iptables restart tip - How to make your Linux iptables firewall automatically restart after a reboot

iptables restart FAQ: How do I make my iptables firewall start/restart after I reboot my Linux system?

I was going to write a tutorial about configuring a firewall on a Linux system using iptables, but then I found this great CentOS iptables tutorial, and I think they really nailed it.

The only thing I think they didn't fully cover is how you get your Linux iptables firewall to start up again properly after your Linux system is rebooted (which is kind of a huge deal). To that end, I thought I'd describe the process of getting your iptables firewall to restart after a system reboot.

And -- as an added bonus -- this same process will help you get any Linux service to automatically start after a reboot.

iptables firewall restart - assumptions

This iptables firewall tutorial makes several assumptions:

  1. You've already run your desired Linux iptables command, as shown in the linked page above.
  2. You have an iptables script in the /etc/rc.d/init.d directory.
  3. That iptables script is executable.

On my CentOS Linux server, the iptables script in the /etc/rc.d/init.d directory came with the initial operating system installation, but I don't know how other Linux distributions may work.

iptables restart - how to see if iptables is set to automatically start

Following those assumptions, the first step in our process is to see if this iptables script is already set to automatically start when your system is rebooted. If it is, there's nothing else you'll have to do (except configure your firewall, of course).

You can check to see if the iptables script is already configured to automatically start by running this Linux chkconfig command:

chkconfig --list iptables

If your iptables firewall script is configured to restart properly, the chkconfig command output should look like this:

iptables   0:off  1:off  2:on  3:on  4:on  5:on  6:off

The most important values are the on values for the run levels 2, 3, 4, and 5. If your values are "on" as shown, and you followed the instructions in the article I linked to above, congratulations, your firewall should start up automatically after a reboot. Of course you need to test this, but at this point, things look fine.

However, if all your values are "off", iptables will not automatically start up after a reboot, and you should keep reading this article.

Automatically start your Linux firewall after a reboot

Assuming all of your values are off, you need to turn them "on" to get iptables running after a reboot. You turn these values on by running the following two chkconfig commands.

First, run the chkconfig --add command like this:

chkconfig --add iptables

As the chkconfig man page states, this option "adds a new service for management by chkconfig. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel."

Next, you tell your Linux system that the iptables script should be run when the system gets to run levels 2 through 5 by issuing this chkconfig command:

chkconfig --level 2345 iptables on

Again, this command tells your Linux system that you want the iptables script to be run whenever the system goes into one of these runlevels. It is similar to you typing in this command manually every time your server starts up:

service iptables start

except that it's run automatically for you.

Now, if you run the chkconfig --list command again:

chkconfig --list iptables

your output should now look like this:

iptables   0:off  1:off  2:on  3:on  4:on  5:on  6:off

This is what you want to see: the "on" values in runlevels two through five.

Linux iptables firewall - Viewing your iptables firewall settings after a reboot

Assuming that you configured your iptables firewall properly, you should now be ready to reboot your system. When you log in after the reboot and check your iptables firewall with a command like this:

iptables -L -v

you should see the expected output. (This output will be different for different firewall configurations, so I'm not showing any here.)

You can also run this command again to make sure you still see the same "on" results:

chkconfig --list iptables
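
As an added example (not part of the original article), the shell function below parses a chkconfig --list line in the format shown above and reports which of runlevels 2 through 5 are not "on", so the post-reboot check can be scripted. The function names and the sample line are constructed for illustration; the sample is used only when chkconfig is not installed.

```shell
#!/bin/sh
# Added example: script the "is iptables on in runlevels 2-5?" check.
# Function names and the sample line are constructed for illustration.
# Constructed sample in the format shown in this article (all runlevels off).
SAMPLE_OFF='iptables   0:off  1:off  2:off  3:off  4:off  5:off  6:off'

# missing_runlevels LINE [LEVELS]
# Prints the LEVELS (default "2 3 4 5") that are not "on" in LINE.
# Returns 0 = all on, 1 = some off, 2 = no runlevel fields in LINE.
missing_runlevels() {
    line=$1
    required=${2:-"2 3 4 5"}
    case $line in
        *[0-6]:on*|*[0-6]:off*) ;;
        *) return 2 ;;          # error text, or service never added
    esac
    missing=""
    for lvl in $required; do
        state=""
        for field in $line; do   # split the line on whitespace
            case $field in
                "$lvl":*) state=${field#*:} ;;
            esac
        done
        [ "$state" = "on" ] || missing="$missing $lvl"
    done
    missing=${missing# }
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# report LINE: print a one-line verdict and return the status from above.
report() {
    off=$(missing_runlevels "$1") && rc=0 || rc=$?
    case $rc in
        0) echo "OK: on in runlevels 2-5" ;;
        1) echo "FAIL: off in runlevel(s): $off" ;;
        *) echo "FAIL: no runlevel entries found" ;;
    esac
    return "$rc"
}

# Use the real command when present, otherwise the constructed sample.
input=$SAMPLE_OFF
if command -v chkconfig >/dev/null 2>&1; then
    input=$(chkconfig --list iptables 2>&1) || :
fi
report "$input" || echo "apply the chkconfig --add and --level 2345 steps"
```
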

Linux chkconfig command reference

As a quick point of reference, if you type chkconfig --help, you should see the following output:

# chkconfig --help

chkconfig version - Copyright (C) 1997-2000 Red Hat, Inc.
This may be freely redistributed under the terms of the GNU Public License.

usage:   chkconfig --list [name]
         chkconfig --add <name>
         chkconfig --del <name>
         chkconfig [--level <levels>] <name> <on|off|reset|resetpriorities>

This shows the Linux chkconfig command arguments that are available, including the --list, --add, and --level arguments shown in this tutorial.

You can also refer to the CentOS Linux chkconfig man page on our server.

Linux version information

This article was tested with a CentOS "Linux version 2.6.18-53.el5" server. You can check your version with the following command:

cat /proc/version