How to Backup and Restore iptables Rules: A Complete Guide for Linux System Administrators

The most straightforward way to save your iptables rules is using the iptables-save command. This utility dumps all your current rules to stdout, which you can redirect to a file:

sudo iptables-save > /path/to/backup/iptables-backup.rules

For IPv6 rules (if you're using ip6tables):

sudo ip6tables-save > /path/to/backup/ip6tables-backup.rules

To restore from your backup file, use the iptables-restore command:

sudo iptables-restore < /path/to/backup/iptables-backup.rules

For IPv6:

sudo ip6tables-restore < /path/to/backup/ip6tables-backup.rules

For more robust solutions, consider these approaches:

# Save rules together with their packet and byte counters (-c)
sudo iptables-save -c > /path/to/backup/iptables-with-counters.rules

# Save only specific tables
sudo iptables-save -t nat > /path/to/backup/iptables-nat.rules

Create a cron job in root's crontab (iptables-save needs root) to back up your rules daily; make sure the target directory /var/backups/iptables exists first:

# Add to crontab -e
0 3 * * * /sbin/iptables-save > /var/backups/iptables/$(date +\%Y-\%m-\%d).rules

Always verify your backup file contains the expected rules:

less /path/to/backup/iptables-backup.rules

Or count lines as a rough sanity check that nothing was missed (the two commands print different headers and iptables -L covers only the filter table, so compare each count against an earlier known-good run rather than against each other):

sudo iptables -L --line-numbers | wc -l
sudo iptables-save | wc -l

When you've spent hours crafting the perfect iptables firewall rules, the last thing you want is to lose them during a system reboot or misconfiguration. Here's how to preserve your rules:

# Save IPv4 rules
sudo iptables-save > /etc/iptables.rules.v4

# Save IPv6 rules (if used)
sudo ip6tables-save > /etc/iptables.rules.v6

The saved rules file follows a specific structure:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT

Each section starts with a table name (*filter, *nat, *mangle), lists the chains with their default policies and packet/byte counters, then the rules, and ends with COMMIT.
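The following is an added example, not part of the original article, that turns the "count the rules" check above into something more reliable by parsing the dump format just described: it reports chains and rules per table and rejects a dump that is missing a COMMIT (a truncated file restores only part of the firewall). The sample dump it writes is constructed for the demo.

```shell
#!/bin/bash
# Added example (not from the original article): sanity-check an iptables-save
# dump before relying on it as a backup. It parses the format shown above:
#   *table  /  :CHAIN POLICY [packets:bytes]  /  -A rules  /  COMMIT
# Lines beginning with '#' are comments (iptables-save writes a timestamp header).
set -u

# Print one "table chains rules" line per table found in the dump file.
count_rules() {
    awk '
        /^\*/  { t = substr($0, 2); order[++n] = t; chains[t] = 0; rules[t] = 0; next }
        /^:/   { chains[t]++; next }
        /^-A / { rules[t]++; next }
        END    { for (i = 1; i <= n; i++) printf "%s %d %d\n", order[i], chains[order[i]], rules[order[i]] }
    ' "$1"
}

# Exit 0 if the dump holds at least one table and every *table is closed by
# COMMIT; exit 1 otherwise. iptables-restore will not warn you about tables
# that are simply absent from a truncated file.
check_dump() {
    awk '
        /^\*/      { if (open) bad = 1; open = 1; seen = 1; next }
        /^COMMIT$/ { if (!open) bad = 1; open = 0; next }
        END        { exit (bad || !seen || open) ? 1 : 0 }
    ' "$1"
}

# Write a constructed sample dump (values made up for this example) to "$1".
make_sample_dump() {
    cat > "$1" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Demo: a complete dump passes, a dump cut off before the filter COMMIT is rejected.
sample=$(mktemp)
make_sample_dump "$sample"
count_rules "$sample"                     # filter 3 2 / nat 2 1
check_dump "$sample" && echo "complete dump: OK"
head -n 7 "$sample" > "$sample.trunc"    # drops the filter COMMIT and the nat table
check_dump "$sample.trunc" || echo "truncated dump: REJECTED"
rm -f "$sample" "$sample.trunc"
```

Point check_dump and count_rules at the file you wrote with iptables-save; comparing count_rules output before a flush and after a restore is a more meaningful check than raw wc -l.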

To restore rules automatically on boot, have your distribution's preferred mechanism (a systemd unit, an init script, or the iptables-persistent package) run the restore commands at startup:

# Commands to run at boot (e.g. from a systemd unit or init script):
sudo iptables-restore < /etc/iptables.rules.v4
sudo ip6tables-restore < /etc/iptables.rules.v6

For complex setups, consider a small backup script that keeps a rotating set of timestamped dumps:

#!/bin/bash
# Save rules with a timestamp and prune old copies; run as root (e.g. from cron)
set -euo pipefail
BACKUP_DIR=/var/backups/iptables
mkdir -p "$BACKUP_DIR"
iptables-save > "$BACKUP_DIR/iptables-$(date +%Y%m%d-%H%M%S).v4"
# Keep the 7 newest backups; xargs -r avoids running rm with no arguments
ls -t "$BACKUP_DIR"/iptables-*.v4 | tail -n +8 | xargs -r rm -f

Always test your backups. Note that iptables -F removes rules but leaves the chain policies in place, so if your INPUT policy is DROP, run this from a local console or a test VM rather than over SSH:

# Flush current rules
sudo iptables -F
# Restore from backup
sudo iptables-restore < /etc/iptables.rules.v4
# Verify rules
sudo iptables -L -n -v

For more sophisticated management:

  • iptables-persistent package (Debian/Ubuntu)
  • firewalld (RHEL/CentOS)
  • ufw (User-friendly wrapper)