Safely Backing Up and Restoring iptables and ip6tables Rules on Linux

When experimenting with firewall rules, it is essential to have a reliable way to revert to a known-good configuration. This article explains how to save the current iptables / ip6tables state, apply temporary changes, and restore the original rules if needed.

All commands shown below must be executed with root privileges.


1. Backing Up the Current Firewall Rules

The most reliable way to back up firewall rules is to use iptables-save and ip6tables-save. These commands dump the entire ruleset in a format suitable for restoration.

IPv4

iptables-save > /root/iptables.bak

IPv6

ip6tables-save > /root/ip6tables.bak

Optionally, you can include a timestamp for traceability:

iptables-save  > /root/iptables.bak.$(date +%F_%H%M%S)
ip6tables-save > /root/ip6tables.bak.$(date +%F_%H%M%S)

2. Applying Temporary Changes

Once the backup is complete, you can safely experiment with firewall rules.

Example: temporarily allow SSH traffic (TCP port 22) at the top of the INPUT chain.

iptables  -I INPUT 1 -p tcp --dport 22 -j ACCEPT
ip6tables -I INPUT 1 -p tcp --dport 22 -j ACCEPT

Verify the current ruleset:

iptables  -S
ip6tables -S

Tip: When working over SSH, always start with non-disruptive changes (such as adding ACCEPT or LOG rules) to avoid locking yourself out.


3. Restoring the Original Rules

If the changes do not behave as expected, you can restore the original configuration instantly using iptables-restore and ip6tables-restore.

iptables-restore  < /root/iptables.bak
ip6tables-restore < /root/ip6tables.bak

Confirm that the rules have been restored:

iptables-save
ip6tables-save

4. Important Notes and Caveats

  • iptables-nft backend: On modern distributions, iptables may be backed by nftables (iptables-nft). The save/restore commands still work correctly and will update the nftables ruleset internally.

  • Firewall management services: If services such as firewalld or ufw are running, they may automatically overwrite manual changes. Check their status before testing:

    systemctl is-active firewalld
    systemctl is-active ufw

  • Fail-safe recovery: For remote systems, consider scheduling an automatic rollback (e.g., via at or systemd-run) before applying risky rules. This ensures recovery even if network access is lost.
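The whole workflow (timestamped backup, sanity check of the dump, automatic rollback armed with systemd-run before the experimental change, rollback cancelled once the change is confirmed) as one script. This is an added example, not part of the gist; the backup directory, the unit name iptables-rollback and the 300-second timeout are assumptions. Run it as root with `sh fw-experiment.sh run`.

```sh
#!/bin/sh
# Added example (not from the gist): back up, verify the dump, arm a rollback
# timer, apply the change from section 2, then disarm once confirmed.
# BACKUP_DIR, ROLLBACK_SECONDS and UNIT are assumptions, adjust as needed.
set -eu

BACKUP_DIR=${BACKUP_DIR:-/root}
ROLLBACK_SECONDS=${ROLLBACK_SECONDS:-300}
UNIT=iptables-rollback   # transient systemd unit name (assumption)

# A usable dump has at least one table header (*filter, *nat, ...) and a
# COMMIT line; an empty or truncated file must never be fed to *-restore.
backup_is_sane() {
    [ -s "$1" ] && grep -q '^\*' "$1" && grep -q '^COMMIT$' "$1"
}

# Save both rulesets under one timestamp, check them, print the timestamp.
backup_rules() {
    stamp=$(date +%F_%H%M%S)
    iptables-save  > "$BACKUP_DIR/iptables.bak.$stamp"
    ip6tables-save > "$BACKUP_DIR/ip6tables.bak.$stamp"
    backup_is_sane "$BACKUP_DIR/iptables.bak.$stamp"
    backup_is_sane "$BACKUP_DIR/ip6tables.bak.$stamp"
    echo "$stamp"
}

# One-shot timer: restore the named backup after ROLLBACK_SECONDS even if
# the SSH session is gone. systemd-run creates $UNIT.timer and $UNIT.service.
schedule_rollback() {
    systemd-run --unit="$UNIT" --on-active="$ROLLBACK_SECONDS" /bin/sh -c \
        "iptables-restore < '$BACKUP_DIR/iptables.bak.$1' && \
         ip6tables-restore < '$BACKUP_DIR/ip6tables.bak.$1'"
}

# Disarm the timer once the new rules are confirmed to be harmless.
cancel_rollback() { systemctl stop "$UNIT.timer"; }

main() {
    stamp=$(backup_rules)
    schedule_rollback "$stamp"
    # The experimental change from section 2: allow SSH at the top of INPUT.
    iptables  -I INPUT 1 -p tcp --dport 22 -j ACCEPT
    ip6tables -I INPUT 1 -p tcp --dport 22 -j ACCEPT
    iptables -S INPUT | head -n 3
    printf 'Rollback armed for %ss; press Enter to keep the change: ' "$ROLLBACK_SECONDS"
    read -r _ && cancel_rollback
}

# Only act when explicitly asked, so sourcing the file just defines functions.
if [ "${1:-}" = run ]; then main; fi
```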


Conclusion

By using iptables-save and iptables-restore (and their IPv6 equivalents), you can safely experiment with firewall rules and always return to a stable baseline. This workflow is simple, fast, and highly recommended for both testing and troubleshooting scenarios.
