How to Properly Start, Stop, and Manage iptables Firewall Service on Ubuntu Linux

Many Ubuntu users coming from other Linux distributions get confused when trying to manage iptables as a service. The error message "unrecognized service" occurs because Ubuntu doesn't treat iptables as a traditional service like some other distributions do.

On Ubuntu 16.04 and later, iptables rules are managed through these primary methods instead:

# View current iptables rules
sudo iptables -L -n -v
sudo iptables -S  # Shows rules in command format

# Flush all rules (temporary until reboot)
sudo iptables -F

# Save current rules to make them persistent
sudo netfilter-persistent save

# Reload saved rules
sudo netfilter-persistent reload

To properly manage iptables rules that persist across reboots:

# Install persistence package if not present
sudo apt install iptables-persistent

# During installation, it will ask to save current rules
# To manually save rules later:
sudo netfilter-persistent save

# To load saved rules:
sudo netfilter-persistent reload

Ubuntu's Uncomplicated Firewall (ufw) provides a simpler interface:

# Enable ufw
sudo ufw enable

# Check status
sudo ufw status verbose

# Add a rule (e.g., allow SSH)
sudo ufw allow 22/tcp

# Disable ufw
sudo ufw disable

If you're having trouble with iptables not behaving as expected:

  1. Check if ufw is running (conflicts with direct iptables usage)
  2. Verify that the iptables-persistent package is installed
  3. Ensure rules are saved properly before rebooting

For complex setups, create and manage your own iptables scripts:

#!/bin/bash
# Basic firewall script example
iptables -F                                          # clear the existing rules in the filter table
iptables -A INPUT -i lo -j ACCEPT                    # always allow loopback traffic
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT   # replies to connections this host opened
iptables -A INPUT -p tcp --dport 22 -j ACCEPT        # SSH (keep this before the DROP policy below)
iptables -P INPUT DROP                               # default: drop unsolicited inbound traffic
iptables -P FORWARD DROP                             # this host does not route
iptables -P OUTPUT ACCEPT                            # outbound traffic stays open

Save this as firewall-rules.sh, make it executable (chmod +x), and run it with sudo. Remember to save the rules afterward.


Many Ubuntu users coming from other Linux distributions often get confused when trying to manage iptables. Unlike CentOS/RHEL systems where iptables runs as a standalone service, Ubuntu handles firewall rules differently.

The error "unrecognized service" occurs because modern Ubuntu versions don't use a traditional iptables service. Instead, they use:

1. netfilter-persistent (for saving rules)
2. ufw (Uncomplicated Firewall) as frontend
3. Direct iptables commands

Method 1: Using iptables Directly

To flush all rules in the filter, nat and mangle tables, delete user-defined chains, and reset the default policies to ACCEPT (temporary, lost at reboot):

sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT

Method 2: Using netfilter-persistent

For systems with iptables-persistent package:

# Save current rules
sudo netfilter-persistent save

# Reload saved rules
sudo netfilter-persistent reload

# Restart the service: reloads the saved rule files (the files themselves are not changed)
sudo systemctl restart netfilter-persistent

Method 3: Using UFW (Recommended)

Ubuntu's default firewall management tool:

# Disable firewall
sudo ufw disable

# Enable firewall
sudo ufw enable

# Reset ufw to installation defaults (disables it and removes all rules)
sudo ufw reset

After modifying rules with direct iptables commands, save them permanently:

# Run the redirection as root: a plain "sudo iptables-save > file" opens the
# file as your own user and fails with "Permission denied"
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
sudo sh -c 'ip6tables-save > /etc/iptables/rules.v6'

If rules don't persist after reboot:

# Install persistence package
sudo apt install iptables-persistent

# During installation, choose to save current rules
# Make sure the service is enabled so the saved rules load at boot
sudo systemctl enable netfilter-persistent

Remember that modern Ubuntu systems (20.04+) often use nftables as the backend while keeping the iptables command syntax (iptables-nft). For new deployments, consider learning nftables syntax.
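The troubleshooting list earlier on the page says to make sure rules are saved properly before rebooting, and the save commands above write the rule set to /etc/iptables/rules.v4. The following POSIX sh helper, added here and not part of the original page, checks both points before a reboot: that the saved file still matches the running rule set (so a forgotten "netfilter-persistent save" is caught), and that a rule file with a DROP policy on INPUT keeps loopback, established connections and the admin SSH port open so loading it does not cut off the session. The sample dumps, the file names saved.v4, running.v4 and risky.v4, and the function names are constructed for this example; only the /etc/iptables/rules.v4 path and the iptables-save format come from the page.

```shell
#!/bin/sh
# Added example (not from the original page): pre-reboot checks for a host
# whose firewall rules are kept in /etc/iptables/rules.v4.
#   saved_matches_running  - the saved file and the live rule set agree
#   lockout_check          - a DROP policy on INPUT is paired with the rules
#                            that keep an admin session alive
# The sample dumps below are constructed to look like iptables-save output.

# Strip the parts of an iptables-save dump that legitimately differ between
# two dumps of the same rules: the timestamp comments and the packet/byte
# counters (on chain lines and, with "iptables-save -c", on rule lines).
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/ \[[0-9]*:[0-9]*\]$//' \
        -e 's/^\[[0-9]*:[0-9]*\] //'
}

# Usage: saved_matches_running SAVED_FILE [RUNNING_DUMP]
# Without a second argument the live rules come from iptables-save (needs
# root); with one, that file stands in for the live rules.
saved_matches_running() {
    a=$(mktemp); b=$(mktemp)
    normalize_rules < "$1" > "$a"
    if [ -n "$2" ]; then
        normalize_rules < "$2" > "$b"
    else
        iptables-save | normalize_rules > "$b"
    fi
    if cmp -s "$a" "$b"; then rc=0; else rc=1; fi
    rm -f "$a" "$b"
    return $rc
}

# Usage: lockout_check RULE_FILE [ADMIN_PORT]
# Returns 0 when the file is safe to load over a remote session: either the
# INPUT policy is not DROP, or the chain explicitly accepts loopback traffic,
# packets of established connections, and TCP to the admin port (default 22).
lockout_check() {
    file="$1"; port="${2:-22}"
    policy=$(sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p' "$file")
    [ "$policy" = "DROP" ] || return 0
    grep -q -- '^-A INPUT -i lo -j ACCEPT' "$file" || return 1
    grep -q -- '^-A INPUT -m conntrack --ctstate .*ESTABLISHED.* -j ACCEPT' "$file" || return 1
    grep -q -- "^-A INPUT -p tcp .*--dport $port -j ACCEPT" "$file" || return 1
    return 0
}

# Write constructed sample dumps into directory $1 (example data, not output
# from a real host): saved.v4 and running.v4 hold the same rules with
# different counters; risky.v4 drops by default but only opens port 80.
write_sample_rules() {
    cat > "$1/saved.v4" <<'EOF'
# Generated by iptables-save v1.8.7 on Mon Jan  1 00:00:00 2024
*filter
:INPUT DROP [12:960]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [340:27200]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Jan  1 00:00:00 2024
EOF
    # The same rules as the live host would show later: only counters and timestamps differ.
    sed -e 's/\[12:960\]/[57:4104]/' -e 's/00:00:00/06:30:00/' "$1/saved.v4" > "$1/running.v4"
    # A rule set that would cut off an SSH session when loaded.
    sed -e 's/--dport 22/--dport 80/' "$1/saved.v4" > "$1/risky.v4"
}

# Run both checks against the constructed files (no root needed).
demo() {
    dir=$(mktemp -d)
    write_sample_rules "$dir"
    if saved_matches_running "$dir/saved.v4" "$dir/running.v4"; then
        echo "saved.v4 matches the running rules"
    fi
    if ! lockout_check "$dir/risky.v4"; then
        echo "risky.v4 would drop port 22: fix it before loading it or rebooting"
    fi
    rm -rf "$dir"
}

demo
```

On a real host, run the checks as root against the saved file itself: `lockout_check /etc/iptables/rules.v4 && saved_matches_running /etc/iptables/rules.v4`; a non-zero exit from the second means the running rules were changed after the last save.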