Save and restore iptables over reboot (making it persistent) using upstart

As you may already know, the iptables configuration disappears after a reboot. My solution below is to create two scripts, run on shutdown and on startup, to save and restore the iptables rules.

Xubuntu / Ubuntu 9.04 and below

You’ll need to log in as root ("su"), then go to "/etc/event.d" and create the following two files (name them whatever you want):

/etc/event.d/iptables_save

# Save the iptables entries on shutdown

start on runlevel 0	# Shutdown
start on runlevel 6	# Reboot

script
	SCRIPTDIR="/var/tmp/sys"
	SCRIPT="iptable_rules.txt"
	if ! test -d "$SCRIPTDIR"; then mkdir -p "$SCRIPTDIR"; fi
	iptables-save > "$SCRIPTDIR/$SCRIPT"
end script

/etc/event.d/iptables_restore

# Restores the iptables entries on startup / create secure default if file not present

# Debian doesn't distinguish between 2 --> 5, i.e. == 2
start on runlevel 2

script
	SCRIPTDIR="/var/tmp/sys"
	SCRIPT="iptable_rules.txt"
	if test -f "$SCRIPTDIR/$SCRIPT"; then
		iptables-restore < "$SCRIPTDIR/$SCRIPT"
	else
		# Block * incoming, allow associated outgoing connections
		
		# Flushes all chains
		iptables -F
		# Delete all chains
		iptables -X
		
		# Default policies
		iptables -P INPUT DROP
		iptables -P FORWARD DROP
		iptables -P OUTPUT DROP
		
		# Allow related connections - new connections are allowed in following block
		iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
		iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
		iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
		
		# Allow new connections be made - Allow localhost --> any
		iptables -A OUTPUT  -m state --state NEW -j ACCEPT
	fi
end script

The second part of iptables_restore restores a set of secure(ish) default rules (as opposed to iptables’ default of allowing everything…) if no saved rules exist. Replace it with your own defaults if mine suck (and drop me a comment saying why!).

Please evaluate the script before using it – I’ve only tried this on my Xubuntu 8.04 setup.

As usual, if you have any suggestions / comment about this, I would love to hear from you!

Just in case you are interested, here’s a great article on linux.com on upstart:
http://www.linux.com/feature/125977

--- Update (2010-03-02 @ 09:26:50) ---

Xubuntu / Ubuntu 9.10

It seems that upstart has changed slightly in Xubuntu 9.10. Configuration files are now under /etc/init and named with a ".conf" suffix.

/etc/init/iptables_save.conf

# Save the iptables entries on shutdown

start on runlevel [06]	# 0=Shutdown, 6=Reboot

script
	SCRIPTDIR="/var/tmp/sys"
	SCRIPT="iptable_rules.txt"
	if ! test -d "$SCRIPTDIR"; then mkdir -p "$SCRIPTDIR"; fi
	iptables-save > "$SCRIPTDIR/$SCRIPT"
end script

/etc/init/iptables_restore.conf

# Restores the iptables entries on startup / create secure default if file not present

# Debian doesn't distinguish between 2 --> 5, i.e. == 2
start on runlevel 2

script
	SCRIPTDIR="/var/tmp/sys"
	SCRIPT="iptable_rules.txt"
	if test -f "$SCRIPTDIR/$SCRIPT"; then
		iptables-restore < "$SCRIPTDIR/$SCRIPT"
	else
		# Block * incoming, allow associated outgoing connections
		
		# Flushes all chains
		iptables -F
		# Delete all chains
		iptables -X
		
		# Default policies
		iptables -P INPUT DROP
		iptables -P FORWARD DROP
		iptables -P OUTPUT DROP
		
		# Allow related connections - new connections are allowed in following block
		iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
		iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
		iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
		
		# Allow new connections be made - Allow localhost --> any
		iptables -A OUTPUT  -m state --state NEW -j ACCEPT
	fi
end script
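As an added example (my own code, not the post's), here is a single helper script that both upstart jobs, the 9.04 and the 9.10 variant alike, could exec instead of carrying the logic inline. It keeps the post's save/restore approach and its fallback rules, and adds the checks I would want before root feeds a file to iptables-restore at boot: the rules live in a root-owned directory (I assume /etc/iptables; the post's /var/tmp/sys sits under a world-writable directory, and the saving job only creates it at shutdown), the file must be a regular file owned by the running user with no group or world write bit, it must look like iptables-save output, and it must parse under iptables-restore --test (assumed to be available; modern versions have it). Only then is it applied; otherwise the post's defaults go in. The IPTABLES, IPTABLES_SAVE and IPTABLES_RESTORE variables are my addition so the decision logic can be exercised with stand-ins, without root or a real firewall.

```sh
#!/bin/sh
# Added example (not code from the original post): one helper script that both
# upstart jobs can exec, with checks the inline jobs lack. Assumptions (mine,
# not the post's):
#  - rules are kept in /etc/iptables (root-owned, mode 700) rather than under
#    /var/tmp, whose parent directory is world-writable;
#  - IPTABLES, IPTABLES_SAVE and IPTABLES_RESTORE may point at stand-ins so the
#    logic can be exercised without root or a real firewall;
#  - iptables-restore accepts --test (parse without applying); modern versions do.

RULES_DIR="${RULES_DIR:-/etc/iptables}"
RULES_NAME="iptable_rules.txt"

# rules_file_ok FILE: return 0 only if FILE is safe to hand to iptables-restore.
rules_file_ok() {
    f="$1"
    # Regular file, owned by the user running this job (root under upstart),
    # with neither the group (020) nor the other (002) write bit set.
    find "$f" -prune -type f -user "$(id -u)" ! -perm -020 ! -perm -002 \
        2>/dev/null | grep -q . || return 1
    # Looks like iptables-save output: a *filter table that is COMMITted.
    grep -q '^\*filter' "$f" || return 1
    grep -q '^COMMIT'   "$f" || return 1
    # Dry run: let iptables-restore parse the file without touching the kernel.
    "${IPTABLES_RESTORE:-iptables-restore}" --test < "$f" >/dev/null 2>&1 || return 1
}

# secure_defaults: the post's fallback ruleset (drop inbound, allow outbound).
secure_defaults() {
    ipt="${IPTABLES:-iptables}"
    "$ipt" -F && "$ipt" -X || return 1
    "$ipt" -P INPUT DROP && "$ipt" -P FORWARD DROP && "$ipt" -P OUTPUT DROP || return 1
    for chain in INPUT OUTPUT FORWARD; do
        "$ipt" -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT || return 1
    done
    "$ipt" -A OUTPUT -m state --state NEW -j ACCEPT
}

# restore_rules: load the saved file if it passes the checks, else fall back.
# Prints "restored" or "defaults" so a log line shows which branch ran.
restore_rules() {
    f="$RULES_DIR/$RULES_NAME"
    if rules_file_ok "$f" && "${IPTABLES_RESTORE:-iptables-restore}" < "$f"; then
        echo restored
    else
        secure_defaults || return 1
        echo defaults
    fi
}

# save_rules: write the current ruleset atomically into a root-only directory.
save_rules() {
    (
        umask 077                                   # dir 700, files 600
        mkdir -p "$RULES_DIR" || exit 1
        tmp=$(mktemp "$RULES_DIR/.rules.XXXXXX") || exit 1
        if "${IPTABLES_SAVE:-iptables-save}" > "$tmp"; then
            mv -f "$tmp" "$RULES_DIR/$RULES_NAME"   # replace in one step
        else
            rm -f "$tmp"
            exit 1
        fi
    )
}

# The upstart jobs would run e.g. `exec /usr/local/sbin/iptables-persist save`
# under "start on runlevel [06]" and `... restore` under "start on runlevel 2".
case "${1:-}" in
    save)    save_rules ;;
    restore) restore_rules ;;
esac
```

With this installed as /usr/local/sbin/iptables-persist (my choice of path), the 9.10-style jobs shrink to `exec /usr/local/sbin/iptables-persist save` under `start on runlevel [06]` and `exec /usr/local/sbin/iptables-persist restore` under `start on runlevel 2`. Because restore_rules prints which branch it took, a quick look at the job's output after boot tells you whether the saved file or the fallback policy is what the box is actually running.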
Posted in Tips.

2 Responses to “Save and restore iptables over reboot (making it persistent) using upstart”

  1. Tony Zuanich Says:

    Used your scripts on Ubuntu 10.0 server, worked very well

  2. Tony Zuanich Says:

    P.S. Used your 9.1 scripts on Ubuntu 10.10 server, worked very well.
