Debian iptables Rules Not Loading from /etc/network/if-pre-up.d: Debugging and Solutions



When implementing iptables persistence on Debian systems, the expected behavior is that the rules saved in /etc/firewall/iptables.rules are loaded automatically while the network interfaces are being initialized. The standard approach is an executable script in /etc/network/if-pre-up.d/, yet, as reported, the rules are not in place after a reboot.

The current implementation appears correct at first glance:

#!/bin/sh
/sbin/iptables-restore < /etc/firewall/iptables.rules
/sbin/ip6tables-restore < /etc/firewall/ip6tables.rules

Several factors could prevent proper execution:

  1. Missing execute permissions: verify with ls -l /etc/network/if-pre-up.d/iptables (the file must be executable, and run-parts also silently skips files whose names contain anything other than letters, digits, underscore and hyphen)
  2. Network manager interference: some Debian installations use NetworkManager, which configures interfaces itself and never runs the ifupdown if-pre-up.d scripts
  3. Boot timing issues: the if-pre-up.d scripts run only at the moment ifupdown raises an interface, so if the interface is not brought up during boot the rules are never restored

Method 1: Systemd Service Unit

Create /etc/systemd/system/iptables-restore.service:

[Unit]
Description=Restore iptables rules
After=network.target
Wants=network.target

[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /etc/firewall/iptables.rules
ExecStart=/sbin/ip6tables-restore /etc/firewall/ip6tables.rules

[Install]
WantedBy=multi-user.target

Because this unit is ordered After=network.target, the rules are applied only once the interfaces are already up, leaving a short window early in boot with no filtering; ordering the unit Before=network-pre.target (as the second unit further down does) closes that gap. Enable the unit with:
systemctl enable iptables-restore.service

Method 2: Package-Based Solution

Install the iptables-persistent package:
apt install iptables-persistent

This creates /etc/iptables/rules.v4 and /etc/iptables/rules.v6, which the netfilter-persistent service loads at boot. Rules currently kept under /etc/firewall/ must be moved into those files, or restored once by hand and then saved with netfilter-persistent save.

To diagnose why the if-pre-up script fails:

  1. Add logging:
    #!/bin/sh
    logger -t iptables-restore "Attempting to restore rules"
    /sbin/iptables-restore < /etc/firewall/iptables.rules || logger -t iptables-restore "IPv4 restore failed"
    /sbin/ip6tables-restore < /etc/firewall/ip6tables.rules || logger -t iptables-restore "IPv6 restore failed"

  2. Check logs post-reboot with:
    journalctl -b | grep iptables-restore

If "Attempting to restore rules" never appears, the script was not invoked at all (permissions, file name, or the interface was never raised by ifupdown). If it appears followed by a failure message, the script ran and it is the rules file that iptables-restore rejected.

The interfaces file shows DHCP configuration. Verify if the interface actually comes up during boot:

systemctl status networking.service
ip a show eth0

If ifupdown never raises the interface (for example because another tool manages it), the if-pre-up.d scripts are never executed.


When configuring iptables persistence on Debian systems, many administrators encounter situations where scripts placed in /etc/network/if-pre-up.d/ don't execute during boot. The specific case involves:

#!/bin/sh
/sbin/iptables-restore < /etc/firewall/iptables.rules
/sbin/ip6tables-restore < /etc/firewall/ip6tables.rules

Several factors could cause this behavior:

  • The script lacks executable permissions (fix with chmod +x /etc/network/if-pre-up.d/iptables)
  • The interface is declared with allow-hotplug instead of auto in /etc/network/interfaces, so networking.service (ifup -a) does not raise it itself
  • Missing network interface dependencies in the script
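
The causes listed here (and in the matching list in the first half of this page) can all be checked before rebooting. The following POSIX shell script is an added example written for this page, not Debian's, ifupdown's or iptables' own tooling; the function names and the rules-file check are assumptions of this example, and the only facts it relies on are run-parts' file-name rule and the iptables-save file layout:

```shell
#!/bin/sh
# Pre-flight checks for an ifupdown firewall script and its rules files.
# Added example for this page; it is not part of Debian, ifupdown or iptables.
# All paths are parameters; the defaults at the bottom are the ones this page uses.

# run-parts(8), which ifupdown uses to execute /etc/network/if-pre-up.d/, only
# runs files whose names consist of ASCII letters, digits, '_' and '-'.
# A script saved as "iptables.sh" is skipped without any error message.
runparts_name_ok() {
    case "$(basename "$1")" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Report every reason the pre-up script would not be run.
# Prints one finding per line; returns 0 only when nothing was found.
check_preup_script() {
    script=$1
    rc=0
    if [ ! -e "$script" ]; then
        echo "missing: $script does not exist"
        return 1
    fi
    if ! runparts_name_ok "$script"; then
        echo "name: $(basename "$script") is ignored by run-parts (use letters, digits, _ and - only)"
        rc=1
    fi
    if [ ! -x "$script" ]; then
        echo "perms: $script is not executable (chmod 755 $script)"
        rc=1
    fi
    first=''
    read -r first < "$script" || true
    case "$first" in
        '#!'*) ;;
        *) echo "shebang: $script does not start with a #! line"; rc=1 ;;
    esac
    return $rc
}

# Structural check of an iptables-save(8) format file, done without iptables:
# every *table block must end with COMMIT, and every -A/-I must name a chain
# declared by a ':CHAIN POLICY [p:b]' or -N line in that table. A truncated
# save (no COMMIT) and a rule for a chain that was never created are the two
# mistakes that make iptables-restore abort the whole file.
check_rules_file() {
    rules=$1
    if [ ! -r "$rules" ]; then
        echo "rules: $rules is missing or unreadable"
        return 1
    fi
    awk '
        /^#/ || /^[ \t]*$/ { next }
        /^\*/ {
            if (table != "") { print "rules: table " table " has no COMMIT"; bad = 1 }
            table = substr($1, 2); split("", chains); next
        }
        /^:/   { chains[substr($1, 2)] = 1; next }
        /^-N / { chains[$2] = 1; next }
        /^COMMIT$/ {
            if (table == "") { print "rules: line " NR ": COMMIT outside any table"; bad = 1 }
            table = ""; next
        }
        /^-[AI] / {
            if (table == "") { print "rules: line " NR ": rule outside any table"; bad = 1 }
            else if (!($2 in chains)) { print "rules: line " NR ": chain " $2 " not declared in table " table; bad = 1 }
            next
        }
        { print "rules: line " NR ": unrecognised line: " $0; bad = 1 }
        END {
            if (table != "") { print "rules: table " table " has no COMMIT"; bad = 1 }
            exit bad + 0
        }
    ' "$rules"
}

# Run all checks for one script and its IPv4/IPv6 rules files.
preup_check_all() {
    status=0
    check_preup_script "$1" || status=1
    check_rules_file "$2" || status=1
    check_rules_file "$3" || status=1
    [ "$status" -eq 0 ] && echo "ok: $1, $2 and $3 look sane"
    return $status
}

# Invoked with arguments it checks those paths; the defaults are this page's.
# Example: sh preup-check.sh /etc/network/if-pre-up.d/iptables
if [ "$#" -gt 0 ]; then
    preup_check_all "$1" "${2:-/etc/firewall/iptables.rules}" "${3:-/etc/firewall/ip6tables.rules}"
fi
```

The structural check deliberately stays offline so it can run on a workstation before the file is copied to the server; on the server itself, iptables-restore --test < /etc/firewall/iptables.rules performs the full parse that the awk pass only approximates.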

Solution 1: Use a Systemd Service (Modern Approach)

# /etc/systemd/system/iptables.service
[Unit]
Description=Packet Filtering Framework
Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /etc/iptables/rules.v4
ExecStart=/sbin/ip6tables-restore /etc/iptables/rules.v6

[Install]
WantedBy=multi-user.target

Adjust the ExecStart paths if the rules live under /etc/firewall/ rather than /etc/iptables/, then run:

systemctl enable iptables.service
systemctl start iptables.service

Solution 2: Modify Network Configuration

# Change in /etc/network/interfaces: replace "allow-hotplug eth0" with "auto eth0"
auto eth0
iface eth0 inet dhcp

To verify if the script executes:

# Add debugging to your script
#!/bin/sh -x
logger "iptables-pre-up started"
/sbin/iptables-restore < /etc/firewall/iptables.rules || logger "iptables restore failed"
/sbin/ip6tables-restore < /etc/firewall/ip6tables.rules || logger "ip6tables restore failed"

Check logs with:

journalctl -xe
# or, if rsyslog is installed:
grep iptables /var/log/syslog
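
To turn the journal grep from this step, and the logger -t iptables-restore variant from the first half of the page, into a single verdict, here is an added example written for this page rather than anything shipped with Debian or systemd. It assumes only the log messages used by the two debugging scripts above and systemd's "Raise network interfaces" description of Debian's networking.service; the journal excerpt in sample_journal is constructed, not captured from a real host:

```shell
#!/bin/sh
# Classify the outcome of the logging pre-up script from journal output.
# Added example for this page; not part of Debian or systemd. It recognises
# the messages of both logging variants shown on this page (tagged
# "iptables-restore", and the untagged "iptables-pre-up started" form) plus
# systemd's start message for Debian's networking.service
# ("Raise network interfaces"), and prints exactly one verdict.
classify_restore_log() {
    awk '
        /Raise network interfaces/                                 { networking = 1 }
        /Attempting to restore rules/ || /iptables-pre-up started/ { started = 1 }
        /IPv4 restore failed/ || /iptables restore failed/         { v4 = 1 }
        /IPv6 restore failed/ || /ip6tables restore failed/        { v6 = 1 }
        END {
            # ifupdown never ran: look at interfaces(5) (auto vs allow-hotplug) or NetworkManager
            if (!networking && !started) print "networking-not-started"
            # interface raised but the script was skipped: permissions or run-parts file name
            else if (!started)           print "not-invoked"
            else if (v4 && v6)           print "both-failed"
            else if (v4)                 print "ipv4-failed"
            else if (v6)                 print "ipv6-failed"
            else                         print "ok"
        }'
}

# Constructed journal excerpt (not real output from any host) in the format
# produced by journalctl -b: the script ran and only the IPv6 restore failed.
sample_journal() {
    cat <<'EOF'
Jan 10 08:01:01 deb systemd[1]: Starting Raise network interfaces...
Jan 10 08:01:02 deb iptables-restore[512]: Attempting to restore rules
Jan 10 08:01:02 deb iptables-restore[514]: IPv6 restore failed
Jan 10 08:01:03 deb dhclient[600]: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3
Jan 10 08:01:04 deb systemd[1]: Finished Raise network interfaces.
EOF
}

# Usage on a real system after a reboot:
#   journalctl -b | classify_restore_log
# Stand-alone demonstration on the constructed excerpt above:
sample_journal | classify_restore_log   # prints: ipv6-failed
```

The verdicts map directly onto the causes discussed on this page: "networking-not-started" points at the interfaces file or NetworkManager, "not-invoked" at the script's permissions or name, and the "-failed" verdicts at the rules files themselves.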

For Debian-based systems, the iptables-persistent package handles this:

apt install iptables-persistent
# After installation:
netfilter-persistent save
netfilter-persistent reload