Introduction
When migrating from one server to another, it is often desirable to migrate the iptables firewall rules as part of the process. This tutorial will show you how to easily copy your active iptables rule set from one server to another.Prerequisites
This tutorial requires two servers. We will refer to the source server, which has the existing iptables rules, as Server A. The destination server, where the rules will be migrated to, will be referred to as Server B.You will also need to have superuser, or
sudo
, access to both servers.View Existing Iptables Rules
Before migrating your iptables rules, let's see what they are set to. You can do that with this command on Server A:
- sudo iptables -S
Example output:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 15.15.15.51/32 -j DROP
The example rules above will be used to demonstrate the firewall migration process.Export Iptables Rules
Theiptables-save
command writes the current iptables rules to stdout
(standard out). This gives us an easy way to export the firewall rules to file, by redirecting stdout
to a file.On the Server A, the one with the iptables rules that you want to migrate, use the
iptables-save
to export the current rules to a file named "iptables-export" like this:
- cd ~
- sudo iptables-save > iptables-export
This will create the iptables-export
file, in your home directory. This file can be used on a different server to load the firewall rules into iptables.View File Contents (Optional)
Let's take a quick look at the file's contents. We'll use thecat
command to print it out to the terminal:
- cat iptables-export
iptables-export contents:
# Generated by iptables-save v1.4.21 on Tue Sep 1 17:32:29 2015
*filter
:INPUT ACCEPT [135:10578]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8364:1557108]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 15.15.15.51/32 -j DROP
COMMIT
# Completed on Tue Sep 1 17:32:29 2015
As you can see, the file contains the configuration of the active
iptables rules. Now we're ready to copy this file to our destination
server, Server B.Copy Exported Rules to Destination Server
We need to copy the rules file to our destination server, Server B. The easiest way to do this is to usescp
or to copy and paste the file contents to a new file on Server B. We will demonstrate how to use scp
to copy the file over the network to the /tmp
directory. On Server A, run this
scp
command. Be sure to substitute the highlighted parts with your server's login and IP address:
- scp iptables-export user@server_b_ip_address:/tmp
After providing proper authentication, the file will be copied to the /tmp
directory on Server B. Note that the contents of /tmp
are deleted upon a reboot—feel free to place it somewhere else if you want to preserve it.Import Iptables Rules
With the exported rules on the destination server, you can load them into iptables. However, depending on your situation, you may want update the rules in the file with new IP addresses and ranges, and perhaps update interface names. If you want to change the rules before loading them, be sure to edit the/tmp/iptables-export
file now.Once you are ready to load the rules from the
iptables-export
file into iptables, let's use the iptables-restore
command to do so.On Server B, the destination server, run this command to load the firewall rules:
- sudo iptables-restore < /tmp/iptables-export
This will load the rules into iptables. You can verify this with the sudo iptables -S
command.Save Rules
Iptables rules are ephemeral, so special care must be taken for them to persist after a reboot—it is likely that you will want to perform this step on Server B. We will show you how to save the rules on both Ubuntu and CentOS.Ubuntu
On Ubuntu, the easiest way to save iptables rules, so they will survive a reboot, is to use the iptables-persistent package. Install it with apt-get like this:
- sudo apt-get install iptables-persistent
During the installation, you will asked if you want to save your current firewall rules. Response yes
, if you want to save the current rule set.If you update your firewall rules in the future, and want to save the changes, run this command:
- sudo invoke-rc.d iptables-persistent save
CentOS 6 and Older
On CentOS 6 and older—CentOS 7 uses FirewallD by default—you can use the iptables init script to save your iptables rules:
- sudo service iptables save
This will save your current iptables rules to the /etc/sysconfig/iptables
file, which gets loaded by iptables upon boot.
0 comments:
Post a Comment