How Do I Save Iptables Rules or Settings?

I am using a GUI tool to set up firewall rules for my home computer connected to an ADSL (DSL/Cable) network. However, after a reboot my rules are not saved. Is there any way I can save and load all firewall rules again?

Use the iptables-save command, which dumps the contents of the IP tables to standard output in an easily parseable format. With the I/O redirection provided by your shell, you can save the iptables firewall rules to a file.

To restore iptables rules, use the iptables-restore command. It restores IP tables from data read on standard input, so use your shell's I/O redirection to read from a file.

Examples: Saving and Restoring Iptables Rules

To save the current iptables firewall rules to a file called /root/dsl.fw, enter:
# iptables-save > /root/dsl.fw
To restore iptables rules, enter:
# iptables-restore < /root/dsl.fw

To restore the rules automatically when the Linux system boots, add the following command to your /etc/rc.local file:
# vi /etc/rc.local
Append the line:
/sbin/iptables-restore < /root/dsl.fw
Save and close the file.

Please note that under Red Hat Enterprise Linux (RHEL) / CentOS / Fedora Linux you can use the following commands to save and restore firewall rules. To save the rules to the /etc/sysconfig/iptables file:
# /etc/init.d/iptables save
To restore the rules from /etc/sysconfig/iptables file:
# /etc/init.d/iptables start
If you are using Debian / Ubuntu Linux, open /etc/network/interfaces:
# vi /etc/network/interfaces
Append the following line to the eth0 section:
post-up iptables-restore < /root/dsl.fw
Close and save the file. Reboot the system.
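
A plain `iptables-save > /root/dsl.fw` truncates the file before the command runs, so a failed or interrupted dump leaves an empty or partial file for the boot-time restore to read. The following is an added example, not part of the original article: it dumps to a temporary file, checks that every table section is closed by COMMIT, and only then replaces the saved file. The names `save_rules`, `is_complete_dump` and `DUMP_CMD` are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the article): save the ruleset atomically.
# DUMP_CMD is an assumption of this sketch; it defaults to iptables-save and
# exists so the function can be exercised with a stand-in command.
DUMP_CMD=${DUMP_CMD:-iptables-save}

# is_complete_dump FILE
# Succeeds only if FILE contains at least one "*table" section and every
# section is closed by a COMMIT line, i.e. the dump was not cut short.
is_complete_dump() {
    awk '
        /^\*/      { if (in_table) bad = 1; in_table = 1; tables++; next }
        /^COMMIT$/ { if (!in_table) bad = 1; in_table = 0; next }
        END        { if (bad || in_table || tables == 0) exit 1 }
    ' "$1"
}

# save_rules DEST
# Dumps into a mode-0600 temporary file next to DEST, checks it, and only then
# renames it over DEST. On any failure DEST keeps its previous contents.
save_rules() {
    dest=$1
    tmp=$(umask 077; mktemp "${dest}.XXXXXX") || return 1
    if $DUMP_CMD > "$tmp" && is_complete_dump "$tmp"; then
        mv -f "$tmp" "$dest"
    else
        rm -f "$tmp"
        return 1
    fi
}
```

Run it as root with `save_rules /root/dsl.fw`. On a host with iptables installed, `iptables-restore --test < /root/dsl.fw` additionally parses the saved file without committing it.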


{ 16 comments… add one }
  • Simon Rostron March 6, 2008, 6:42 am

    Thank you! This helped me out a lot.

    • S. P. June 30, 2010, 1:10 pm

      Does not work on Ubuntu 8.04

  • Joe November 14, 2008, 12:47 am

    On Redhat/Fedora, you can do

    service iptables save

    And it will write a file in /etc/sysconfig that will be read on startup if the iptables service is enabled in the current runlevel.

  • Hitesh March 23, 2009, 11:38 am

    Gr8 Man Thanks a lot…..

  • Kirk Steuber June 25, 2009, 5:52 pm

    This solution works well assuming one of two things:
    Either:
    1) You are only using rules that are compatible with the GUI firewall editor (system-config-securitylevel)
    or
    2) You are not using system-config-securitylevel

    system-config-securitylevel rewrites iptables without any lines it does not like (in my case, for example the rule "-I 'RH-Firewall-1-INPUT' 1 -s x.x.x.x -j ACCEPT" where x.x.x.x is an IP address) – system-config-securitylevel does not support filtering by source or destination computer (for some reason)

    The workaround I found for this is to:
    1) create a file called /etc/sysconfig/iptables-custom
    2) add the rule to the file. If you need a template for adding rules, look at your /etc/sysconfig/iptables file to see your existing rules
    3) edit /etc/init.d/iptables
    In the start() function there should be a line that says something like this:
    "$IPTABLES-restore $OPT $IPTABLES_DATA"
    This means to restore the rules from /etc/sysconfig/iptables
    BELOW THIS RULE add a line that says
    "$IPTABLES-restore -n < /etc/sysconfig/iptables-custom"
    The -n option is important. Without it, you would overwrite all other rules and ONLY have the rules in iptables-custom (meaning system-config-securitylevel wouldn't work any more as it would edit an unused file)

    The one thing to keep in mind is that updating/reinstalling iptables will likely rewrite /etc/init.d/iptables, removing the line that adds iptables-custom

  • Debianero April 4, 2011, 12:49 am

    If you are using Debian Linux open /etc/network/interfaces…

    No! In Debian you must save your rules in

    /etc/network/if-pre-up.d/iptables

    this

    #!/bin/bash
    /sbin/iptables-restore < /etc/iptables.up.rules

    That’s, of course, if you’re using bash and have saved the rules in this way

    iptables-save > /etc/iptables.up.rules
  • Jack Wade August 31, 2012, 7:43 pm

    Debian/Ubuntu has a package named iptables-persistent that handles iptables-restore/iptables-save based on /etc/iptables/rules

    A lot more elegant compared to making post interface-up scripts or a custom init script, imho.

  • robert November 3, 2012, 4:06 pm

    Hi, I want to ask: I set up my iptables on Mandriva 2011 and also saved it using /sbin/service iptables save. The problem is that when my laptop restarts the rules are gone. Can anyone help me?

  • sachin December 6, 2012, 1:01 pm

    see /etc/sysconfig/iptables-config for autosave of rules after firewall or machine restart

  • Anton December 6, 2012, 4:51 pm

    I have a CentOS system and have this same problem. I have input a lot to iptables, but when it restarts, all my iptables INPUT rules are gone. I was using the command "service iptables save".

    I am confused .. so which one should I use next time?

    # /etc/init.d/iptables save
    or
    # /sbin/service iptables save

    Are those 2 commands the same? Which one should I choose so that the next time I restart my VPS, my iptables rules still remain? Please help.

  • Anton December 24, 2012, 5:32 pm

    I want to export iptables rules from machine A to machine B.

    I have dumped the current iptables rules from machine A with:
    $ iptables-save > iptables.rules

    But at the bottom of the file the firewall configuration from machine A is also attached. Do I just have to change the "Chain acctboth" configuration on machine B?

    Or is there a better way to export iptables rules? I just want to export the INPUT rules.

    Thanks.

    • Gabe September 17, 2014, 7:04 pm

      You could try: iptables-save | grep -e '^-A INPUT' > test.txt
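
Added example, not part of the comment thread: filtering `-A INPUT` lines out of a dump gives bare rules from every table that has an INPUT chain, whereas iptables-restore expects a table header, the chain declaration and a closing COMMIT. This shell/awk sketch builds such a fragment for one chain of one table and lists, as comment lines, the other chains its rules jump to. `sample_dump` and `extract_chain` are names made up here, and the sample dump (using the `acctboth` chain name from the question) is constructed.

```shell
#!/bin/sh
# Added example (not from the thread).
# sample_dump: constructed input in iptables-save format.
sample_dump() {
    cat <<'EOF'
# constructed sample, not captured from a real host
*mangle
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -j MARK --set-xmark 0x1/0xffffffff
COMMIT
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:acctboth - [0:0]
-A INPUT -j acctboth
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -j acctboth
COMMIT
EOF
}

# extract_chain TABLE CHAIN < dump
# Prints a loadable fragment: "*TABLE", the chain declaration, its -A rules,
# "COMMIT". Chains of the same table that the rules jump to are listed first
# as "# requires chain: NAME" comment lines, since they must already exist on
# the target host. Returns 1 if CHAIN is not declared in TABLE.
extract_chain() {
    awk -v table="$1" -v chain="$2" '
        /^\*/     { in_table = ($0 == ("*" table)); next }
        !in_table { next }
        /^:/      { name = substr($1, 2); declared[name] = 1
                    if (name == chain) decl = $0
                    next }
        $1 == "-A" && $2 == chain {
                    rules[++n] = $0
                    for (i = 3; i < NF; i++)
                        if ($i == "-j" || $i == "-g") target[$(i + 1)] = 1 }
        END {
            if (decl == "") exit 1
            for (t in target)
                if (t in declared) print "# requires chain: " t
            print "*" table
            print decl
            for (i = 1; i <= n; i++) print rules[i]
            print "COMMIT"
        }
    '
}
```

With a real dump, `extract_chain filter INPUT < iptables.rules > input.rules` writes the fragment; loading it on the other machine with `iptables-restore -n < input.rules` keeps that machine's existing rules, as the -n option described in the earlier comment does. The chain declaration line carries machine A's policy for the chain, so review it before loading.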

  • callum March 9, 2014, 5:25 am

    Hi there, I tried this guide but it did not keep settings after a reboot. I am using an Asus N56U. Any ideas? Thanks

    • Nix Craft March 9, 2014, 10:34 am

      Asus N56U comes with either default firmware or 3rd party firmware such as DD-WRT. Due to the flash module disk size limit, these commands may not work on tiny embedded devices. See your firmware documentation for firewall rules.

  • Rob January 27, 2015, 3:36 pm

    Worked on CENTOS 6.6 x86_64 virtuozzo, WHM 11.46.2 (build 4) – thank you!
