How to Properly Start, Stop, and Manage iptables Firewall Service on Ubuntu Linux



Many Ubuntu users coming from other Linux distributions get confused when trying to manage iptables as a service. The error message "unrecognized service" occurs because Ubuntu doesn't treat iptables as a traditional service like some other distributions do.

Since Ubuntu 16.04, iptables rules are managed through these primary methods:

# View current iptables rules
sudo iptables -L -n -v
sudo iptables -S  # Shows rules in command format

# Flush all rules (temporary until reboot)
sudo iptables -F

# Save current rules to make them persistent
sudo netfilter-persistent save

# Reload saved rules
sudo netfilter-persistent reload

To properly manage iptables rules that persist across reboots:

# Install persistence package if not present
sudo apt install iptables-persistent

# During installation, it will ask to save current rules
# To manually save rules later:
sudo netfilter-persistent save

# To load saved rules:
sudo netfilter-persistent reload

Ubuntu's Uncomplicated Firewall (ufw) provides a simpler interface:

# Enable ufw
sudo ufw enable

# Check status
sudo ufw status verbose

# Add a rule (e.g., allow SSH)
sudo ufw allow 22/tcp

# Disable ufw
sudo ufw disable

If you're having trouble with iptables not behaving as expected:

  1. Check if ufw is running (conflicts with direct iptables usage)
  2. Verify that the iptables-persistent package is installed
  3. Ensure rules are saved properly before rebooting

For complex setups, create and manage your own iptables scripts:

#!/bin/bash
# Basic firewall script example
iptables -F                                  # start from an empty ruleset
iptables -A INPUT -i lo -j ACCEPT            # loopback traffic
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT   # replies to our own connections
iptables -A INPUT -p tcp --dport 22 -j ACCEPT                           # inbound SSH
iptables -P INPUT DROP                       # set default policies last, after the allow rules are in place
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

Save this as firewall-rules.sh, make it executable (chmod +x), and run it with sudo. Remember to save the rules afterward.
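Running `iptables` commands one by one, as in the script above, changes the ruleset in several steps. An added example, not code from the original article, shows the same policy written in the format `iptables-restore` reads, so the whole filter table is replaced in one atomic operation and the same file can be dropped into /etc/iptables/rules.v4 for netfilter-persistent. The port list, the `/tmp/rules.v4` path and the function names are assumptions chosen for illustration.

```bash
#!/bin/bash
# Added example (not from the original article): build a ruleset in
# iptables-restore format, apply it atomically and persist it.
set -eu

# Emit a complete IPv4 filter-table ruleset.
# $1: space-separated TCP ports to allow inbound (e.g. "22 443")
gen_rules_v4() {
    ports="$1"
    printf '%s\n' '*filter'
    # Default policies: drop unsolicited inbound and forwarded traffic.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host initiated.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Packets conntrack cannot classify are dropped before any port match.
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for p in $ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Number of per-port allow rules in a ruleset file (a quick sanity check).
count_allow_rules() {
    grep -c -e '--dport' "$1"
}

# Write the ruleset to $1, then (as root only) syntax-check it, apply it
# atomically and copy it to where netfilter-persistent reloads it at boot.
apply_and_save() {
    out="$1"; ports="$2"
    gen_rules_v4 "$ports" > "$out"
    if [ "$(id -u)" -eq 0 ]; then
        iptables-restore --test < "$out"              # parse only, kernel untouched
        iptables-restore < "$out"                     # replace the filter table in one step
        install -m 0644 "$out" /etc/iptables/rules.v4 # persisted copy
    fi
}

# Usage: sudo ./gen-firewall.sh "22 80 443"
if [ "${1-}" != "" ]; then
    apply_and_save /tmp/rules.v4 "$1"
fi
```

Because `iptables-restore` replaces the table in a single transaction, there is no moment where the DROP policy is active without the allow rules, and the saved file is exactly what was applied, so nothing is lost at reboot.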


Many Ubuntu users coming from other Linux distributions often get confused when trying to manage iptables. Unlike CentOS/RHEL systems where iptables runs as a standalone service, Ubuntu handles firewall rules differently.

The error "unrecognized service" occurs because modern Ubuntu versions don't use a traditional iptables service. Instead, they utilize:

1. netfilter-persistent (for saving rules)
2. ufw (Uncomplicated Firewall) as frontend
3. Direct iptables commands

Method 1: Using iptables Directly

To flush all rules (temporary):

sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT

Method 2: Using netfilter-persistent

For systems with iptables-persistent package:

# Save current rules
sudo netfilter-persistent save

# Reload saved rules
sudo netfilter-persistent reload

# Restart the service: reloads the saved rules from disk, discarding unsaved runtime changes
sudo systemctl restart netfilter-persistent

Method 3: Using UFW (Recommended)

Ubuntu's default firewall management tool:

# Disable firewall
sudo ufw disable

# Enable firewall
sudo ufw enable

# Reset all rules
sudo ufw reset

After modifying rules with direct iptables commands, save them permanently:

# The redirection must also run as root, otherwise the shell opens /etc/iptables/rules.v4 as your user and fails
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
sudo sh -c 'ip6tables-save > /etc/iptables/rules.v6'

If rules don't persist after reboot:

# Install persistence package
sudo apt install iptables-persistent

# During installation, choose to save current rules
# Make sure the service is enabled so the saved rules are loaded at boot
sudo systemctl enable netfilter-persistent

Remember that modern Ubuntu systems (20.04+) often use nftables as backend while maintaining iptables compatibility. For new deployments, consider learning nftables syntax.
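The troubleshooting checklist earlier (is ufw running, is iptables-persistent installed, were the rules saved before rebooting) and the backend note above both come down to comparing what the kernel is running with what is on disk. An added example, not part of the original article, gives pure-shell helpers for that: `iptables-save` output is normalised by dropping its timestamps and packet counters so the saved and live rulesets can be compared rule for rule, and the backend is read from `iptables -V` (which prints a tag such as `(nf_tables)` on 1.8+ builds). The sample dumps are constructed for the example, and the function names and the `--run` flag are assumptions.

```bash
#!/bin/bash
# Added example (not from the original article): detect rules that were
# changed but never saved, and report which iptables backend is in use.
set -eu

# Drop the parts of iptables-save output that differ on every run:
# '#' comment lines (timestamps) and the [packets:bytes] counters on chain
# lines and on rules dumped with `iptables-save -c`.
normalize_ruleset() {
    grep -v '^#' | sed -e 's/^\[[0-9]*:[0-9]*\] //' -e 's/ \[[0-9]*:[0-9]*\]$//'
}

# Exit 0 if the two dump files contain the same rules.
rulesets_match() {
    a=$(normalize_ruleset < "$1")
    b=$(normalize_ruleset < "$2")
    [ "$a" = "$b" ]
}

# Backend name from `iptables -V` output:
# "iptables v1.8.7 (nf_tables)" -> nf_tables; older builds print no tag.
backend_from_version() {
    case "$1" in
        *nf_tables*) echo nf_tables ;;
        *)           echo legacy ;;
    esac
}

# Constructed sample dumps (not from a real host): identical rules, but the
# counters and timestamps differ as they would between a morning save and the
# live ruleset later that day.
write_sample_dumps() {
    dir="$1"
    printf '%s\n' \
        '# Generated by iptables-save v1.8.7 on Mon Jan  1 08:00:00 2024' \
        '*filter' ':INPUT DROP [10:840]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [55:4120]' \
        '-A INPUT -i lo -j ACCEPT' '-A INPUT -p tcp --dport 22 -j ACCEPT' 'COMMIT' \
        '# Completed on Mon Jan  1 08:00:00 2024' > "$dir/saved.v4"
    printf '%s\n' \
        '# Generated by iptables-save v1.8.7 on Mon Jan  1 17:30:00 2024' \
        '*filter' ':INPUT DROP [9123:771092]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [8051:612330]' \
        '-A INPUT -i lo -j ACCEPT' '-A INPUT -p tcp --dport 22 -j ACCEPT' 'COMMIT' \
        '# Completed on Mon Jan  1 17:30:00 2024' > "$dir/running.v4"
}

# Compare the live ruleset with the persisted one (needs root and iptables).
# Returns 0 when they match, 1 when they differ, 2 when nothing is saved.
check_drift() {
    saved="${1:-/etc/iptables/rules.v4}"
    if [ ! -r "$saved" ]; then
        echo "no saved ruleset at $saved (install iptables-persistent and run 'netfilter-persistent save')"
        return 2
    fi
    running=$(mktemp)
    iptables-save > "$running"
    if rulesets_match "$running" "$saved"; then
        echo "running rules match $saved"; rm -f "$running"; return 0
    fi
    echo "running rules differ from $saved: run 'sudo netfilter-persistent save' before rebooting"
    rm -f "$running"; return 1
}

# Usage: sudo ./fw-check.sh --run
if [ "${1-}" = "--run" ]; then
    echo "backend: $(backend_from_version "$(iptables -V)")"
    command -v ufw >/dev/null && ufw status | head -n 1
    check_drift || true
fi
```

A non-zero result from `check_drift` is the case behind checklist item 3: the rules in the kernel would not survive a reboot until `netfilter-persistent save` is run. The ufw line covers item 1; when ufw is active, its own chains appear in the live dump and will show up as drift against a hand-written rules.v4.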