Persistent Iptables Rules in Ubuntu 16.04 Xenial Xerus
Firewall, Iptables, Linux, Security, Server, Sysadmin
The procedure for persisting firewall rules on Ubuntu 16.04 differs from the one for 14.04.
The firewall setup itself is broadly the same as for 14.04, as described here.
This article briefly describes how to import a set of iptables rules onto a 16.04 server and make those rules persist across reboots.
Export Rules
If you're exporting a ruleset from an existing Ubuntu 14.04 server, log in to that machine. Assuming that the iptables-persistent package is installed there, run the following commands:
Copy the resulting ruleset files (for example with scp) to a temporary location on your Ubuntu 16.04 server.
Install iptables-persistent
Import Rules
Save Rules
To save the imported rules, run the iptables-persistent dpkg-reconfigure script:
NOTE: The commands sudo netfilter-persistent save and sudo netfilter-persistent reload should work, but we've had problems with these commands and resorted to the dpkg-reconfigure option. It may be that a restart of the service (sudo systemctl restart netfilter-persistent) is necessary after running these commands.
Running dpkg-reconfigure causes iptables-persistent to repeat its install procedure: it prompts you to save the current rules. The current iptables rules are saved by means of iptables-save >/etc/iptables/rules.v4 and ip6tables-save >/etc/iptables/rules.v6. You should then see your rules in /etc/iptables/rules.v4 and /etc/iptables/rules.v6.
On reboot the iptables-persistent package (through its netfilter-persistent service) loads those two files back into the kernel with iptables-restore < /etc/iptables/rules.v4 and ip6tables-restore < /etc/iptables/rules.v6, so whatever is in the files at boot time is exactly the firewall you get.
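The whole export / copy / install / import / save sequence above, as an added example script (it is not the article's own command listing): each step is a shell function, and two checks run on the copied files before anything is loaded, so a malformed dump or a ruleset with no SSH rule is caught before iptables-restore applies it over the SSH session you are working in. The old server's hostname (OLD_HOST), the temporary directories under /tmp, and the allows_ssh heuristic (it only looks for an explicit --dport 22 ACCEPT on INPUT when the INPUT policy is DROP or REJECT) are assumptions made for the example. The save step writes the two files directly with iptables-save instead of answering the dpkg-reconfigure prompt; the resulting files are the same.

```shell
#!/bin/bash
# Added example (not the original article's commands): the export / copy /
# install / import / save procedure as shell functions, with sanity checks
# on the copied rules before they are loaded.
# Assumptions: OLD_HOST is the 14.04 server, reachable over ssh; both hosts
# have the iptables-persistent package available; the user has sudo.
set -u

OLD_HOST="${OLD_HOST:-old-server.example.com}"   # assumed hostname of the 14.04 box
EXPORT_DIR=/tmp/iptables-export                  # where export_rules writes on the old host
TMP_DIR=/tmp/iptables-migration                  # temporary location on the 16.04 host
RULES_DIR=/etc/iptables                          # where iptables-persistent keeps its rules

# Step 1, run on the Ubuntu 14.04 server: dump the live IPv4 and IPv6 rules.
export_rules() {
    local out_dir="$1"
    mkdir -p "$out_dir"
    sudo iptables-save  > "$out_dir/rules.v4"
    sudo ip6tables-save > "$out_dir/rules.v6"
}

# Step 2, run on the Ubuntu 16.04 server: fetch both dumps over scp.
copy_rules() {
    local old_host="$1" remote_dir="$2" local_dir="$3"
    mkdir -p "$local_dir"
    scp "$old_host:$remote_dir/rules.v4" "$old_host:$remote_dir/rules.v6" "$local_dir/"
}

# A dump must be iptables-save output (a *filter table and a COMMIT), or
# iptables-restore rejects it part-way and leaves a partial ruleset behind.
looks_like_ruleset() {
    local file="$1"
    grep -q '^\*filter' "$file" && grep -q '^COMMIT' "$file"
}

# Lockout check (a heuristic assumed for this example): with a DROP or REJECT
# INPUT policy there must be an explicit rule accepting tcp/22, otherwise
# restoring the rules over ssh cuts off the session you are typing in.
allows_ssh() {
    local file="$1"
    if grep -Eq '^:INPUT (DROP|REJECT)' "$file"; then
        grep -Eq -- '-A INPUT .*--dport 22 .*-j ACCEPT' "$file"
    else
        return 0   # INPUT policy is ACCEPT: ssh stays reachable
    fi
}

# Step 3: install the package. Its debconf prompt asks whether to save the
# rules loaded right now; either answer is fine, step 5 overwrites the files.
install_persistent() {
    sudo apt-get install -y iptables-persistent
}

# Step 4: load the copied rules into the running kernel, IPv4 then IPv6.
import_rules() {
    local dir="$1"
    sudo iptables-restore  < "$dir/rules.v4"
    sudo ip6tables-restore < "$dir/rules.v6"
}

# Step 5: persist the now-loaded rules, writing the same files that the
# dpkg-reconfigure prompt would write.
save_rules() {
    sudo sh -c "iptables-save  > $RULES_DIR/rules.v4"
    sudo sh -c "ip6tables-save > $RULES_DIR/rules.v6"
}

# Steps 2 to 5 on the 16.04 host, refusing to continue on a bad dump.
migrate() {
    copy_rules "$OLD_HOST" "$EXPORT_DIR" "$TMP_DIR"
    for f in "$TMP_DIR/rules.v4" "$TMP_DIR/rules.v6"; do
        looks_like_ruleset "$f" || { echo "$f is not iptables-save output" >&2; return 1; }
    done
    allows_ssh "$TMP_DIR/rules.v4" || { echo "rules.v4 has no ssh ACCEPT, refusing" >&2; return 1; }
    install_persistent
    import_rules "$TMP_DIR"
    save_rules
}

# Only act when explicitly asked; otherwise this file just defines the functions.
if [ "${RUN_MIGRATION:-0}" = 1 ]; then
    migrate
fi
```

Run export_rules /tmp/iptables-export on the 14.04 host first (source the file and call the function), then RUN_MIGRATION=1 OLD_HOST=your-old-server ./migrate.sh on the 16.04 host. Sourcing the file without RUN_MIGRATION only defines the functions, which is how the checks can be exercised on a copy of the dumps before touching the live firewall.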
Persistent Rules and Fail2Ban
If you save iptables rules for restoration on reboot and they contain rules added by Fail2Ban, Fail2Ban will duplicate those rules on boot, because it creates its chains and jumps afresh on every start. After a few reboots the ruleset can get very messy.
To avoid this, stop the fail2ban service (sudo systemctl stop fail2ban) before saving the rules, and manually edit the saved files to remove any remaining references to Fail2Ban chains. Rebooting should then result in the correct rules being loaded, as Fail2Ban adds its own when it starts.
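The stop-save-edit step, as an added example script (not part of the original article): strip_fail2ban filters the Fail2Ban chain definitions, the jumps into them and the banned-address rules out of iptables-save output, fail2ban_refs counts what is left so you can verify a saved file, and save_rules_without_fail2ban stops Fail2Ban, writes the filtered IPv4 and IPv6 files, and starts it again. The chain-name prefixes fail2ban- (the 0.9.x naming that Xenial ships) and f2b- (used by 0.10 and later) and the /etc/iptables location are assumptions made for the example.

```shell
#!/bin/bash
# Added example, not from the original article: save the rules with the
# Fail2Ban-managed chains and jumps stripped out, so the saved file holds
# only your own policy and Fail2Ban rebuilds its chains cleanly on boot.
# Assumptions: Fail2Ban names its chains fail2ban-<jail> (0.9.x, as on
# Xenial) or f2b-<jail> (0.10+); iptables-persistent reads /etc/iptables.
set -u

# Drop every line that defines a Fail2Ban chain (":fail2ban-ssh - [0:0]"),
# jumps into one ("... -j fail2ban-ssh") or appends to one ("-A fail2ban-ssh ...").
# Reads iptables-save output on stdin, writes the filtered ruleset to stdout.
strip_fail2ban() {
    grep -Ev '(^:|-j |-A )(fail2ban|f2b)-'
}

# Number of Fail2Ban references in a saved rules file; 0 is what you want.
fail2ban_refs() {
    grep -Ec '(^:|-j |-A )(fail2ban|f2b)-' "$1" || true
}

# Persist the live rules without Fail2Ban's chains. Stopping the service
# first lets Fail2Ban remove its own chains; the filter then catches anything
# a crashed or stale jail left behind.
save_rules_without_fail2ban() {
    local rules_dir="${1:-/etc/iptables}"
    sudo systemctl stop fail2ban
    sudo iptables-save  | strip_fail2ban | sudo tee "$rules_dir/rules.v4" >/dev/null
    sudo ip6tables-save | strip_fail2ban | sudo tee "$rules_dir/rules.v6" >/dev/null
    sudo systemctl start fail2ban     # recreates its chains from the configured jails
    echo "fail2ban references left in rules.v4: $(fail2ban_refs "$rules_dir/rules.v4")"
}

# Only act when explicitly asked; otherwise this file just defines the functions.
if [ "${RUN_SAVE:-0}" = 1 ]; then
    save_rules_without_fail2ban
fi
```

Run it as RUN_SAVE=1 ./save-clean.sh on the 16.04 host; afterwards fail2ban_refs /etc/iptables/rules.v4 should print 0 and `sudo iptables -S` should show the Fail2Ban chains once only, recreated by the restarted service. The filter is deliberately narrow (it keys on the chain-name prefix) so that a rule of your own that merely mentions port 22 is never removed.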
Resources