Many sysadmins face the frustrating issue where their carefully configured iptables rules disappear after a reboot. This is particularly common on cloud instances like AWS EC2 where network interfaces behave differently than traditional servers.
The traditional approach of placing scripts in /etc/network/if-pre-up.d/ often fails because:
- Cloud-init may initialize networking before these scripts run
- Network interfaces come up in unpredictable order
- Some AMIs have custom network initialization sequences
Here are several proven methods to persist iptables rules:
Method 1: Using rc.local
Edit /etc/rc.local:
#!/bin/sh -e
#
# rc.local
iptables-restore < /etc/iptables.rules
exit 0
Make it executable:
chmod +x /etc/rc.localMethod 2: Systemd Service
Create /etc/systemd/system/iptables-restore.service:
[Unit]
Description=Restore iptables rules
After=network.target
[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /etc/iptables.rules
[Install]
WantedBy=multi-user.target
Then enable it:
systemctl enable iptables-restore.serviceMethod 3: Network Manager Dispatcher
For systems using NetworkManager:
cat > /etc/NetworkManager/dispatcher.d/99-restore-iptables <<'EOF'
#!/bin/bash
if [ "$1" = "up" ]; then
/sbin/iptables-restore < /etc/iptables.rules
fi
EOF
chmod +x /etc/NetworkManager/dispatcher.d/99-restore-iptables
When working with persistent rules:
- Always test rules before making them persistent
- Use
iptables-save > /etc/iptables.rulesto create a clean rules file - Consider using
iptables-persistentpackage if available - Document your rules with comments in the rules file
If your rules still aren't loading:
- Check system logs:
journalctl -xe - Verify network interface names match your configuration
- Test rules manually before automating
- Consider adding a delay before rule restoration
When working with Amazon EC2 VPC NAT instances running Debian-based AMIs (like ami-1de2d969), administrators often struggle with persisting iptables rules across reboots. The standard Debian approach of using /etc/network/if-pre-up.d/ scripts frequently fails in these cloud environments due to differences in network initialization.
The Amazon EC2 environment has several unique characteristics that affect iptables persistence:
- Network interfaces are managed by cloud-init
- Traditional network initialization scripts might execute too early
- The NAT instance role requires specific rule ordering
After extensive testing on production VPC NAT instances, here are the most reliable approaches:
Method 1: rc.local Approach
While not elegant, this method proves consistently reliable:
#!/bin/bash
iptables-restore < /etc/firewall.conf
exit 0Save this to /etc/rc.local and ensure the file is executable.
Method 2: Systemd Service Unit
For modern Debian systems using systemd:
[Unit]
Description=Restore iptables rules
After=network.target
[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /etc/firewall.conf
[Install]
WantedBy=multi-user.targetSave as /etc/systemd/system/iptables-restore.service and enable with:
systemctl enable iptables-restore.serviceFor production environments, consider this enhanced approach:
#!/bin/bash
# Wait for network interfaces to stabilize
sleep 5
# Flush existing rules
iptables -F
iptables -t nat -F
# Restore persistent rules
iptables-restore < /etc/firewall.conf
# Additional EC2-specific rules
INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
logger "iptables rules restored on instance $INSTANCE_ID"- Verify rule loading with
iptables -L -n -v - Check system logs for errors
- Test reboots using AWS Systems Manager rather than terminating instances
- Consider using AWS Network Firewall for critical rules
When working with iptables on EC2:
- Always maintain a backup SSH session when modifying rules
- Use AWS Session Manager as a fallback access method
- Document rule changes in version control
- Consider Terraform or CloudFormation for infrastructure-as-code management