Restoring iptables when the box reboots

Today's post is also going to be short.
I have a VPS server running and the other day they had to reboot my host because of maintenance. Thing is, I lost my running iptables rules when the box was rebooted. So how do we get this fixed? You can create a script, use update-rc.d and make it run on the default runlevel. However, we are going to do it differently: we will use /etc/network/interfaces and iptables-restore.

We first make a backup of the running iptables setup.

server:~# iptables-save > /etc/iptables 

We now check that the configuration was saved.

server:~# cat /etc/iptables 
# Generated by iptables-save v1.4.2 on Tue Sep 21 19:09:48 2010
*security
:INPUT ACCEPT [1296:124154]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1011:120172]
COMMIT
# Completed on Tue Sep 21 19:09:48 2010
# Generated by iptables-save v1.4.2 on Tue Sep 21 19:09:48 2010
*raw
:PREROUTING ACCEPT [1296:124154]
:OUTPUT ACCEPT [1011:120172]
COMMIT
# Completed on Tue Sep 21 19:09:48 2010
# Generated by iptables-save v1.4.2 on Tue Sep 21 19:09:48 2010
*nat
:PREROUTING ACCEPT [29:2270]
:POSTROUTING ACCEPT [131:9748]
:OUTPUT ACCEPT [131:9748]
COMMIT
# Completed on Tue Sep 21 19:09:48 2010
# Generated by iptables-save v1.4.2 on Tue Sep 21 19:09:48 2010
*mangle
:PREROUTING ACCEPT [1296:124154]
:INPUT ACCEPT [1296:124154]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1011:120172]
:POSTROUTING ACCEPT [1011:120172]
COMMIT
# Completed on Tue Sep 21 19:09:48 2010
# Generated by iptables-save v1.4.2 on Tue Sep 21 19:09:48 2010
*filter
:INPUT ACCEPT [1296:124154]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1011:120172]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource 
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j DROP 
COMMIT
# Completed on Tue Sep 21 19:09:48 2010
server:~# 

The configuration above is very simple: it is made to block SSH brute-force attacks.
Now we need to modify /etc/network/interfaces to make it run after the interface is configured. Add the following to /etc/network/interfaces.

post-up iptables-restore < /etc/iptables
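Note that post-up is an interface option, so the line has to sit (indented) inside the iface stanza of the interface it belongs to, for example under iface eth0 inet static. As an added example that is not code from the original post, the script below is a small wrapper you can call from post-up instead of running iptables-restore directly: it refuses to load a dump that is missing or structurally broken (a truncated file with no COMMIT, for instance), and does a dry run first. The install path /usr/local/sbin/restore-iptables.sh is a hypothetical one, the dump path /etc/iptables is the one used in the post, and the sample dump the script can write is constructed for testing, not a real capture.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Restore hook for post-up that validates /etc/iptables before loading it,
# so a truncated or hand-edited dump does not leave the box without rules.
# Assumed install path (hypothetical): /usr/local/sbin/restore-iptables.sh

# Structural check of an iptables-save dump, without touching the kernel:
# every "*table" header must be closed by COMMIT, chain and rule lines must
# sit inside a table, and nothing else may appear. Returns 0 if sane.
check_dump() {
    awk '
        /^#/ || /^[[:space:]]*$/ { next }                               # comments, blank lines
        /^\*[a-z]+$/             { if (open) bad=1; open=1; tables++; next }   # table header
        /^COMMIT$/               { if (!open) bad=1; open=0; next }
        /^:[A-Za-z0-9_-]+ /      { if (!open) bad=1; next }             # chain + policy line
        /^-A /                   { if (!open) bad=1; next }             # rule line
                                 { bad=1 }                              # anything else
        END { if (open || bad || tables == 0) exit 1 }
    ' "$1"
}

# Number of rules (-A lines) in a dump, used for a sanity log line.
count_rules() {
    grep -c '^-A ' "$1"
}

# Load the dump only after it passes the structural check and a dry run.
# "iptables-restore -t" parses and builds the ruleset without committing it
# (available in current iptables; drop that line if your version lacks it).
restore_rules() {
    dump=${1:-/etc/iptables}
    if [ ! -r "$dump" ]; then
        echo "restore-iptables: $dump missing, keeping current rules" >&2
        return 1
    fi
    if ! check_dump "$dump"; then
        echo "restore-iptables: $dump is malformed, refusing to load it" >&2
        return 1
    fi
    iptables-restore -t < "$dump" || return 1
    iptables-restore < "$dump" && echo "restore-iptables: loaded $(count_rules "$dump") rules from $dump"
}

# Writes a constructed sample dump (modelled on the post's filter table) to $1,
# so the checks above can be exercised without root or a real firewall.
write_sample_dump() {
    cat > "$1" <<'EOF'
# Generated by iptables-save (constructed sample, not a real dump)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j DROP
COMMIT
# Completed
EOF
}

# Called from /etc/network/interfaces as:
#   post-up /usr/local/sbin/restore-iptables.sh restore /etc/iptables
if [ "${1:-}" = "restore" ]; then
    restore_rules "${2:-/etc/iptables}"
fi
```

The structural check is deliberately conservative: it knows only the line types iptables-save itself emits, so any stray text that ends up in the file (a shell prompt pasted by mistake, a half-written rule) makes the hook keep whatever rules are currently loaded and complain on stderr instead of applying a partial ruleset.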

The post-up line makes the iptables configuration take effect when the box reboots and networking is configured. Below is the proof.

server:~# iptables -F; iptables -L; date ; /etc/init.d/networking restart; iptables -L; date
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
mar sep 21 19:15:37 EDT 2010
Reconfiguring network interfaces...SIOCDELRT: No such process
if-up.d/mountnfs[eth0]: waiting for interface eth0:1 before doing NFS mounts (warning).
done.
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
           tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW recent: SET name: SSH side: source 
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW recent: UPDATE seconds: 60 
\hit_count: 4 TTL-Match name: SSH side: source 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
mar sep 21 19:15:37 EDT 2010
server:~# 

We flush all iptables rules and restart networking, and we see the iptables rules take effect after the restart. This is it, no more for today. Suggestions are always welcome. 🙂
