Posts Tagged ‘iptables changes’

Saving Changes for iptables

May 26, 2009 4 comments

Whenever you make a change to your firewall, on a Fedora/CentOS type system, you will want to save the changes.

The output can be redirected to a file.

# iptables-save > /root/firewall-rules
The following command line restores all rules from /root/firewall-rules assuming that the file /root/firewall-rules exists.

# iptables-restore < /root/firewall-rules

By default, iptables-restore deletes all existing rules before restoring the saved rules. If the saved rules are to be appended to existing rules, use the -n or –noflush option.

Save Your Firewall and Load on Restart

You will need to edit the /etc/sysconfig/iptables-config as root to help iptables save and reload your firewall correctly. Be sure the following settings are changed to “yes”.

# Unload modules on restart and stop
# Value: yes|no, default: yes
# This option has to be ‘yes’ to get to a sane state for a firewall
# restart or stop. Only set to ‘no’ if there are problems unloading netfilter
# modules.

# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).

# Save current firewall rules on restart.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.

iptables Configuration Files

CentOS and other Red Hat based distributions set iptables rules in /etc/sysconfig/iptables, which may be generated by redirecting the output of iptables-save as follows.

# iptables-save > /etc/sysconfig/iptables
The rules are automatically restored by the script /etc/init.d/iptables at startup. No modification to /etc/init.d/iptables is required.

Note that Red Hat based distributions place iptables and related executables in /sbin, not in /usr/sbin.

iptables is not a daemon but it does load rules into memory. This means that rules will not be persistent over a restart. However, if you do the save command it will save the currently loaded rules into a file called: /etc/sysconfig/iptables

service iptables save