debian 8 iptables 持久化

Question

i have VPS Debian 8 jessie x64 stable release. After installation im trying to configure iptables (like in debian 7).

apt-get install iptables-persistent

executed succesefully, some packets were installed. but when im trying

service iptables-persistent start

im getting an error that says thar service iptables-persistent unrecognized

halp!

Answer 1

Persist IP Tables Debian/Ubuntu

To persist any changes you make to your iptables rules, do the following.

Install iptables-persistent:

sudo apt-get install -y iptables-persistent

Make any changes you want to your iptables rules, eg

sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

Then run

sudo dpkg-reconfigure -y iptables-persistent

The rules should persist after a reboot now.

Extra Info

The dpkg-reconfigure just causes iptables-persistent to do again what it does at install, which is to save the current iptables into a file using a command just like:

iptables-save >/etc/iptables/rules.v4
ip6tables-save >/etc/iptables/rules.v6

The iptables-persistent package causes the os to run something like the following on reboot.

iptables-restore < /etc/iptables/rules.v4
ip6tables-restore < /etc/iptables/rules.v6

Hope this helps : )

Answer 2

I just stumbled over OP's problem, too (and then his question); found the solution when looking at the package description for iptables-persistent . The new interface seems to be netfilter-persistent, that is use eg:

# invoke-rc.d netfilter-persistent save

At least that is what worked for me, HTH ...

Answer 3

Update 8/7/16: It depends on the distro. The following comment content was entered in ignorance of whether the OP distro has a netfilter-persistent package. My apologies. My laptop distro (Mint) does not contain the netfilter-persistent package while my servers distros (Ubuntu 15+) do.

Original answer: As Oliver correctly says, netfilter-persistent replaces iptables-persistent in Ubuntu. What worked with Ubuntu 15.04 was as follows:

Install it, then make sure it is running as a service: service --status-all | grep netfilter-persistent service --status-all | grep netfilter-persistent

If not running as a service, start it once for all time with: invoke-rc.d netfilter-persistent start

Then you must place a script someplace that will run when the network or its interfaces stop. The important script content is simply: invoke-rc.d netfilter-persistent save

I put the script in /etc/network/if-post-down.d directory. Don't forget to chmod it to executable. If power outages are any likelihood, you could make a cron entry for the save command.

Answer 4

iptables-persistent has been recommand on debian wiki many times .

to install it:

apt install iptables-persistent 

iptables-persistent create the config files and use the package netfilter-persistent to reload or save iptables rules now

the iptables config files are at folder

/etc/iptables/rules.v4
/etc/iptables/rules.v6

the main manage tool is:

/usr/sbin/netfilter-persistent # you should be root or call sudo to use it

when you want to change iptable rules , edit the config files then reload iptables rules

netfilter-persistent reload

or you can use iptables -I INPUT ... to change iptables rules first then save it to config files

netfilter-persistent save

if you want to clear the iptables rules ,you can use flush command

netfilter-persistent flush 

Answer 5

The problem was in firewalld service. This is some kind of new firewall daemon which conflicts with netfilter(iptables)-persistent.

chkconfig firewalld off

and now all is working fine.

Disclaimer: this is not best practice, just a temporary wworkaround.