Thoughts

19 Oct: Persistent iptables on Debian

Persistent iptables on Debian works a little differently from RHEL. RHEL has a file /etc/sysconfig/iptables and an init script (iptables-restore) to load those rules at boot time. Debian instead has an additional package, iptables-persistent, which restores the rules held at /etc/iptables/rules.v4 at boot time via the systemd unit "iptables-persistent". In either case, if you update the running ruleset (add, insert or delete rules) you'll need to run iptables-save, writing to the correct location, to preserve the rules for the next boot. Both OSs have helpers for this:
service iptables save
netfilter-persistent save
This takes care of keeping the rules persistent across reboots. It's also worth noting how iptables updates the in-kernel ruleset. For example, consider this command to insert a new rule:
iptables -t filter -I INPUT 1 -s 192.168.5.200 -j DROP
You might think this would simply add the rule to the running ruleset; behind the scenes, however, this happens:
  1. Get the full existing ruleset from the kernel (all tables)
  2. In userspace, edit the ruleset to add this rule into the appropriate table
  3. Save the resulting ruleset back to the kernel
With a small ruleset, or with few changes, this is no problem. If the ruleset is very complex and is updated very often, for example automatically (e.g. by fail2ban), then the overhead of updating rules can be a factor. If you already have the ruleset saved to disk, it is faster to edit that file and restore from it using iptables-restore (or the helper service), as steps 1 and 2 are no longer needed. The next step along the road is the replacement for iptables, nftables, which fixes this design and provides a bunch of other stuff. We'll leave that for another day!
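As an added example (not code from the original post), here is the edit-the-saved-file shortcut in POSIX sh: a function that performs the text equivalent of the iptables -I command above on an iptables-save-format file, run against a constructed sample ruleset, so that the result can be loaded with a single iptables-restore. The function name, the sample rules and the error handling are my own assumptions, not part of iptables or Debian.

```shell
#!/bin/sh
# Added example (not from the original post): apply the post's shortcut by editing
# the saved ruleset (iptables-save format, e.g. /etc/iptables/rules.v4) as text and
# loading it with one iptables-restore, instead of the fetch/edit/replace cycle.
set -e

# insert_saved_rule FILE TABLE CHAIN POS RULE...
# Text equivalent of "iptables -t TABLE -I CHAIN POS RULE": prints FILE with
# "-A CHAIN RULE" as the POS-th rule of CHAIN inside "*TABLE". Like iptables,
# it refuses a POS greater than the current rule count + 1.
insert_saved_rule() {
    file=$1 table=$2 chain=$3 pos=$4
    shift 4
    awk -v table="$table" -v chain="$chain" -v pos="$pos" -v rule="-A $chain $*" '
        /^\*/ { intable = ($0 == "*" table); if (intable) seen = 1; n = 0; done = 0 }
        intable && !done && $1 == "-A" && $2 == chain {
            n++
            if (n == pos) { print rule; done = 1 }
        }
        intable && !done && $0 == "COMMIT" {
            if (n == pos - 1) { print rule; done = 1 }
            else { print "position " pos " too big for " chain > "/dev/stderr"; exit 1 }
        }
        { print }
        END { if (!seen) { print "no table " table > "/dev/stderr"; exit 1 } }
    ' "$file"
}

# Constructed sample in iptables-save format, not a real host's rules.
SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

# demo POS: insert the post's DROP rule for 192.168.5.200 at POS in the sample.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE" > "$tmp"
    insert_saved_rule "$tmp" filter INPUT "$1" -s 192.168.5.200 -j DROP
    status=$?; rm -f "$tmp"; return $status
}
demo 1
```

On a Debian host the same edit is applied with `insert_saved_rule /etc/iptables/rules.v4 filter INPUT 1 -s 192.168.5.200 -j DROP > /etc/iptables/rules.v4.new`, checked with `iptables-restore --test /etc/iptables/rules.v4.new`, then moved into place and loaded with `iptables-restore < /etc/iptables/rules.v4`.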
© 2017