Practical steps to persist and recover firewall rules using iptables-save and iptables-restore.

16.11.2025 | reading time: 3 min

Why recreate firewall rules by hand after a reboot when you can save and restore them reliably? This short guide shows the commands and a real example so the saved file becomes your single source of truth.

## Live example you can run

Create a minimal ruleset, inspect it, save it, flush and restore it to prove persistence. Run these commands exactly as shown to follow along, and do so from a local console or on a lab machine: with a default-drop policy, any remote session that no ACCEPT rule matches is cut off, including during the gap between the flush and the restore.

```bash
# Default-deny inbound, then allow new connections to TCP 2222
# and return traffic for connections that are already tracked.
sudo iptables -P INPUT DROP
sudo iptables -A INPUT -p tcp --dport 2222 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -L -n --line-numbers
```

Example output (illustrative):

```text
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 ctstate NEW
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED,RELATED
```

Save and restore:

```bash
sudo mkdir -p /etc/iptables
# The redirection must run as root as well, hence the root shell.
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
sudo iptables -F   # rules are gone, but the INPUT policy is still DROP
sudo sh -c 'iptables-restore < /etc/iptables/rules.v4'
```

## Key caveats and useful options

Remember that `iptables-save` emits a plaintext snapshot in the format `iptables-restore` expects, and that IPv6 uses `ip6tables-save`/`ip6tables-restore`. Restoring is atomic, so you can safely feed a file or the output of another program into `iptables-restore`. By default a restore flushes the existing rules in each table it loads; `-n` (`--noflush`) keeps them, and `-t` (`--test`) parses the file without committing it. Also consider file location and permissions, and hook restoration into systemd or the distribution's init scripts so rules survive reboots.

## When and where to apply this

Use save/restore for reproducible lab images, rapid recovery after mistakes, emergency rollback during upgrades and automated deployments. For NAT rules, ensure you saved the correct table (the save output covers all tables unless filtered), and test in a maintenance window because rule order affects behavior.
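If the saved file is the single source of truth, it helps to check that it is complete and that the running rules still match it. The sketch below is an added example, not part of the original article: the function names and sample file names are hypothetical, the sample ruleset is constructed, and it compares two `iptables-save` snapshots after removing timestamps and packet counters.

```bash
# Added example, not from the article: drift check for a saved ruleset.

# Strip what changes between runs without changing the rules: the
# "# Generated/Completed" comments and the [packets:bytes] counters.
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/^\(:[^ ]* [^ ]*\) \[[0-9]*:[0-9]*\]$/\1 [0:0]/' \
        -e 's/^\[[0-9]*:[0-9]*\] //'
}

# Succeed only if the file has at least one "*table" section and every
# section is closed by COMMIT (a truncated file fails here).
tables_committed() {
    awk '/^\*/      { if (opened) bad = 1; opened = 1; n++ }
         /^COMMIT$/ { if (!opened) bad = 1; opened = 0 }
         END        { exit (bad || opened || !n) }' "$1"
}

# Print a unified diff of two normalized snapshots; return 0 if identical.
rules_drift() {
    a=$(mktemp) b=$(mktemp) rc=0
    normalize_rules < "$1" > "$a"
    normalize_rules < "$2" > "$b"
    diff -u "$a" "$b" || rc=$?
    rm -f "$a" "$b"
    return "$rc"
}

# Constructed sample data, written into directory $1.
make_samples() {
    cat > "$1/saved.v4" <<'EOF'
# Generated by iptables-save v1.8.7 on Sun Nov 16 10:00:00 2025
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 2222 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sun Nov 16 10:00:00 2025
EOF
    # Same rules, later timestamp and non-zero counters: no real drift.
    sed -e 's/10:00:00/11:30:00/' -e 's/DROP \[0:0\]/DROP [42:2520]/' "$1/saved.v4" > "$1/live_same.v4"
    # A rule added by hand after the save: real drift.
    awk '/^COMMIT$/ { print "-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT" } { print }' \
        "$1/saved.v4" > "$1/live_drift.v4"
    # File cut off before COMMIT, as after an interrupted write.
    sed '/^COMMIT$/,$d' "$1/saved.v4" > "$1/truncated.v4"
}
```

On a real host, write the output of `sudo iptables-save` to a temporary file and pass it as the second argument to `rules_drift`, with `/etc/iptables/rules.v4` as the first.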

## Other tools you will meet

Higher-level managers and successors change the workflow: on many distributions `iptables-persistent` or a systemd unit will load saved files, `ufw` and `firewalld` manage rules with their own persistence, and `nftables` is the modern replacement that can import iptables rules in some setups.

## Wrap-up and next step

Saving and restoring iptables rules is a small habit that avoids downtime and manual drift; practice the commands, automate the restore on boot, then explore migration paths to nftables for longer-term maintenance, and consider formalizing knowledge with exams like CompTIA Linux+ or LPIC-1 using intensive preparation such as bitsandbytes.academy.