ip6tables-save
Save current IPv6 firewall rules
SYNOPSIS
ip6tables-save [-c|--counters] [-t table|--table table] [-f file|--file file]
PARAMETERS
-c, --counters
Includes the current values of packet and byte counters for each rule in the output. This can be useful for debugging, auditing, or monitoring traffic flow through specific firewall rules.
-t table, --table table
Specifies which Netfilter table to dump. If this option is omitted, ip6tables-save will dump rules from all available tables. Common tables include filter (default firewalling), nat (Network Address Translation), mangle (packet alteration), raw (connection tracking exceptions), and security (SELinux integration).
-f file, --file file
Writes the output directly to the specified file instead of standard output (stdout). While functionally equivalent to shell redirection (e.g., ip6tables-save > file), this option is provided for convenience.
DESCRIPTION
ip6tables-save is a utility used to dump the current IPv6 firewall rules from the Linux kernel's Netfilter tables to standard output. These rules are crucial for network security, defining how incoming and outgoing IPv6 traffic is processed. The command effectively creates a textual representation of the active firewall state, including all chains and rules within them. The output is specifically formatted to be directly compatible with the ip6tables-restore command, making it an indispensable tool for system administrators. It is commonly used for backing up existing firewall configurations, migrating rules between different Linux systems, or setting up persistent firewall rules that load automatically upon system boot, ensuring that your IPv6 network remains secured after a reboot.
CAVEATS
ip6tables-save typically requires root privileges to access and read the kernel's Netfilter tables, otherwise it may report permission errors or no rules.
The output format is highly specific and optimized for consumption by ip6tables-restore. Manual editing of the saved file is possible but requires a deep understanding of ip6tables rule syntax and Netfilter table structure; incorrect modifications can lead to parsing errors or firewall misconfigurations.
The command only saves the active rules; it does not manage or save related kernel modules, network interfaces, or other system configurations that might be necessary for the rules to function correctly. These must be managed separately.
COMMON USAGE FOR PERSISTENCE
A very common usage pattern for ip6tables-save is to save the current rules to a file to ensure persistence across system reboots. For example: sudo ip6tables-save -f /etc/ip6tables/rules.v6. The -f option is used here because in sudo ip6tables-save > file the redirection is performed by the invoking shell, not by sudo, so it fails when that shell cannot write to the target directory. Subsequently, a system service (such as those provided by the netfilter-persistent package or a custom systemd unit) can be configured to load these saved rules automatically at boot time using ip6tables-restore.
OUTPUT FILE FORMAT
The output file generated by ip6tables-save follows a specific, structured format. Each table section begins with a line like *table_name (e.g., *filter, *nat), followed by chain declarations of the form :CHAIN_NAME POLICY [PACKETS:BYTES] (built-in chains carry their policy; user-defined chains show - in its place) and then the rules themselves (e.g., -A CHAIN_NAME -i eth0 -j ACCEPT). Each table section concludes with a COMMIT line, which signals ip6tables-restore to apply all the preceding rules for that specific table atomically. This structured format ensures reliable and efficient loading of firewall rules.
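The format described above, and the manual-editing risk noted under CAVEATS, can be checked with a small structural linter run before a saved file is loaded. This is an added example, not part of ip6tables: parse_rules is a hypothetical helper and SAMPLE is constructed input.

```python
import re

# Added example: SAMPLE is constructed (ip6tables-save -c style); parse_rules is a hypothetical helper.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [41:3280]
:SSH_IN - [0:0]
[3:240] -A INPUT -p tcp -m tcp --dport 22 -j SSH_IN
[3:240] -A SSH_IN -s 2001:db8::/32 -j ACCEPT
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")
RULE_RE = re.compile(r"^(?:\[(\d+):(\d+)\] )?-A (\S+) (.*)$")

def parse_rules(text):
    """Return ({table: {"chains": {...}, "rules": [...]}}, problems) for a saved file."""
    tables, problems, cur = {}, [], None
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            if cur is not None:
                problems.append(f"line {no}: table {cur} has no COMMIT")
            cur = line[1:]
            tables[cur] = {"chains": {}, "rules": []}
        elif line == "COMMIT":
            if cur is None:
                problems.append(f"line {no}: COMMIT outside a table")
            cur = None
        elif cur is None:
            problems.append(f"line {no}: content outside a table")
        elif (m := CHAIN_RE.match(line)):
            tables[cur]["chains"][m[1]] = m[2]
        elif (m := RULE_RE.match(line)):
            if m[3] not in tables[cur]["chains"]:
                problems.append(f"line {no}: rule for undeclared chain {m[3]}")
            tables[cur]["rules"].append((m[3], m[4]))
        else:
            problems.append(f"line {no}: unrecognised line")
    if cur is not None:
        problems.append(f"end of file: table {cur} has no COMMIT")
    return tables, problems

if __name__ == "__main__":
    print(parse_rules(SAMPLE))
```

The linter checks structure only (table headers, chain declarations, COMMIT); rule syntax itself is still validated by ip6tables-restore, whose --test option parses a file without committing it.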
HISTORY
ip6tables-save is an integral component of the Netfilter project, which provides the advanced packet filtering and NAT framework within the Linux kernel. It was developed as the IPv6 counterpart to the established iptables-save utility, responding to the growing adoption of IPv6 and the need for consistent firewall management across IP versions. Its introduction was crucial for enabling system administrators to persist and reproduce IPv6 firewall configurations reliably, making it a fundamental tool for maintaining robust network security policies on Linux systems since its inception as part of the ip6tables suite.
SEE ALSO
ip6tables(8), ip6tables-restore(8), iptables(8), iptables-save(8), netfilter(7), systemctl(1)