ip6tables-save

Save current IPv6 firewall rules

TLDR

View documentation for the original command

$ tldr iptables-save

SYNOPSIS

ip6tables-save [-c] [-x] [-f filename]

PARAMETERS

-c, --counters
    Include packet and byte counters in the output

-x, --exact
    Expand numbers to exact values (not human-readable)

-f filename, --file filename
    Write rules to filename instead of stdout

DESCRIPTION

ip6tables-save is a command-line utility used to dump the current IPv6 firewall ruleset from the Linux kernel's netfilter tables to standard output or a specified file. It captures rules from all chains in the filter, nat, mangle, raw, and security tables, producing output in a format compatible with ip6tables-restore for easy backup and restoration.

This tool is crucial for system administrators managing IPv6 firewalls, enabling persistent configuration across reboots. By default, it excludes packet and byte counters to produce compact output. The saved rules include chain policies, user-defined chains, and detailed match/target specifications, preserving the exact state of the firewall.

Typically invoked with superuser privileges, it integrates seamlessly with init scripts or systemd services for automated rule loading. Output is plain text, making it scriptable and version-control friendly. Note that rules are kernel-dependent, so compatibility requires matching iptables versions.

CAVEATS

Requires root privileges.
Output may not be portable across kernel or iptables versions due to syntax changes.
Counters are reset on rule reload.

COMMON USAGE

ip6tables-save > /etc/ip6tables.rules
ip6tables-restore < /etc/ip6tables.rules
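
Because the dump is plain text, a saved rules file can also serve as a baseline for spotting unexpected firewall changes. The script below is an added example, not part of the original page or the iptables project: the function names and the sample dumps are constructed for illustration. It strips the parts of a dump that vary between runs (timestamp comments and packet/byte counters) and diffs what remains.

```shell
#!/bin/sh
# Added example, not from the original page: drift check for saved IPv6 rules.

# Strip what changes between dumps without changing policy: comment lines
# (they carry a timestamp) and [packets:bytes] counters, found on chain lines
# and, when the dump was taken with -c, in front of every rule.
normalize_dump() {
    sed -e '/^#/d' -e 's/^\[[0-9]*:[0-9]*] //' -e 's/ \[[0-9]*:[0-9]*]$//'
}

# ruleset_drift BASELINE CURRENT: print a unified diff of the normalized
# dumps. Returns 0 when the rules match, 1 when they differ, 2 on error.
ruleset_drift() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    _b=$(mktemp) && _c=$(mktemp) || return 2
    normalize_dump < "$1" > "$_b"
    normalize_dump < "$2" > "$_c"
    _rc=0; diff -u "$_b" "$_c" || _rc=$?
    rm -f "$_b" "$_c"
    return "$_rc"
}

# Constructed samples (not captured from a real host): a baseline, the same
# rules dumped again with counters, and a copy with one extra rule.
write_samples() {
    cat > "$1/baseline.rules" <<'EOF'
# Generated by ip6tables-save on <constructed date 1>
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
    sed -e 's/date 1/date 2/' -e 's/\[0:0]/[41:3280]/' \
        -e 's/^-A /[7:560] -A /' "$1/baseline.rules" > "$1/same.rules"
    sed '/--dport 22/a\
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT' "$1/baseline.rules" > "$1/changed.rules"
}

# Demo on the samples. On a real host, compare the saved file with a fresh
# dump instead (as root): ip6tables-save > live.rules
tmp=$(mktemp -d) && write_samples "$tmp"
ruleset_drift "$tmp/baseline.rules" "$tmp/same.rules" && echo "same.rules: no drift"
ruleset_drift "$tmp/baseline.rules" "$tmp/changed.rules" || echo "changed.rules: drift"
rm -rf "$tmp"
```

A non-zero return from `ruleset_drift` in a scheduled job is a signal to review the printed diff before the saved file is overwritten or restored.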

TABLES COVERED

Dumps all: filter, nat, mangle, raw, security

HISTORY

Developed as part of the netfilter project for IPv6 support in Linux kernel 2.6 (2003). Maintained by the iptables team; largely superseded by nftables in modern distributions since kernel 3.13.
