  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 882
How to create persistent iptables rule to allow ssh to a specified address on Ubuntu 12.04?

Greetings,

I am working with iptables on Ubuntu 12.04. I would like to configure the iptables rules so that ssh is only allowed from one specific address. When I enter the following, it works:

sudo iptables -A INPUT -p tcp -s a.b.c.d --dport ssh -j ACCEPT

With that rule in place I can establish an ssh connection from the specified address.

Now I want to make the rule persistent, so that it still works after a reboot. I add this line to the /etc/rc.local file:

/sbin/iptables -A INPUT -p tcp -s a.b.c.d --dport ssh -j ACCEPT


Then I reboot and it does not work. Can anyone tell me why this does not work and what I must do to make the rule persistent?
Asked by bradber

2 Solutions

dec0mpile commented:
You need to have a package called iptables-persistent to accomplish this.

AFTER you add the rule that works:
sudo iptables -A INPUT -p tcp -s a.b.c.d --dport ssh -j ACCEPT


Install the package: sudo apt-get install iptables-persistent
Start the service: sudo service iptables-persistent start

And now the iptables rules will remain intact after reboot.

comfortjeanius commented:
During installation of iptables-persistent, you will be prompted whether you want to save the current iptables rules or not.

This package will make Ubuntu's iptables rules persistent by storing iptables rules in:

  • /etc/iptables/rules.v4 for IPv4 rules
  • /etc/iptables/rules.v6 for IPv6 rules

Any of those rules will be reloaded into the current iptables rules during restart. You can save your current iptables rules manually by using the following command:

# run this as root: the redirection is done by your shell, so "sudo iptables-save > file" alone fails
iptables-save > /etc/iptables/rules.v4

or

# ip6tables-save dumps the IPv6 tables; iptables-save only covers IPv4
ip6tables-save > /etc/iptables/rules.v6


 
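Putting the two answers together, here is an added example (my own script, not code from either commenter, from the asker, or from the iptables-persistent package): a POSIX sh script that generates the rules.v4 and rules.v6 files iptables-persistent loads at boot and, on request, applies them immediately. It assumes a hypothetical admin address 203.0.113.10 (RFC 5737 documentation range), SSH on port 22 and the default /etc/iptables directory; change ADMIN_HOST, SSH_PORT and RULES_DIR for your site. Two points the thread leaves implicit are built in: a lone ACCEPT rule restricts nothing unless the INPUT policy (or a later rule) drops everything else, and a rule appended with -A lands behind whatever is already in the chain, so if an earlier rule already rejects the packet the new ACCEPT is never reached. The script also writes a default-drop rules.v6, because an sshd that listens on IPv6 with an empty rules.v6 bypasses the IPv4 restriction entirely.

```shell
#!/bin/sh
# Added example, not from the thread: build the rule files that
# iptables-persistent restores at boot, admitting SSH from one address only.
# Assumed values (hypothetical, replace for your site): ADMIN_HOST 203.0.113.10,
# SSH on 22, files under /etc/iptables.
ADMIN_HOST="${ADMIN_HOST:-203.0.113.10}"
SSH_PORT="${SSH_PORT:-22}"
RULES_DIR="${RULES_DIR:-/etc/iptables}"

# Reject anything that is not a dotted-quad IPv4 address with an optional
# /prefix, so a placeholder such as a.b.c.d never becomes a rule that
# matches nobody and silently leaves you locked out.
valid_ipv4() {
  addr=${1%%/*}
  prefix=${1#*/}
  [ "$prefix" = "$1" ] && prefix=32
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# IPv4 ruleset in iptables-save format. The INPUT policy is DROP, so the one
# ACCEPT for $1 is what admits SSH. Order matters: iptables takes the first
# matching rule, which is why appending (-A) behind an existing reject rule
# changes nothing. Denied SSH attempts are logged, rate limited.
render_rules_v4() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s $1 --dport $2 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport $2 -m limit --limit 5/min -j LOG --log-prefix "ssh-denied: " --log-level 4
COMMIT
EOF
}

# IPv6 companion: if sshd also listens on :: and rules.v6 is empty, the IPv4
# restriction is bypassed over IPv6. Drop by default; keep loopback, replies
# and ICMPv6 (neighbour discovery stops working without it).
render_rules_v6() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
COMMIT
EOF
}

# Write both files; iptables-persistent restores them on the next boot.
write_rules() {
  valid_ipv4 "$ADMIN_HOST" || { echo "bad ADMIN_HOST: $ADMIN_HOST" >&2; return 1; }
  mkdir -p "$RULES_DIR"
  render_rules_v4 "$ADMIN_HOST" "$SSH_PORT" > "$RULES_DIR/rules.v4"
  render_rules_v6 > "$RULES_DIR/rules.v6"
}

# Load the files now and confirm the admit rule is live: iptables -C exits 0
# only when an identical rule exists in the chain.
apply_rules() {
  iptables-restore < "$RULES_DIR/rules.v4"
  ip6tables-restore < "$RULES_DIR/rules.v6"
  iptables -C INPUT -p tcp -s "$ADMIN_HOST" --dport "$SSH_PORT" \
    -m conntrack --ctstate NEW -j ACCEPT
}

case "${1:-render}" in
  render) render_rules_v4 "$ADMIN_HOST" "$SSH_PORT" ;;
  write)  write_rules ;;
  apply)  write_rules && apply_rules ;;
esac
```

Run `sh ssh-allow.sh render` to inspect the ruleset, `sudo sh ssh-allow.sh write` to stage it for the next boot, and `sudo sh ssh-allow.sh apply` to load it now. Apply it from the admin host itself: existing sessions survive through the ESTABLISHED rule, but the next connection from anywhere else is dropped, and a typo in ADMIN_HOST locks you out at the next login. The `iptables -C` check needs iptables 1.4.11 or later (Ubuntu 12.04 ships 1.4.12).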
bradber (author) commented:
Thanks to both of you for your helpful comments. I ended up solving the problem by using the same ACCEPT rule that I originally tried, but moving it to the top of the rc.local file.

However, I think the iptables-persistent package looks useful and plan to explore that option in the future. Your help is appreciated!