Saving Iptables Firewall Rules Permanently

What is the proper way for saving iptables rules?
I know that I can use iptables-save/iptables-restore, but where to put iptables-restore?
Should I put it in /etc/rc.local or should I use iptables-persistent package?

What is the preferred way?

I know how to do it, I am just asking for the proper way.

If you knew how to do it, then why ask? There is a working way and there is failure.

Since the distro uses iptables per default, it's not gonna break if you add the persistent package.

So, you are suggesting iptables save/restore in rc.local?

Ideally you want restore as an ifup.d rule, but ConnMan does not support this at this time.


run as root

sudo -s

Save current firewall rules to file

iptables-save > /etc/firewall.conf


echo '#!/bin/sh' > /etc/network/if-up.d/iptables
echo "iptables-restore < /etc/firewall.conf" >> /etc/network/if-up.d/iptables
chmod +x /etc/network/if-up.d/iptables


echo '#!/bin/sh' > /etc/network/if-down.d/iptables
echo "iptables-save > /etc/firewall.conf" >> /etc/network/if-down.d/iptables
chmod +x /etc/network/if-down.d/iptables

is working for me

If you want to save your iptables rules after a change to iptables, just run the command below… but it will run the same command on reboot or shutdown.

iptables-save > /etc/firewall.conf

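A more defensive take on the if-up.d restore hook from the post above, as an added example that is not part of the thread: it refuses a saved ruleset that is a symlink, group- or world-writable, or truncated, and dry-runs it with `iptables-restore --test` before loading. The function names and the `--apply` switch are hypothetical.

```shell
#!/bin/sh
# Added example: defensive replacement for /etc/network/if-up.d/iptables.
# Function names and the "--apply" switch are hypothetical, not from the thread.

# Return 0 only if the saved ruleset looks safe to feed to iptables-restore.
rules_file_ok() {
    f=$1
    # Must be a regular, non-empty file and not a symlink.
    [ -f "$f" ] && [ ! -L "$f" ] && [ -s "$f" ] || return 1
    # Reject group- or world-writable files: anyone who can edit the file
    # controls the firewall after the next interface-up event.
    perms=$(ls -ld -- "$f" | cut -c1-10)
    case $perms in
        ?????w????|????????w?) return 1 ;;
    esac
    # iptables-save output opens each table with "*name" and closes it with
    # "COMMIT"; a truncated save leaves the two counts unequal.
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT$' "$f" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# Validate, dry-run, then load. The running ruleset is untouched on failure.
restore_rules() {
    f=$1
    rules_file_ok "$f" || { echo "refusing $f: failed sanity checks" >&2; return 1; }
    # --test parses and builds the ruleset without committing it.
    iptables-restore --test < "$f" || { echo "refusing $f: parse error" >&2; return 1; }
    iptables-restore < "$f"
}

# Only touch the firewall when asked to, e.g. from the if-up.d hook:
#   /path/to/this-script --apply /etc/firewall.conf
if [ "${1:-}" = "--apply" ]; then
    restore_rules "${2:-/etc/firewall.conf}"
fi
```

Because the if-down.d hook in the same post rewrites /etc/firewall.conf on every interface-down event, the truncation check is what catches a save that was cut short during shutdown.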

Install iptables-persistent, that will take care of all loading at boot time.

If you want to save manually, you do a “netfilter-persistent save”. Why Debian changed it to netfilter is beyond me.

You will get 2 files in /etc/iptables: rules.v4 and rules.v6. They are plain text files and are iptables commands which you can modify and load with “netfilter-persistent reload”.

I will try it. Thanks.

If you are using CentOS 6 or Red Hat, you can save it like this:
$ iptables-save > /etc/sysconfig/iptables
Or if you are using CentOS 7, you can save it like this:
$ service iptables save
But if you are using a Debian-based distro, you can use iptables-persistent to save rules.
$ netfilter-persistent save
All these commands for iptables from here
Thank you.