables-persistent

Now make your changes to iptables and run the following commands to persist them:

sudo netfilter-persistent save
sudo netfilter-persistent reload

To view the saved rules, look in the directory /etc/iptables/.

iptables start on boot – Ubuntu/Debian


By default, Ubuntu/Debian won't load iptables rules on boot.

To load iptables rules on boot, use the following procedure:

Save the iptables configuration with the iptables-save command:

iptables-save > /etc/iptables.conf

Next, create a file named /etc/network/if-up.d/iptables with the following content:

#!/bin/sh
iptables-restore < /etc/iptables.conf

Make /etc/network/if-up.d/iptables executable with the following command:

chmod +x /etc/network/if-up.d/iptables

Now the iptables rules will be restored on boot.

Whenever you change iptables rules, don't forget to update the iptables.conf file. Use the following command to update it:

iptables-save > /etc/iptables.conf

iptables allow port for ip


To allow only one IP address to access a port, use the following iptables rule:

iptables -I INPUT -p tcp -m tcp -s 192.168.2.20 --dport 8080 -j ACCEPT

The above iptables rule will allow only 192.168.2.20 to access port 8080; all other IP addresses are rejected provided the INPUT chain's default policy (or a later rule) drops traffic to that port, so check that policy with iptables -L.

Similarly, any other IP address and port combination can be used.
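
An added example, not part of the original posts: a POSIX shell script that writes a complete ruleset in the iptables-save format that iptables-restore (and the saved files in /etc/iptables/ or iptables.conf above) consume. It shows that the ACCEPT rule for a single source only restricts access when the INPUT policy is DROP, and keeps loopback, established connections and SSH open so a restore at boot does not lock you out. The addresses and ports are constructed sample values, and check_ruleset is an added helper around iptables-restore --test.

```shell
#!/bin/sh
# Added example: build a ruleset in iptables-save format so iptables-restore
# can load it (for example from the if-up.d script or iptables.conf above).
# An ACCEPT rule for one source address rejects nothing on its own; the
# INPUT policy of DROP is what keeps every other address out.
# Addresses and ports below are constructed sample values.

TRUSTED_IP="${TRUSTED_IP:-192.168.2.20}"
APP_PORT="${APP_PORT:-8080}"
SSH_PORT="${SSH_PORT:-22}"

# Print the ruleset to stdout; redirect it to the file iptables-restore reads.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# keep remote administration reachable before everything else is dropped
-A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
# only the trusted address may reach the application port
-A INPUT -p tcp -s ${TRUSTED_IP} --dport ${APP_PORT} -j ACCEPT
COMMIT
EOF
}

# Parse a saved ruleset without applying it (iptables-restore --test, which
# like iptables itself needs root). Returns 0 if it parses, 1 on a syntax
# error, 2 when iptables-restore is not installed.
check_ruleset() {
    rules_file="$1"
    command -v iptables-restore >/dev/null 2>&1 || return 2
    iptables-restore --test < "$rules_file" >/dev/null 2>&1
}

# Count the INPUT rules for a given destination port in a ruleset file,
# a quick sanity check before the file is handed to iptables-restore.
count_port_rules() {
    grep -c -- "--dport $2 " "$1"
}
```

Run `build_ruleset > /etc/iptables.conf` (as root) and then `check_ruleset /etc/iptables.conf` before rebooting, so a typo is caught while you still have a working ruleset loaded.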

iptables allow one ip address


To allow one trusted IP address to send any incoming traffic to this host, add the following line to your iptables-precursor script:

iptables -A INPUT -s 192.168.2.2 -j ACCEPT

where 192.168.2.2 is the IP address I would like to allow; change the IP address as per your requirement.

After adding the line above, run the following commands to apply it and save the result:

$ source iptables-precursor

$ iptables-save > iptables

In the above commands I used relative paths for iptables-precursor and iptables.

Load iptables on boot Ubuntu


There is no iptables service available in Ubuntu like service iptables start and service iptables stop. Because of this we can't start iptables at boot.

There is a small hack to start iptables on boot in Ubuntu/Debian. I will be explaining it here.

First, write all your iptables rules on your Ubuntu machine.

Then save the iptables rules to a text file with the iptables-save command.

$ sudo iptables-save > iptables_rules

Copy or move the iptables_rules file into some directory (here I am using /etc/sysconfig/).

Now edit /etc/network/interfaces, add the following line below iface lo inet loopback, then save and exit.

pre-up iptables-restore /etc/sysconfig/iptables_rules

Now reboot and check that the iptables rules are in place.

To test, run sudo iptables -L; you should see the rules you added.

-Sany

Remove all iptables rules in Ubuntu

To remove (flush) all iptables rules on your Ubuntu server or desktop, write a small script with the following content.

Create a file named iptables_stop.sh and add the content below to it:

#!/bin/sh
# Flush every rule and delete all user-defined chains in the filter, nat and
# mangle tables, then set the built-in chain policies to ACCEPT. After this
# the host accepts all traffic on every chain.
echo "Stopping firewall and allowing everyone..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Then run sh iptables_stop.sh as root from your command line.

To confirm the change, run iptables -L; the output should look like the one below, with no rules listed.

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

-Sany