How to Import and Apply iptables Rules from a File in Linux

When your system administrator hands you a file containing iptables rules (often with extensions like .dat, .rules, or .conf), it typically contains a series of commands that define your firewall's behavior. These rules might look like this:


*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

To import these rules in one command, use:


iptables-restore < /path/to/your/rules/file.dat

This reads the rules from the file and applies them immediately. The < operator redirects the file's content into the iptables-restore command.

If you need to append rules to existing ones rather than replacing them:


iptables-restore -n < /path/to/file.dat

The -n flag prevents counters from being reset.

After loading, check if the rules were applied correctly:


iptables -L -n -v

This displays all current rules with packet/byte counters.

To ensure rules survive reboots:


# For Debian/Ubuntu:
iptables-save > /etc/iptables/rules.v4

# For CentOS/RHEL:
service iptables save

  • Ensure the file has proper permissions (readable by root, and not writable by other users, since whatever it contains becomes your firewall)
  • Check for syntax errors in the rules file first
  • Consider testing rules in a non-production environment

To load only specific chains from a file:


iptables-restore --table filter < filtered_rules.dat

This loads only the filter table rules.


If you just need the magic command your sysadmin used, here it is:

iptables-restore < /path/to/your/rules/file.dat

Or alternatively:

cat /path/to/rules.dat | iptables-restore

When dealing with iptables configurations, there are two main approaches to apply rules from a file:

  • iptables-restore: The proper way to load a complete ruleset (what we'll focus on)
  • Executing as script: When the file contains individual iptables commands

Before applying, check if your file is in the correct format for iptables-restore:

# Example of valid restore format
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT

If your file contains individual commands like this, you'll need to execute it as a script instead:

#!/bin/bash
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

For production systems, consider these safety measures:

# 1. Parse the file without applying anything (exits non-zero on syntax errors)
iptables-restore --test < rules.dat

# 2. Create a backup before applying
iptables-save > /etc/iptables.backup

# 3. Apply on top of the current rules instead of flushing them first
#    (no iptables-restore call survives a reboot on its own)
iptables-restore --noflush < rules.dat

# 4. For permanent application (on most distros): load the rules, then save
#    the live ruleset to the file the distro restores at boot
iptables-restore < rules.dat
iptables-save > /etc/sysconfig/iptables  # or /etc/iptables/rules.v4

If things go wrong:

# View current rules to verify changes
iptables -L -n -v

# Reset to an open (accept-everything) firewall if needed. Set the policies
# to ACCEPT first: flushing while a policy is DROP would cut existing sessions.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F   # flush all rules
iptables -X   # delete user-defined chains
iptables -Z   # zero the counters

# Check for syntax errors in your file
iptables-restore --test < yourfile.dat

For recurring use, create a helper script:

#!/bin/bash
# save as: /usr/local/bin/load-iptables

BACKUP_DIR="/var/backups/iptables"
RULES_FILE="/etc/iptables/rules.v4"

# Snapshot the live ruleset before touching anything, so a failed load can be undone
mkdir -p "$BACKUP_DIR"
BACKUP="$BACKUP_DIR/iptables-$(date +%Y%m%d-%H%M%S).bak"
iptables-save > "$BACKUP"

# Parse only; a syntax error here means nothing has been changed yet
if ! iptables-restore --test < "$RULES_FILE"; then
    echo "ERROR: invalid rules in $RULES_FILE - nothing applied" >&2
    exit 1
fi

if iptables-restore < "$RULES_FILE"; then
    echo "Rules applied successfully"
else
    echo "ERROR: applying rules failed - restoring previous config from $BACKUP" >&2
    iptables-restore < "$BACKUP"
    exit 1
fi

Make it executable with:

chmod +x /usr/local/bin/load-iptables
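The safety measures and helper script above leave one risk unaddressed: a file whose filter table ends in a catch-all REJECT or DROP on INPUT, loaded over SSH, can cut the session that loaded it. The following is an added example, not code from the original page: it checks that every *table block in the file is closed by COMMIT, refuses a filter table that would block the management port before applying, and then applies with a timed rollback. The management port (MGMT_PORT, assumed tcp/22), the marker path /run/iptables-confirm and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: pre-flight checks for a file in
# iptables-restore format, plus an apply step that reverts unless confirmed.
# Assumed: management access is SSH on tcp/22 (MGMT_PORT) and the marker path
# /run/iptables-confirm is our own convention, not a distro one.
MGMT_PORT="${MGMT_PORT:-22}"

# check_structure FILE: each "*table" block must be closed by exactly one COMMIT.
# Returns 0 when balanced, 1 otherwise (iptables-restore rejects such a file).
check_structure() {
    awk '/^\*/      { if (open) bad = 1; open = 1; next }
         /^COMMIT$/ { if (!open) bad = 1; open = 0; next }
         END        { if (bad || open) exit 1 }' "$1"
}

# check_lockout FILE: in the filter table, if INPUT defaults to DROP or carries a
# catch-all "-A INPUT -j DROP|REJECT", an ACCEPT for the management port must
# appear before that catch-all. Returns 0 if safe, 2 if loading the file over
# SSH would cut the session.
check_lockout() {
    awk -v port="$MGMT_PORT" '
        /^\*/                        { table = substr($0, 2) }
        table != "filter"            { next }
        /^:INPUT DROP/               { deny = 1 }
        /^-A INPUT -j (DROP|REJECT)/ { deny = 1; catchall = 1 }
        /^-A INPUT .* -j ACCEPT/ && !catchall {
            for (i = 1; i < NF; i++) if ($i == "--dport" && $(i+1) == port) allow = 1
        }
        END { if (deny && !allow) exit 2 }' "$1"
}

# apply_with_rollback FILE: snapshot the live ruleset, load FILE, and revert to
# the snapshot after 60 s unless the marker is created from a session that still
# works. Needs root and iptables; not exercised by the checks above.
apply_with_rollback() {
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    iptables-restore < "$1" || return 1
    rm -f /run/iptables-confirm
    ( sleep 60; [ -e /run/iptables-confirm ] || iptables-restore < "$backup" ) &
    echo "Applied. Run 'touch /run/iptables-confirm' within 60 s to keep these rules."
}

# Usage: load-check apply FILE   (without arguments only the functions are defined)
if [ "${1:-}" = "apply" ] && [ -r "$2" ]; then
    check_structure "$2" || { echo "unbalanced *table/COMMIT in $2" >&2; exit 1; }
    check_lockout "$2"   || { echo "$2 would block tcp/$MGMT_PORT; refusing" >&2; exit 2; }
    apply_with_rollback "$2"
fi
```

Run it as `load-check apply /path/to/rules.dat` from the SSH session you want to keep; if that session survives, create the marker within 60 seconds, otherwise the previous ruleset comes back on its own.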