Tutorial

How To Migrate Iptables Firewall Rules to a New Server

Published on September 2, 2015
How To Migrate Iptables Firewall Rules to a New Server

Introduction

When migrating from one server to another, it is often desirable to migrate the iptables firewall rules as part of the process. This tutorial will show you how to easily copy your active iptables rule set from one server to another.

Prerequisites

This tutorial requires two servers. We will refer to the source server, which has the existing iptables rules, as Server A. The destination server, where the rules will be migrated to, will be referred to as Server B.

You will also need to have superuser, or sudo, access to both servers.

View Existing Iptables Rules

Before migrating your iptables rules, let’s see what they are set to. You can do that with this command on Server A:

  1. sudo iptables -S
Example output:
-P INPUT ACCEPT -P FORWARD ACCEPT -P OUTPUT ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -s 15.15.15.51/32 -j DROP

The example rules above will be used to demonstrate the firewall migration process.

Export Iptables Rules

The iptables-save command writes the current iptables rules to stdout (standard out). This gives us an easy way to export the firewall rules to file, by redirecting stdout to a file.

On the Server A, the one with the iptables rules that you want to migrate, use the iptables-save to export the current rules to a file named “iptables-export” like this:

  1. cd ~
  2. sudo iptables-save > iptables-export

This will create the iptables-export file, in your home directory. This file can be used on a different server to load the firewall rules into iptables.

View File Contents (Optional)

Let’s take a quick look at the file’s contents. We’ll use the cat command to print it out to the terminal:

  1. cat iptables-export
iptables-export contents:
# Generated by iptables-save v1.4.21 on Tue Sep 1 17:32:29 2015 *filter :INPUT ACCEPT [135:10578] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [8364:1557108] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -s 15.15.15.51/32 -j DROP COMMIT # Completed on Tue Sep 1 17:32:29 2015

As you can see, the file contains the configuration of the active iptables rules. Now we’re ready to copy this file to our destination server, Server B.

Copy Exported Rules to Destination Server

We need to copy the rules file to our destination server, Server B. The easiest way to do this is to use scp or to copy and paste the file contents to a new file on Server B. We will demonstrate how to use scp to copy the file over the network to the /tmp directory.

On Server A, run this scp command. Be sure to substitute the highlighted parts with your server’s login and IP address:

  1. scp iptables-export user@server_b_ip_address:/tmp

After providing proper authentication, the file will be copied to the /tmp directory on Server B. Note that the contents of /tmp are deleted upon a reboot—feel free to place it somewhere else if you want to preserve it.

Import Iptables Rules

With the exported rules on the destination server, you can load them into iptables. However, depending on your situation, you may want update the rules in the file with new IP addresses and ranges, and perhaps update interface names. If you want to change the rules before loading them, be sure to edit the /tmp/iptables-export file now.

Once you are ready to load the rules from the iptables-export file into iptables, let’s use the iptables-restore command to do so.

On Server B, the destination server, run this command to load the firewall rules:

  1. sudo iptables-restore < /tmp/iptables-export

This will load the rules into iptables. You can verify this with the sudo iptables -S command.

Save Rules

Iptables rules are ephemeral, so special care must be taken for them to persist after a reboot—it is likely that you will want to perform this step on Server B. We will show you how to save the rules on both Ubuntu and CentOS.

Ubuntu

On Ubuntu, the easiest way to save iptables rules, so they will survive a reboot, is to use the iptables-persistent package. Install it with apt-get like this:

  1. sudo apt-get install iptables-persistent

During the installation, you will asked if you want to save your current firewall rules. Response yes, if you want to save the current rule set.

If you update your firewall rules in the future, and want to save the changes, run this command:

  1. sudo invoke-rc.d iptables-persistent save

CentOS 6 and Older

On CentOS 6 and older—CentOS 7 uses FirewallD by default—you can use the iptables init script to save your iptables rules:

  1. sudo service iptables save

This will save your current iptables rules to the /etc/sysconfig/iptables file, which gets loaded by iptables upon boot.

Conclusion

Congratulations! Your firewall rules have been migrated from your original server to your new one.

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about our products


About the authors

Still looking for an answer?

Ask a questionSearch for more help

Was this helpful?
 
3 Comments


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Hi Mitchell, this is a really great, crystal clear and ultra useful tutorial! Saving oceans of time and effort! Thanks a lot and keep up your superb work!

p.s. in case one needs to changes some things (e.g. interface names, etc) after migrating the iptables rules from one server to the other, just edit the saved iptables file before importing … yeahoo!

What will happen if I save iptables configuration on a droplet A, then make an image and later on I create a new droplet based on my image ?

Nice article.

But this won’t work in most of the cases. You may need to change the name of ethernet. i.e eth0, eth1 etc

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Join the Tech Talk
Success! Thank you! Please check your email for further details.

Please complete your information!

Featured on Community

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more
DigitalOcean Cloud Control Panel