Making IPTables Rules Persistent on Ubuntu 16.04 (Xenial)

Boy, I often see some silly tutorials and solutions out there when it comes to Ubuntu. It has been no different when it comes to making IPTables rules persistent after reboots on Ubuntu 16.04 LTS server: it seems people just don't know what the hell they are talking about and certainly don't know how to do things properly.

Here is how to make your IPTables rules persistent across reboots on Ubuntu 16.04 LTS Server.

First, make sure iptables-persistent is installed

sudo apt-get install iptables-persistent netfilter-persistent

When the package setup for iptables-persistent runs, you can answer Yes to both questions so that the current IPv4 and IPv6 rules are saved in /etc/iptables.

Now copy the basic rules below. This IPTables ruleset opens the ports needed for running a web server, SSH and Webmin, and also protects you against a number of common port attacks. It is very basic; my own firewall rules are a lot more complex than this, but I will go into that in another tutorial.

# Generated by iptables-save v1.6.0 on Thu Aug 11 10:31:49 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections already tracked by conntrack
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ICMP: drop address-mask (17) and timestamp (13) requests, rate-limit the rest
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
# Services: SSH (logged), MySQL (logged and tagged), SMTP, DNS, HTTP/HTTPS, Webmin (logged)
-A INPUT -p tcp -m tcp --dport 22 -j LOG --log-prefix "[FW - SSH: ]"
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j LOG --log-prefix "[ FW - PORTSCAN - SQL: ]"
-A INPUT -p tcp -m tcp --dport 3306 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j LOG --log-prefix "[ FW - WEBMIN Accessed: ]"
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
# Malformed and scan-style TCP packets
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
# Port-scan handling: a probe on 139 tags the source address, which is then dropped for 24 hours
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "[IPTABLES - PORTSCAN: ]"
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A INPUT -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
-A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
# Catch-all: keep this as the last rule in the chain, anything appended after it can never match
-A INPUT -j REJECT --reject-with icmp-net-unreachable
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p tcp -m tcp --sport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "[IPTABLES - PORTSCAN: ]"
-A FORWARD -p tcp -m tcp --sport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -m recent --remove --name portscan --mask 255.255.255.255 --rsource
# Catch-all for FORWARD, again last
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
# Catch-all for OUTPUT, again last
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Aug 11 10:31:49 2016
# Generated by iptables-save v1.6.0 on Thu Aug 11 10:31:49 2016
*mangle
:PREROUTING ACCEPT [486:55261]
:INPUT ACCEPT [460:54025]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [363:276351]
:POSTROUTING ACCEPT [363:276351]
COMMIT
# Completed on Thu Aug 11 10:31:49 2016
# Generated by iptables-save v1.6.0 on Thu Aug 11 10:31:49 2016
*nat
:PREROUTING ACCEPT [57:2792]
:INPUT ACCEPT [30:1524]
:OUTPUT ACCEPT [20:1614]
:POSTROUTING ACCEPT [20:1614]
COMMIT
# Completed on Thu Aug 11 10:31:49 2016
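A check worth running on rules.v4 before restoring it, added here as an example and not part of the original post: when rules are later hand-edited into the file, anything appended after a chain's catch-all REJECT (or DROP/ACCEPT with no match options) can never match, and the script below flags such dead rules in an iptables-save dump. The sample ruleset inside it is constructed for the demo; on a real host point find_dead_rules at /etc/iptables/rules.v4.

```shell
#!/bin/sh
# Added example, not part of the original post: lint an iptables-save dump
# for rules that can never match because an unconditional terminating rule
# (-A CHAIN -j DROP/REJECT/ACCEPT with no match options) precedes them in
# the same chain, a mistake that is easy to make when appending to rules.v4.

# Print every unreachable rule; exit 1 if any were found, 0 otherwise.
find_dead_rules() {
    awk '
    /^\*/ { split("", terminated); next }   # new table: forget chain state
    /^-A / {
        chain = $2
        if (chain in terminated) {
            printf "dead rule after catch-all %s in chain %s: %s\n", terminated[chain], chain, $0
            dead++
            next
        }
        # "-A CHAIN -j TARGET" (optionally with --reject-with X) has no match
        # options, so every packet reaching it terminates there.
        if (NF == 4 && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT" || $4 == "ACCEPT"))
            terminated[chain] = $4
        else if (NF == 6 && $3 == "-j" && $4 == "REJECT" && $5 == "--reject-with")
            terminated[chain] = "REJECT"
    }
    END { exit (dead > 0) }
    ' "$1"
}

# Constructed sample (not a real server dump) with the ordering problem.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-net-unreachable
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j DROP
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --rsource -j DROP
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state INVALID -j DROP
COMMIT
EOF
}

# Stand-alone demo; on a real host run: find_dead_rules /etc/iptables/rules.v4
sample=$(mktemp)
write_sample_rules "$sample"
find_dead_rules "$sample" || echo "fix: move each catch-all REJECT to the end of its chain"
rm -f "$sample"
```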

Now edit the rules.v4 file created by iptables-persistent and paste the rules into it.

sudo nano /etc/iptables/rules.v4

Delete the existing rules in the file, paste the rules from above into it, and save the file.

Ctrl+X, then Y

Now import the rules above into iptables

sudo iptables-restore < /etc/iptables/rules.v4

Now save the rules

sudo iptables-save

Now save the rules to the upstart files to make 100% sure they load at startup

sudo iptables-save > /etc/iptables.up.rules

Confirm they are now loaded into IPTables by running.

sudo iptables -S

Reboot your server and, once it is back up, confirm the rules loaded by running

sudo iptables -S

DONE !!! and so SIMPLE !!!

Every time you modify your firewall rules, you simply edit /etc/iptables/rules.v4, make your changes and save the file.

Then you simply repeat the process.

sudo iptables-restore < /etc/iptables/rules.v4

Now save the rules again and reboot.

sudo iptables-save
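A post-reboot check that goes a step beyond eyeballing iptables -S, added here as an example and not part of the original post: on a 16.04 host netfilter-persistent loads /etc/iptables/rules.v4 at boot (sudo netfilter-persistent save writes that file), and sudo iptables-save on its own only prints the running rules to stdout, so the useful test is whether the file and the running rules agree. The two dumps inside the script are constructed stand-ins for rules.v4 and iptables-save output.

```shell
#!/bin/sh
# Added example, not part of the original post: confirm that the file
# netfilter-persistent loads at boot (/etc/iptables/rules.v4) matches the
# rules the kernel is running now. Comment lines and the [pkts:bytes]
# counters are ignored, since they differ between dumps with no rule change.

# Strip "# ..." lines, bracketed counters and trailing whitespace.
normalize_rules() {
    sed -e '/^#/d' -e 's/ *\[[0-9]*:[0-9]*\]//' -e 's/[[:space:]]*$//' "$1"
}

# Exit 0 when both dumps describe the same tables, chains and rules.
compare_rules() {
    a=$(mktemp) && b=$(mktemp) || return 2
    normalize_rules "$1" > "$a"
    normalize_rules "$2" > "$b"
    if diff -u "$a" "$b"; then
        echo "saved and running rules match"; status=0
    else
        echo "MISMATCH: run 'sudo netfilter-persistent save' or restore rules.v4"; status=1
    fi
    rm -f "$a" "$b"
    return $status
}

# Constructed dumps standing in for rules.v4 and 'sudo iptables-save' output.
write_saved_rules() {
    cat > "$1" <<'EOF'
# Generated by iptables-save v1.6.0 on Thu Aug 11 10:31:49 2016
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}
write_running_rules() {
    cat > "$1" <<'EOF'
# Generated by iptables-save v1.6.0 on Fri Aug 12 08:00:00 2016
*filter
:INPUT DROP [1234:567890]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Demo; on a real host: sudo iptables-save > /tmp/running.v4; compare_rules /etc/iptables/rules.v4 /tmp/running.v4
saved=$(mktemp); running=$(mktemp)
write_saved_rules "$saved"; write_running_rules "$running"
compare_rules "$saved" "$running" || true
rm -f "$saved" "$running"
```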
