iptables is a powerful tool to help configure access to various ports on your computer or server. It provides the level of control that makes it possible to configure what network traffic is permitted or denied to the system.
The main quirk about iptables is that, by default, its configuration does not persist after a reboot. After configuring your system's iptables rules, there is one more important step that you must take in order to make sure the rules are still there after a reboot.
In this tutorial, you will see how to make iptables rules persistent after reboot on Ubuntu and CentOS based systems.
Before we start, make sure that you already have some rules configured on your system. In particular, this tutorial assumes that you have configured the rules with iptables. To see a list of rules, type:
$ sudo iptables -L
This should display the current state of all the accept and drop rules you have configured on your system. In a later tutorial we will do a deep dive into how to configure your iptables rules.
Chain INPUT (policy ACCEPT)
target                    prot opt source      destination

Chain FORWARD (policy DROP)
target                    prot opt source      destination
DOCKER-USER               all  --  anywhere    anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere    anywhere
ACCEPT                    all  --  anywhere    anywhere    ctstate RELATED,ESTABLISHED
DOCKER                    all  --  anywhere    anywhere
ACCEPT                    all  --  anywhere    anywhere
ACCEPT                    all  --  anywhere    anywhere
ACCEPT                    all  --  anywhere    anywhere    ctstate RELATED,ESTABLISHED
DOCKER                    all  --  anywhere    anywhere
ACCEPT                    all  --  anywhere    anywhere
ACCEPT                    all  --  anywhere    anywhere
ACCEPT                    all  --  anywhere    anywhere    ctstate RELATED,ESTABLISHED
DOCKER                    all  --  anywhere    anywhere
ACCEPT                    all  --  anywhere    anywhere
ACCEPT                    all  --  anywhere    anywhere

Chain OUTPUT (policy ACCEPT)
target                    prot opt source      destination

Chain DOCKER (3 references)
target                    prot opt source      destination
ACCEPT                    tcp  --  anywhere    172.16.238.100  tcp dpt:domain
ACCEPT                    udp  --  anywhere    172.16.238.100  udp dpt:domain

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target                    prot opt source      destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere    anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere    anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere    anywhere
RETURN                    all  --  anywhere    anywhere

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target                    prot opt source      destination
DROP                      all  --  anywhere    anywhere
DROP                      all  --  anywhere    anywhere
DROP                      all  --  anywhere    anywhere
RETURN                    all  --  anywhere    anywhere

Chain DOCKER-USER (1 references)
target                    prot opt source      destination
RETURN                    all  --  anywhere    anywhere
Save iptables rules on Ubuntu
In order to make your iptables rules persistent after reboot, install the iptables-persistent package using the apt package manager.
Any currently listed iptables rules will be saved to the corresponding IPv4 and IPv6 files below:
/etc/iptables/rules.v4
/etc/iptables/rules.v6
To update the persistent rules, first add the new rules to the running system with the iptables command as usual. Then, to make the changes permanent across reboots, write the current rulesets to the files with iptables-save and ip6tables-save:
$ sudo iptables-save > /etc/iptables/rules.v4
$ sudo ip6tables-save > /etc/iptables/rules.v6
To remove persistent iptables rules, open the relevant /etc/iptables/rules.v* file and delete the lines containing the unwanted rules. Note that editing the file does not change the rules currently loaded in the kernel; it only changes what is restored at the next boot.
Save iptables rules on CentOS systems
In order to make your iptables rules persistent after reboot, install the iptables-services package using the dnf package manager:
$ sudo dnf install iptables-services
Any currently loaded iptables rules will be saved to the corresponding IPv4 and IPv6 files below:
/etc/sysconfig/iptables
/etc/sysconfig/ip6tables
Make sure that you stop and disable firewalld, then start and enable the iptables service in systemd, so that only one service manages the ruleset:
$ sudo systemctl stop firewalld
$ sudo systemctl disable firewalld
$ sudo systemctl start iptables
$ sudo systemctl enable iptables
You can then make sure that the service is running with the following command:
$ sudo systemctl status iptables
To update the persistent rules, first add the new rules to the running system with the iptables command as usual. Then, to make the changes permanent across reboots, write the current rulesets to the files with iptables-save and ip6tables-save:
$ sudo iptables-save > /etc/sysconfig/iptables
$ sudo ip6tables-save > /etc/sysconfig/ip6tables
To remove persistent iptables rules, open the relevant /etc/sysconfig/iptables or /etc/sysconfig/ip6tables file and delete the lines containing the unwanted rules. As on Ubuntu, this only changes what is restored at the next boot, not the rules currently loaded in the kernel.
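Both the Ubuntu and CentOS procedures above depend on the administrator remembering to rerun iptables-save after every change: a rule added live but never saved silently disappears at the next reboot, and a rules file edited by hand may no longer parse. The POSIX shell script below is an added example, not part of the original tutorial, that compares a live dump against the persisted file after stripping the timestamps and counters that differ on every dump, and validates a fresh dump with iptables-restore --test before replacing the file. It assumes the persisted file is /etc/iptables/rules.v4 (Ubuntu) or /etc/sysconfig/iptables (CentOS); the sample rulesets embedded in it are constructed, not taken from a real host.

```shell
#!/bin/sh
# Detect drift between the live iptables ruleset and the persisted rules file.
# Both are in iptables-save format. Comment lines carry timestamps and chain
# lines carry [packets:bytes] counters, so they are stripped before comparing.

# normalize_ruleset FILE: print FILE without comments, counters or blank lines.
normalize_ruleset() {
    grep -v '^#' "$1" | sed 's/ \[[0-9]*:[0-9]*\]$//' | grep -v '^$'
}

# ruleset_drift LIVE SAVED: return 0 when the rulesets match after
# normalization, 1 when they differ (the unified diff is printed on stdout).
ruleset_drift() {
    _live=$(mktemp) && _saved=$(mktemp) || return 2
    normalize_ruleset "$1" > "$_live"
    normalize_ruleset "$2" > "$_saved"
    if diff -u "$_saved" "$_live"; then _rc=0; else _rc=1; fi
    rm -f "$_live" "$_saved"
    return $_rc
}

# save_rules_checked DEST: dump the live IPv4 rules, verify the dump parses,
# then replace DEST atomically. Needs root and the iptables tools; not run here.
save_rules_checked() {
    iptables-save > "$1.tmp" && iptables-restore --test "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample dumps (not output from a real host): SAVED_RULES stands in
# for the persisted file, LIVE_RULES for a later 'iptables-save' of the same
# policy (new timestamp and counters only), so the two must compare equal.
SAVED_RULES='# Generated by iptables-save v1.8.7 on Mon Jan  1 10:00:00 2024
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Jan  1 10:00:00 2024'
LIVE_RULES=$(printf '%s\n' "$SAVED_RULES" | sed 's/\[0:0\]/[1234:56789]/; s/10:00:00/11:30:00/')

# Usage on a real host: sudo iptables-save > /tmp/live.v4 and then
#   ruleset_drift /tmp/live.v4 /etc/iptables/rules.v4 || echo "unsaved changes!"
```

Run the drift check from cron or a configuration-management agent so that a ruleset changed on the box but never saved is noticed before the next reboot undoes it.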
Conclusion
In this article, we saw how to make iptables firewall rules persistent after a reboot on DEB and RPM based Linux distributions. Many systems these days have their own iptables front end, such as firewalld or ufw, which make the firewall more user friendly and also save your rules by default.