how to load iptables configuration on boot?

Hi there!

I have a question regarding loading iptables configuration at boot.

I have made some changes to the iptables on my suse 10.3, and I’m trying to have those changes reloaded automatically every time I reboot.

So what I did was that I saved the changes to a file called iptables.1 and then I put this command in /etc/rc.d/boot.local

iptables-restore -c < /etc/sysconfig/iptables.1

But after the restart when I type this command:

iptables -L INPUT

I should see the changes I’ve made to iptables, but they don’t seem to have loaded.

I tried putting these two lines in /etc/rc.d/boot.local:

iptables-restore -c < /etc/sysconfig/iptables.1
iptables -L INPUT

And during the bootup I can see the output from iptables -L INPUT, and it shows that the changes that I made to iptables are restored. But for some reason iptables seems to load some default configuration sometime during the boot, and after that I use the iptables-restore command.

Now I tried making a script and putting it in /etc./rc.d/, then enabling it in “system services(runlevel)” in yeast, set to run on runlevel 5. This had no effect and iptables just loaded some default settings again.

Anyone know how I can properly save and reload the iptables configuration on each reboot? Or even how I can overwrite the default settings which it seems to load everytime?

p.s. my first post here, so hi there folks! :wink:

Frímann Kjerúlf

Probably your changes are being overwritten by SuSEfirewall2 which is started later. You should try to work within that firewall framework, or disable it.

have you tried guarddog ?

its available in the network utilities repository.

it should be easier to configure a profile with that.

I’m planning to use SSHBLOCK or SSHDFILTER to automatically block ip’s that are hammering my ssh port trying to bruteforce their way in (by guessing the username/password).

I believe that both these programs use iptables to block the ip.

I’m wondering, would it be safe to turn off the firewall? I’m running a home network where I trust all my users. The only ports that are forewarded to the outside are port 22 and port 80. Sounds to me that the firewall isn’t serving any purpose?


You can avoid such hits by moving the ssh port to some other value. This can be done with the portforwarding rule at your perimeter firewall so that you can continue to use port 22 on your LAN. Even better still if you can switch to public key authentication but this requires you to have the public key whenever you want to connect from the outside.

You’re probably ok to use the perimeter firewall only. Just keep an eye on the webserver for app weaknesses.


There is an option in the /etc/sysconfig/SuSEfirewall2 (FW_CUSTOMRULES) which allows you to specify a file which contains custom firewall rules. it is recommend to edit /etc/sysconfig/scripts/SuSEfirewall2-custom and add your custom rules there.

As an alternative to the mentioned methods above (public key authentication, use a different port) you can use port knocking but maybe this makes the use in the local network more uncomfortable :wink:

  • write bash scirpt with your iptables rules
    (don’t forget to add rules for lo interface),
  • cp <yourscriptname> /etc/init.d,
  • inssrv <yourscriptname>.

chkconfig --list | grep <yourscriptname>

I just spent a day try to get openSUSE11.0 to load some custom iptables settings in conjunction with the SUSEfirewall at boot. I’ve got it working now so I thought I’d share:

  1. forget about trying to set up a script to run like a service with chkconfig. It just won’t work (even with S99!). I suspect the firewall flushes the settings later, after these rc.d scripts are executed, it’s not clear how or why the settings get ignored but trust me - they will be ignored.

  2. You’ll need to edit /etc/sysconfig/scripts/SuSEfirewall2-custom. Put the custom iptables commands where appropriate, details are given in the file itself. Do read what is in the file because there is no man page for this.

  3. Edit






What I wanted this for was to get postfix to listen on another port as well as 25. Fiddling with postfix itself can produce an open relay and so is not advised. A more elegant solution is to use iptables with the following command:

iptables -t nat -A PREROUTING -p tcp --dport 1025 -j REDIRECT --to-ports 25

The three steps above show how I got the custom port mapping rule to auto load at boot. If you don’t follow the steps then the settings are lost on reboot - a common complaint.

Matteus Blanc

I actually did manage to restrict login attempts here, and described it a little bit here.

It is a little disjointed but contains the fundamentals. Perhaps this will help someone. Do think something like this should be in the wiki. Also needs updating but I suspect little has really changed.

How To Add Additional Ip Rules To Suse Firewall - openSUSE Forums