iptables rules are not saved across reboots

How do I get this fixed. Would supplying a sysV script to save/load iptables rules help ?

We generally prefer upstart over sysvinit.

You would probably need to cache the rules somewhere in /var/lib on
shutdown, and load them from /var/lib on startup.

Please see Debian bug 434107 for a reason why iptables init scripts have been removed (and no longer accepted) from the iptables package. Based on the reasons (which I haven't reviewed) it may better to mark this bug as won't fix in Ubuntu as well.

@Mathias, it seems Debian are routinely rejecting iptables restore scripts for some reason. Unfortunately the bug you mentioned doesn't really explain why, the guy on that bug was having trouble finding out exactly why it is being rejected as well

@kirkland, Thanks for the guidelines, definitely helpful

I don't know how much is it acceptable considering the different goals for Ubuntu to "differ" from Debian, but coming from a redhat background, saving/restoring iptables rules upon server boot is extremely customary. I couldn't believe that there really is no official way to get this done.

So my question now is, if I contribute an upstart job to save/load iptables rules, would it be accepted

I recommend talking to jdstrand.

I believe that such a hypothetical upstart script would perhaps belong in ufw.

ufw already has an upstart script and ufw is installed by default in Ubuntu as a Recommends of ubuntu-standard and therefore a part of all Ubuntu server installations. ufw can be used either via its cli command (man ufw), its framework (man ufw-framework) or a combination of both. People wanting to have a highly customized firewall can simply use /etc/ufw/*.rules and ignore the cli command completely (/etc/ufw/*rules use standard iptables-restore syntax and take care of all the heavy lifting of boot integration like making sure it is started before an interface comes up, etc, etc -- again, see 'man ufw-framework). Alternatively, there is shorewall which is also in main which may be better suited for a routing firewall depending on your needs.

As I recall, Debian used to provide this sort of script but it caused them a lot of grief. Their current view (I believe-- correct me if I'm wrong) is that iptables is intended to be a lowlevel tool only and it providing this sort of script a) gets in the way of other tools, like ufw, shorewall, firestarter, etc, and b) can not be flexible or robust enough for everyone's needs. Because I don't recall the full history (and others in this bug don't seem to either), I would be opposed to Ubuntu diverging from Debian on this point and potentially repeating history. People who want this functionality in iptables itself should work with Debian to find the best solution possible for Debian, Ubuntu and all their derivatives, after which we can sync with Debian.

Debian marked their bug as "Won't Fix" and we do not want to diverge from Debian on this point. Comment #6 explains in detail what users can do to apply rules across reboot.