Reloading iptables
I made changes to the iptables config file in /etc/iptables/filter in Ubuntu and want to reload them. I read the man page and also googled but couldn't find the information. Any help will be appreciated.
Solution 1:
Normally your firewall rules are in the config file /etc/iptables.firewall.rules
To activate the rules defined in your file you must send them to iptables-restore (you can use another file if you want):
sudo iptables-restore < /etc/iptables.firewall.rules
And you can check that they are activated with:
sudo iptables -L
If you want to activate the same rules each time you boot the computer, create this file:
sudo nano /etc/network/if-pre-up.d/firewall
With this content:
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules
And give it execute permission:
sudo chmod +x /etc/network/if-pre-up.d/firewall
Hope it helps you =)
Example file for /etc/iptables.firewall.rules:
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH connections
#
# The --dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
Edit 2021-08:
Just had an issue upgrading to Ubuntu 20.04.2 LTS. The location of iptables-restore changed from /sbin/iptables-restore to /usr/sbin/iptables-restore.
Be sure to check your system's location with whereis iptables-restore, or your network interface will not be raised.
If you don't have network after an upgrade, you can check the reason with sudo systemctl status networking.service -l; in my case:
Failed to start Raise network interfaces.
if-pre-up.d/firewall: 2: /sbin/iptables-restore: not found
Solution 2:
The easiest way is to reboot (also, if the below does not work, reboot and check if that made the change).
The second easiest is to restart the daemons that use the iptables configuration (google: restart daemon ubuntu).
Examples (depends on your configuration):
/etc/init.d/iptables restart
/etc/init.d/networking restart
/etc/init.d/firewall restart
Solution 3:
If you've executed your rules they are already running and no reloading is necessary. In the case where you have a configuration file but it hasn't been executed, the best way I've seen so far is to use iptables-apply (an iptables extension).
iptables-apply -t 60 your_rules_file
This will apply the rules for 60 seconds (10 by default) and revert them if you don't confirm them. This will save you in case you are thrown out of the system because of the rules (e.g. if you are operating through ssh).
You can use the following as a replacement:
iptables-restore < your_rules_file; sleep 60; iptables-restore < clean_rules
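The confirm-or-revert pattern from this answer written out as a POSIX sh script, added here as an example that is not part of any answer above: it snapshots the live ruleset with iptables-save, checks the new file with iptables-restore -t, applies it, and restores the snapshot unless you create a confirmation file from a second session before the timeout. It assumes iptables-save and iptables-restore are on PATH; IPT_SAVE and IPT_RESTORE are hypothetical override variables so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example: reload a ruleset with automatic rollback, the pattern
# iptables-apply implements. If the new rules cut off your ssh session you
# cannot confirm, so the previous ruleset is restored after TIMEOUT seconds.
# Assumes iptables-save/iptables-restore are on PATH (check with
# "whereis iptables-restore"); IPT_SAVE/IPT_RESTORE are hypothetical
# override hooks so the logic can be exercised without touching the kernel.
IPT_SAVE="${IPT_SAVE:-iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"

# Parse-only check (iptables-restore -t builds the ruleset but does not
# commit it): a missing COMMIT or unknown chain is caught before anything changes.
check_rules() {
    $IPT_RESTORE -t < "$1"
}

# apply_with_rollback RULES_FILE TIMEOUT CONFIRM_FILE
# Returns 0 if the new rules were confirmed and kept, 1 if they were rolled
# back, 2 if they could not be applied at all.
apply_with_rollback() {
    rules=$1 timeout=$2 confirm=$3
    check_rules "$rules" || { echo "ruleset does not parse; nothing changed" >&2; return 2; }
    backup=$(mktemp) || return 2
    $IPT_SAVE > "$backup" || { rm -f "$backup"; return 2; }   # snapshot live rules
    rm -f "$confirm"
    if ! $IPT_RESTORE < "$rules"; then
        $IPT_RESTORE < "$backup"; rm -f "$backup"; return 2
    fi
    echo "new rules live; run 'touch $confirm' within ${timeout}s to keep them" >&2
    i=0
    while [ "$i" -lt "$timeout" ]; do
        if [ -e "$confirm" ]; then
            rm -f "$confirm" "$backup"
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    echo "no confirmation after ${timeout}s, restoring previous ruleset" >&2
    $IPT_RESTORE < "$backup"
    rm -f "$backup"
    return 1
}

# Command-line use: firewall-apply.sh /etc/iptables.firewall.rules [timeout]
if [ "$#" -gt 0 ]; then
    apply_with_rollback "$1" "${2:-60}" /run/iptables-confirm
fi
```

Run it as root from your ssh session and, from a second session, touch the confirmation file once you have verified you can still log in.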
Solution 4:
sudo ufw reload
will reload the firewall and its rules.