Reloading iptables

I made changes to the iptables config file in /etc/iptables/filter in Ubuntu and want to reload them. I read the man page and also googled but couldn't find the information. Any help will be appreciated.


Solution 1:

Normally your firewall rules are in the config file /etc/iptables.firewall.rules

To activate the rules defined in your file you must send them to iptables-restore (you can use another file if you want):

sudo iptables-restore < /etc/iptables.firewall.rules

And you can check that they are activated with:

sudo iptables -L

If you want to activate the same rules each time you boot the computer create this file:

sudo nano /etc/network/if-pre-up.d/firewall

With this content:

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules

And give it execute permission:

sudo chmod +x /etc/network/if-pre-up.d/firewall

Hope it helps you =)

Example file for /etc/iptables.firewall.rules:

*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#
#  The --dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

Edit 2021-08:

Just had an issue upgrading to Ubuntu 20.04.2 LTS. The location of iptables-restore changed from /sbin/iptables-restore to /usr/sbin/iptables-restore.

Be sure to check your system's location with whereis iptables-restore, or your network interface will not be raised.

If you don't have network after an upgrade, you can check the reason with sudo systemctl status networking.service -l; in my case:

Failed to start Raise network interfaces.
if-pre-up.d/firewall: 2: /sbin/iptables-restore: not found

Solution 2:

The easiest way is to reboot (also, if the below does not work, reboot and check if that made the change).

Second easiest is to restart the daemons using iptables configurations (google: restart daemon ubuntu).

Examples (depends on your configuration):

/etc/init.d/iptables restart

/etc/init.d/networking restart

/etc/init.d/firewall restart

Solution 3:

If you've executed your rules, they are already running and no reloading is necessary. In the case where you have a configuration file but it hasn't been executed, the best way I've seen so far is to use iptables-apply (an iptables extension).

iptables-apply -t 60 your_rules_file

This will apply the rules for 60 seconds (10 by default) and revert them if you don't confirm them. This will save you in case you are thrown out of the system because of the rules (e.g. if you are operating through ssh).

You can use the following as a replacement:

iptables-restore < your_rules_file; sleep 60; iptables-restore < clean_rules
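A fuller version of that replacement, as an added example that is not part of this answer or of iptables-apply itself: it snapshots the live rules with iptables-save, loads the new file, and reverts unless the operator confirms in time, surviving a dropped ssh session. It assumes root and iptables-save/iptables-restore on PATH; IPTABLES_SAVE, IPTABLES_RESTORE and the optional CONFIRM_CMD argument are hooks I added so the logic can be dry-run with stubs.

```bash
#!/usr/bin/env bash
# Added example (not from the original answers): apply an iptables rules file
# and roll back automatically unless the operator confirms, the behaviour
# iptables-apply provides. Assumes root and iptables-save/iptables-restore on
# PATH; IPTABLES_SAVE / IPTABLES_RESTORE are override hooks for dry runs.
set -u
IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-iptables-restore}

# Keep running if the new rules cut our ssh session: the revert must still
# happen (a plain "sleep 60; iptables-restore < clean" chain dies on SIGHUP).
trap '' HUP

# Prompt for "y"; any other answer, or none within $1 seconds, means revert.
ask_operator() {
    printf 'New rules active. Type y within %ss to keep them: ' "$1" >&2
    answer=
    # bash read -t; a shell without it fails here and the rules are reverted
    read -r -t "$1" answer 2>/dev/null || return 1
    [ "$answer" = y ]
}

# apply_with_rollback RULES_FILE TIMEOUT [CONFIRM_CMD]
# Returns 0 if the new rules were kept, 1 if they were rolled back,
# 2 if the new file could not be loaded (the old rules are then untouched).
apply_with_rollback() {
    rules_file=$1 timeout=$2 confirm=${3:-ask_operator}
    [ -r "$rules_file" ] || return 2
    backup=$(mktemp) || return 2
    # Snapshot the live ruleset so the revert restores exactly what ran before.
    if ! "$IPTABLES_SAVE" > "$backup"; then rm -f "$backup"; return 2; fi
    # iptables-restore is atomic per table: the whole file loads or nothing changes.
    if ! "$IPTABLES_RESTORE" < "$rules_file"; then rm -f "$backup"; return 2; fi
    if "$confirm" "$timeout"; then
        rm -f "$backup"
        return 0
    fi
    echo 'No confirmation, reverting to the previous rules.' >&2
    "$IPTABLES_RESTORE" < "$backup"
    rm -f "$backup"
    return 1
}

# Run directly: ./apply-rules.sh /etc/iptables.firewall.rules 60
if [ $# -ge 1 ]; then
    apply_with_rollback "$1" "${2:-60}"
fi
```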

Solution 4:

sudo ufw reload

Will reload the firewall and its rules.