This is a fork of Debian's iptables-persistent package that loads iptables rules using rules specified at
UPDATE 2018-05-27: This is not maintained anymore and may or may not work with current Debian setups. Use at your own risk.
UPDATE 2014-09-20: The iptables-persistent package in Debian jessie has significanlty changed compared to the previous version, and has somehow been renamed to netfilter-persistent. This script is not related to netfilter-persistent at all.
This version is modified to properly handle fail2ban's rules reloading when starting/stopping/reloading iptables's rules via iptables-persistent (fail2ban inserts its own rules at the beginning of iptables current ruleset when (re)started). If fail2ban is not installed, iptables-persistent will ignore any action related to file2ban.
For IPv6 enabled servers, ip6tables rules management is properly handled too, by activating the corresponding parameter in the configuration file (see below).
An example set of rules is included as quickstart. It is pretty restrictive: forwarding is disabled and only DNS, ping and SSH are allowed inbound by default. You MUST review it and edit it to suit your needs!.
copy the init.d script
/etc/init.d/and make it executable
/etc/default/iptables-persistent.confand edit it to suit your needs
/etc/iptables/rulesand edit it to suit your needs
/etc/iptables/ipv6_rulesand edit it to suit your needs (you can copy this file even if you don't activate IPv6 support in the configuration, it will be ignored)
make iptables-persistent to be lauched at startup
update-rc.d iptables-persistent defaults
/etc/default/iptables-persistent.conf to set the following parameters:
SAVE_NEW_RULES (default: 0) - if set different than 0 then the current iptables ruleset will be saved with iptables-save when iptables-persistent is stopped (or restarted)
MODULES (default: "") - a space-separated list of the modules that iptables-persistent should load/unload. Useful to activate FTP connection tracking for example.
IPV6 (default: 0) - if set different than 0 it will additionnaly use ip6tables to handle the loading/unloading of the ruleset stored at
ENABLE_ROUTING (default: 0) – if set different than 0 then routing is enabled (in
/proc/sys/net/ipv6/conf/all/forwarding), otherwise it’s not.