How to start/stop iptables on Ubuntu?
I think some of the confusion comes from articles like this: cyberciti.biz/faq/turn-on-turn-off-firewall-in-linux, which only applies to Fedora/Red Hat and does claim that you'd find it in /etc/init.d/. It (un)helpfully is the top link you get when googling 'turn off iptables ubuntu'.
It seems that since Ubuntu 16.04, iptables-persistent has been replaced by netfilter-persistent. Install it:
apt install netfilter-persistent
You can also do this: run the command "systemctl disable iptables" and then the command "systemctl enable ufw"; finally, restart the server with "reboot". This procedure will keep iptables disabled.
I don't know about "Ubuntu", but in Linux generally, "iptables" isn't a service, it's a command to manipulate the netfilter kernel firewall. You can "disable" (or stop) the firewall by setting the default policies on all standard chains to "ACCEPT", and flushing the rules.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
(You may need to flush other tables, too, such as "nat", if you've used them.)
The following article on the Ubuntu website describes setting up iptables for use with NetworkManager: https://help.ubuntu.com/community/IptablesHowTo
Won’t this throw away all current rules for ever? Best to save them somewhere first with sudo iptables-save > /tmp/rules
The command you are looking for is:
ufw is just a frontend for iptables: "iptables is a firewall, installed by default on all official Ubuntu distributions (Ubuntu, Kubuntu, Xubuntu). When you install Ubuntu, iptables is there, but it allows all traffic by default. Ubuntu 8.04 comes with ufw, a program for managing the iptables firewall easily." help.ubuntu.com/community/IptablesHowTo
Might be, but as ufw == iptables (more or less) in Ubuntu, disabling ufw is equal to disabling iptables.
Most likely the OP was actually interested in disabling firewalls, instead of understanding the intricacies of the iptables service for managing firewalls, so this is a good answer.
I would first check if it is installed with (it probably is):
On Ubuntu, iptables is not a service. In order to stop it, you have to do the following:
sudo iptables-save > /root/firewall.rules   # keep a copy so the rules can be restored later
# the remaining commands also need root
iptables -F                                 # flush the filter table first; -X can only delete empty, unreferenced chains
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
In order to restore your previous rules:
This was taken from http://www.cyberciti.biz/faq/turn-on-turn-off-firewall-in-linux/ and was tested on many Ubuntu 8.X and 9.10 installations.
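The two answers above both "stop" the firewall by flushing rules and setting ACCEPT policies, and both note that you should save first and that tables other than filter need their own flush. The script below is an added example, not code from either answer, that puts those steps in order (backup, policies, then every table) and pairs them with a restore. It assumes iptables, iptables-save and iptables-restore are on PATH and that it runs as root; with DRY_RUN=1 it prints the commands instead of running them, which is how it can be exercised on a machine with no netfilter access. ip6tables is left out; the same sequence applies to it.

```shell
#!/bin/sh
# Added example, not code from either answer above: "stop" the netfilter
# firewall the way those answers describe (ACCEPT policies, flush every table)
# but only after saving the live ruleset, and provide the matching restore.
# Assumptions: iptables, iptables-save and iptables-restore are on PATH and
# the script runs as root. With DRY_RUN=1 the commands are printed, not run.

BACKUP_DIR="${BACKUP_DIR:-/root/firewall-backups}"

# run CMD...: execute the command, or echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# open_firewall: save the current ruleset to a timestamped file, then make
# every chain accept everything. Prints the backup path on its last line.
open_firewall() {
    backup="$BACKUP_DIR/iptables-$(date +%Y%m%d-%H%M%S).rules"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables-save > $backup"
    else
        mkdir -p "$BACKUP_DIR" || return 1
        iptables-save > "$backup" || return 1
    fi
    # Policies first: flushing a chain whose policy is DROP would cut all
    # traffic for the moment between the flush and the policy change.
    for chain in INPUT FORWARD OUTPUT; do
        run iptables -P "$chain" ACCEPT
    done
    # "iptables -F" alone only touches the filter table; nat, mangle and raw
    # keep their rules unless flushed explicitly (the "other tables" caveat).
    for table in filter nat mangle raw; do
        run iptables -t "$table" -F    # delete all rules in the table
        run iptables -t "$table" -X    # delete the now-empty user chains
    done
    echo "$backup"
}

# restore_firewall FILE: reload a ruleset saved by open_firewall. The saved
# file carries the chain policies, so DROP defaults come back with it.
restore_firewall() {
    [ -r "$1" ] || { echo "cannot read backup file: $1" >&2; return 1; }
    run iptables-restore < "$1"
}

if [ $# -gt 0 ]; then
    case "$1" in
        open)    open_firewall ;;
        restore) restore_firewall "$2" ;;
        *)       echo "usage: $0 open | restore FILE" >&2; exit 1 ;;
    esac
fi
```

Usage: `sudo sh fw-open.sh open` prints the backup path it wrote; `sudo sh fw-open.sh restore /root/firewall-backups/iptables-<stamp>.rules` puts the rules back. Setting the policies before flushing matters when the existing policy is DROP, because a flushed chain with a DROP policy drops everything, including the SSH session you are typing in.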
I don't know why this has so many upvotes; iptables is a kernel module. It is never a "service" that can be "stopped". They are used to tell the kernel how to handle connections. Also, in a production environment you should never disable your firewall. If something doesn't work, find the right solution, not the easy one.
iptables is a command, not a service, so generally it's not possible to use commands like
in order to start and stop the firewall, but some distros like CentOS have installed a service called iptables to start and stop the firewall and a configuration file to configure it. Anyway, it's possible to make a service to manage iptables by editing or installing a script for this purpose. All services in Linux (Ubuntu is not an exception) are executable scripts inside the /etc/init.d folder that implement a standard interface (start, stop, restart). A possible script looks like this:
#!/bin/sh -e
### BEGIN INIT INFO
# Provides:          iptables
# Required-Start:    mountvirtfs ifupdown $local_fs
# Default-Start:     S
# Default-Stop:      0 6
### END INIT INFO
#
# July 9, 2007
# James B. Crocker
# Creative Commons Attribution - Share Alike 3.0 License (BY,SA)
#
# Script to load/unload/save iptables firewall settings.

PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"

IPTABLES=/sbin/iptables
IPTABLES_SAVE=/sbin/iptables-save
IPTABLES_RESTORE=/sbin/iptables-restore
IPTABLES_CONFIG=/etc/iptables.conf

# nothing to do if iptables is not installed
[ -x $IPTABLES ] || exit 0

. /lib/lsb/init-functions

case "$1" in
start)
    log_action_begin_msg "Starting firewall"
    type usplash_write >/dev/null 2>/dev/null && usplash_write "TIMEOUT 120" || true
    if $IPTABLES_RESTORE < $IPTABLES_CONFIG ; then
        log_action_end_msg $?
    else
        log_action_end_msg $?
    fi
    type usplash_write >/dev/null 2>/dev/null && usplash_write "TIMEOUT 15" || true
    ;;
stop)
    log_action_begin_msg "Saving current firewall configuration"
    if $IPTABLES_SAVE > $IPTABLES_CONFIG ; then
        log_action_end_msg $?
    else
        log_action_end_msg $?
    fi
    log_action_begin_msg "Flushing ALL firewall rules from chains!"
    if $IPTABLES -F ; then
        log_action_end_msg $?
    else
        log_action_end_msg $?
    fi
    log_action_begin_msg "Deleting ALL firewall chains [Warning: ACCEPTING ALL PORT SERVICES!]"
    if $IPTABLES -X ; then
        $IPTABLES -P INPUT ACCEPT
        $IPTABLES -P FORWARD ACCEPT
        $IPTABLES -P OUTPUT ACCEPT
        log_action_end_msg $?
    else
        log_action_end_msg $?
    fi
    ;;
save)
    log_action_begin_msg "Saving current firewall configuration"
    if $IPTABLES_SAVE > $IPTABLES_CONFIG ; then
        log_action_end_msg $?
    else
        log_action_end_msg $?
    fi
    ;;
force-reload|restart)
    log_action_begin_msg "Reloading firewall configuration [Warning: POTENTIAL NETWORK INSECURITY DURING RELOAD]"
    $IPTABLES -F
    $IPTABLES -X
    if $IPTABLES_RESTORE < $IPTABLES_CONFIG ; then
        log_action_end_msg $?
    else
        log_action_end_msg $?
    fi
    ;;
*)
    # the action names match the case labels above
    echo "Usage: /etc/init.d/iptables {start|stop|save|restart|force-reload}"
    exit 1
    ;;
esac

exit 0
This script is part of this tutorial; all the commands to configure the firewall must be put, according to the script above, into the /etc/iptables.conf file. The script must be saved in a file called iptables in /etc/init.d and made executable using
and add the service to runlevels using
update-rc.d iptables defaults
You can add new rules from the shell; these rules will be immediately active and will be added to /etc/iptables.conf when the service stops (that means they will be saved for sure when the system shuts down).
I hope this will be helpful to everyone.
Reloading iptables
I made changes to iptables config file in /etc/iptables/filter in Ubuntu and want to reload them. I read the man page and also googled but couldn’t find the information. Any help will be appreciated.
You have neither provided any information about the version of Ubuntu you are using, nor searched the web well, before posting this question.
Normally your firewall rules are in the config file /etc/iptables.firewall.rules.
To activate the rules defined in your file you must send them to iptables-restore (you can use another file if you want):
And you can check that they are activated with:
If you want to activate the same rules each time you boot the computer create this file:
sudo nano /etc/network/if-pre-up.d/firewall
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules
And give it permission of execution:
sudo chmod +x /etc/network/if-pre-up.d/firewall
Example file for /etc/iptables.firewall.rules:
*filter

# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow SSH connections
#
# The --dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
-A INPUT -p icmp -j ACCEPT

# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT
Just had an issue upgrading to Ubuntu 20.04.2 LTS. The location of iptables-restore changed from /sbin/iptables-restore to /usr/sbin/iptables-restore.
Be sure to check your system location with whereis iptables-restore or your network interface will not be raised.
If you don't have network after an upgrade, you can check the reason with sudo systemctl status networking.service -l; in my case:
Failed to start Raise network interfaces. if-pre-up.d/firewall: 2: /sbin/iptables-restore: not found
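Two things go wrong with the rules-file approach in practice: the file itself has a mistake (a missing COMMIT, or the catch-all DROP ending up above the SSH ACCEPT, which locks you out at the next boot), or the hook hardcodes a path to iptables-restore that moves across an upgrade, as the comment above shows. The script below is an added example, not code from the answer or the comment, that checks the file for those problems and resolves iptables-restore through PATH before applying anything. It assumes a single *filter block in the format shown above and that remote management is SSH on SSH_PORT (default 22). The sample_rules function reproduces the example file from the answer so the checks can be tried without touching /etc. The same checks apply to /etc/iptables/rules.v4 if you use netfilter-persistent instead of an if-pre-up.d hook.

```shell
#!/bin/sh
# Added example, not from the answer or the comment above: lint an
# iptables-save style rules file (like /etc/iptables.firewall.rules) before
# loading it, and find iptables-restore via PATH instead of a hardcoded
# /sbin path, which is what broke the if-pre-up.d hook after the upgrade.
# Assumptions: a single *filter block as in the example above, and remote
# management over SSH on SSH_PORT (default 22). Run as root to apply.

SSH_PORT="${SSH_PORT:-22}"

# sample_rules: the example rules file from the answer above, emitted here
# so the checks can be exercised without touching /etc.
sample_rules() {
cat <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
EOF
}

# check_rules_file FILE: 0 if every check passes, 1 otherwise (reasons on stderr).
check_rules_file() {
    f="$1"; rc=0
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }

    # Each *table block needs a closing COMMIT or iptables-restore rejects the file.
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT' "$f" || true)
    [ "$tables" -eq "$commits" ] || { echo "$tables table(s) but $commits COMMIT(s)" >&2; rc=1; }

    # Loopback must be allowed or local clients of local services break.
    grep -q -- '^-A INPUT -i lo -j ACCEPT' "$f" || { echo "missing loopback ACCEPT" >&2; rc=1; }

    # Lockout check: the SSH ACCEPT must be evaluated before the INPUT catch-all DROP.
    ssh_line=$(grep -n -- "--dport $SSH_PORT -j ACCEPT" "$f" | head -n 1 | cut -d: -f1)
    drop_line=$(grep -n -- '^-A INPUT -j DROP' "$f" | head -n 1 | cut -d: -f1)
    if [ -z "$ssh_line" ]; then
        echo "no ACCEPT rule for tcp/$SSH_PORT" >&2; rc=1
    elif [ -n "$drop_line" ] && [ "$ssh_line" -gt "$drop_line" ]; then
        echo "SSH ACCEPT (line $ssh_line) is after INPUT DROP (line $drop_line)" >&2; rc=1
    fi
    return $rc
}

# restore_cmd: print the iptables-restore path found via PATH (empty if none).
restore_cmd() { command -v iptables-restore 2>/dev/null || true; }

# load_rules FILE: lint, then parse with --test (no commit), then apply.
load_rules() {
    check_rules_file "$1" || return 1
    cmd=$(restore_cmd)
    [ -n "$cmd" ] || { echo "iptables-restore not found in PATH" >&2; return 1; }
    "$cmd" --test < "$1" || { echo "rejected by iptables-restore --test" >&2; return 1; }
    "$cmd" < "$1"
}

if [ $# -gt 0 ]; then load_rules "$1"; fi
```

Usage: `sudo sh load-rules.sh /etc/iptables.firewall.rules`. The `--test` pass makes iptables-restore parse the whole file without committing it, so a syntax error is reported before any chain is touched; the ordering check catches the mistake the parser cannot, a file that is valid but blocks the port you administer through.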
Iptables reload/restart on Ubuntu
but on Ubuntu it does not work. I could not find iptables under init.d either. Can anybody help me out: how can I restart or reload it on Ubuntu 18.04?
So Ubuntu 18.04 deleted iptables-save from the default installation? I used to spend several days studying how to use iptables-save, then it disappeared from the default installation, WTF? So which Linux kernel syscall should I use to get the same effect as iptables-save in case Ubuntu 20.04 deletes ufw from the default installation?
If you would like your Ubuntu firewall to function in a similar way to RedHat/Fedora, in Ubuntu 18.04, 20.04 and 22.04 you probably want these:
sudo apt install iptables-persistent netfilter-persistent
Then edit the rules in /etc/iptables/rules.v[46].
Other commands that might be useful:
netfilter-persistent save
netfilter-persistent start
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
systemctl stop netfilter-persistent
systemctl start netfilter-persistent
systemctl restart netfilter-persistent
If you ever find that your rules aren't correctly applied at boot, you can run these commands to test that there are not errors in your config files:
The two packages are similar, but provide slightly different functionality. If you only install iptables-persistent, you won't get the service definition file for correct handling in systemd, e.g. /lib/systemd/system/netfilter-persistent.service.
If you only install netfilter-persistent, you will find that rules are not correctly applied at boot, as per the README:
netfilter-persistent and its plugins
------------------------------------

netfilter-persistent does no work on its own. You need the accompanying
plugins (for example, iptables-persistent) to load and save filter rules.
However, commands are run from netfilter-persistent. For example, to save
all filter rules:

    netfilter-persistent save

or to load them:

    netfilter-persistent start

For more details, see `man netfilter-persistent`.

The system service will try to load rules at startup if enabled, but by
default it will not flush rules at shutdown. This behaviour can be changed
by editing /etc/default/netfilter-persistent.
afaict, netfilter-persistent save will also update /etc/iptables/rules.v4/6, which, if correct, makes noting iptables-save > /etc/iptables/rules.v4/6 as well unnecessary, I think.
That is true, but the additional commands were included for completeness. Personally, I never use the netfilter-persistent save command because it includes comments and doesn't zero the counters.
In newer distributions you normally have a frontend to configure and manage the firewall. The most popular these days are ufw and firewalld, and maybe shorewall. Those frontends also take care of adding the rules to iptables, and the iptables script can be skipped, or rather should be skipped, as the frontends will not pick up changes you have made with the iptables command directly.
For Ubuntu 18.04, it seems firewalld has become the default, where ufw is installed but inactive.
root@localhost:~# firewall-cmd --state
running
root@localhost:~# ufw status
Status: inactive
So rather than creating your own iptables-conformant rules, you should use these frontends to create your firewall configuration.
I am not familiar with ufw, but surely you will find information here on askubuntu or somewhere else on the internet.
firewalld comes with a GUI (firewall-config) and a command line tool, firewall-cmd.
With firewalld you have the option to add rules without applying it right now (permanent) and apply it only after a firewall reload. Or you can add them to your runtime configuration, test it and add it then to your permanent configuration.
To reload e.g. a newly added permanent configuration to your running rules you would have to enter the command as follows or do the corresponding clicks in the GUI.
It might look a bit more complicated at first glance, since firewalld follows a zones and chains concept. But it integrates nicely with NetworkManager and ships a GUI.
A good starting point to get familiar with it is here.
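The runtime-then-permanent workflow the answer describes, as an added example that is not the answer's own code: a service is first opened in the runtime configuration with a timeout, so that firewalld removes it by itself if the change turns out to block access, and only once it has been tested is it written to the permanent configuration and activated with a reload. It assumes firewalld is running, that the caller is root, and that ZONE (default public) is the zone the interface belongs to; with DRY_RUN=1 the firewall-cmd invocations are printed rather than executed.

```shell
#!/bin/sh
# Added example, not from the answer above: the runtime-first firewalld
# workflow it describes, with a safety net. Assumes firewalld is running,
# the caller is root and ZONE (default public) is the active zone. With
# DRY_RUN=1 the firewall-cmd invocations are printed rather than executed.

ZONE="${ZONE:-public}"

# fwcmd ARGS...: run firewall-cmd, or print the invocation when DRY_RUN=1.
fwcmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "firewall-cmd $*"; else firewall-cmd "$@"; fi
}

# try_service NAME [SECONDS]: open a service in the runtime configuration only.
# --timeout makes firewalld remove the entry by itself after SECONDS (default
# 300), so a change that cuts off remote access reverts without a console visit.
try_service() {
    fwcmd --zone="$ZONE" --add-service="$1" --timeout="${2:-300}"
}

# keep_service NAME: once the runtime trial is satisfactory, write the entry
# into the permanent configuration and reload. A reload replaces the runtime
# configuration with the permanent one, so the timed trial entry disappears
# and the permanent entry takes its place.
keep_service() {
    fwcmd --zone="$ZONE" --permanent --add-service="$1" || return 1
    fwcmd --reload
}

# show_zone: compare what is active now with what will survive a reload.
show_zone() {
    fwcmd --zone="$ZONE" --list-services
    fwcmd --zone="$ZONE" --permanent --list-services
}

if [ $# -gt 0 ]; then
    case "$1" in
        try)  try_service "$2" "${3:-300}" ;;
        keep) keep_service "$2" ;;
        show) show_zone ;;
        *)    echo "usage: $0 try SERVICE [SECONDS] | keep SERVICE | show" >&2; exit 1 ;;
    esac
fi
```

Usage: `sudo sh fw-stage.sh try http 120`, check from outside that the service is reachable and nothing else changed, then `sudo sh fw-stage.sh keep http`. Note that any runtime-only change you made by hand is lost at the reload; that is the point of the permanent/runtime split, and why show_zone lists both.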