When experimenting with firewall rules, it is essential to have a reliable way to revert to a known-good configuration. This article explains how to save the current iptables / ip6tables state, apply temporary changes, and restore the original rules if needed.
All commands shown below must be executed with root privileges.
1. Backing Up the Current Firewall Rules
The most reliable way to back up firewall rules is to use iptables-save and ip6tables-save. These commands dump the entire ruleset in a format suitable for restoration.
IPv4
iptables-save > /root/iptables.bak
IPv6
ip6tables-save > /root/ip6tables.bak
Optionally, you can include a timestamp for traceability:
iptables-save > /root/iptables.bak.$(date +%F_%H%M%S)
ip6tables-save > /root/ip6tables.bak.$(date +%F_%H%M%S)
2. Applying Temporary Changes
Once the backup is complete, you can safely experiment with firewall rules.
Example: temporarily allow SSH traffic (TCP port 22) at the top of the INPUT chain.
iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT
ip6tables -I INPUT 1 -p tcp --dport 22 -j ACCEPT
Verify the current ruleset:
iptables -S
ip6tables -S
Tip:
When working over SSH, always start with non-disruptive changes (such as adding ACCEPT or LOG rules) to avoid locking yourself out.
3. Restoring the Original Rules
If the changes do not behave as expected, you can restore the original configuration instantly using iptables-restore and ip6tables-restore.
iptables-restore < /root/iptables.bak
ip6tables-restore < /root/ip6tables.bak
Confirm that the rules have been restored:
iptables-save
ip6tables-save
4. Important Notes and Caveats
iptables-nft backend
On modern distributions, iptables may be backed by nftables (iptables-nft). The save/restore commands still work correctly and will update the nftables ruleset internally.
Firewall management services
If services such as firewalld or ufw are running, they may automatically overwrite manual changes.
Check their status before testing:
systemctl is-active firewalld
systemctl is-active ufw
Fail-safe recovery
For remote systems, consider scheduling an automatic rollback (e.g., via at or systemd-run) before applying risky rules. This ensures recovery even if network access is lost.
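As an added worked example (not part of the original article), the following POSIX shell script ties sections 1 through 4 together: it builds the timestamped backup paths from section 1, sanity-checks each dump before relying on it as a restore point, arms an automatic rollback with systemd-run as suggested under fail-safe recovery, and only then applies the section 2 change. The default backup directory, the 120-second delay, the fw-rollback unit name and the FW_DEMO, BACKUP_DIR and ROLLBACK_SECS variables are assumptions of this example, not part of the article.

```shell
#!/bin/sh
# Added example: back up, sanity-check and auto-roll-back an iptables/ip6tables
# ruleset. Defaults below are hypothetical and can be overridden via environment.
BACKUP_DIR="${BACKUP_DIR:-/root}"
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"

# Build the timestamped backup path used in the article, e.g.
# /root/iptables.bak.2024-01-31_120000.
# $1 = family prefix ("iptables" or "ip6tables"), $2 = timestamp
backup_path() {
    printf '%s/%s.bak.%s\n' "$BACKUP_DIR" "$1" "$2"
}

# Check a file produced by iptables-save / ip6tables-save before trusting it as
# a restore point: it must be non-empty, and every table header ("*filter",
# "*nat", ...) must be matched by a COMMIT line. iptables-restore rejects a
# truncated dump, which would leave you with no rollback at all.
# Returns 0 when the file looks restorable, 1 otherwise.
validate_ruleset_file() {
    file="$1"
    [ -s "$file" ] || return 1
    tables=$(grep -c '^\*' "$file" || true)
    commits=$(grep -c '^COMMIT$' "$file" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# Render the restore command line so it can be logged or inspected before it
# is scheduled. $1 = restore binary, $2 = backup file
rollback_command() {
    printf '%s < %s\n' "$1" "$2"
}

# Arm an unattended restore of both families after ROLLBACK_SECS seconds using
# a transient systemd timer. Prints the unit name; cancel the rollback with
# "systemctl stop <unit>.timer" once the experiment is confirmed good.
# Requires root. $1 = IPv4 backup, $2 = IPv6 backup
schedule_rollback() {
    unit="fw-rollback-$$"
    systemd-run --quiet --on-active="$ROLLBACK_SECS" --unit="$unit" \
        /bin/sh -c "$(rollback_command iptables-restore "$1"); $(rollback_command ip6tables-restore "$2")"
    echo "$unit"
}

# Full workflow: runs only when invoked as root with FW_DEMO=1, so the file can
# also be sourced for its functions without touching the firewall.
if [ "$(id -u)" = 0 ] && [ "${FW_DEMO:-0}" = 1 ]; then
    ts=$(date +%F_%H%M%S)
    v4=$(backup_path iptables "$ts")
    v6=$(backup_path ip6tables "$ts")
    iptables-save > "$v4"
    ip6tables-save > "$v6"
    if ! validate_ruleset_file "$v4" || ! validate_ruleset_file "$v6"; then
        echo "backup looks incomplete; not applying changes" >&2
        exit 1
    fi
    unit=$(schedule_rollback "$v4" "$v6")
    # The article's experiment: allow SSH at the top of INPUT.
    iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT
    ip6tables -I INPUT 1 -p tcp --dport 22 -j ACCEPT
    echo "rollback armed as $unit.timer; run 'systemctl stop $unit.timer' to keep the change"
fi
```

Run it as root with FW_DEMO=1 over the SSH session you are testing from. If the session survives and the rules behave, stop the timer to keep them; if you are locked out, the saved ruleset comes back by itself after the delay. The validation step is there because an empty or cut-off dump (a full disk, a typo in the redirection) passes silently at backup time but fails at restore time, which is exactly when you can least afford it.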
Conclusion
By using iptables-save and iptables-restore (and their IPv6 equivalents), you can safely experiment with firewall rules and always return to a stable baseline. This workflow is simple, fast, and highly recommended for both testing and troubleshooting scenarios.