iptables-restore
Restore iptables rules from saved configuration
TLDR
Restore the iptables configuration from a file
SYNOPSIS
iptables-restore [-c|--counters] [-h|--help] [-n|--noflush] [-t|--test] [-v|--verbose] [-V|--version] [-w|--wait [<seconds>]] [-W|--wait-interval <microseconds>] [-M|--modprobe <modprobe_program>] [-T|--table <table_name>] [<file>]
PARAMETERS
-c, --counters
Restore the packet and byte counter values recorded in the [pkts:bytes] field in front of each rule. Without this option, all counters start at zero.
-h, --help
Print a short option summary and exit.
-n, --noflush
Do not flush (clear) the existing contents of each table present in the input before loading the new rules. Rules are appended to whatever is already there instead of replacing it, so restoring the same file twice with -n duplicates every rule. Without -n, only the tables that appear in the input are flushed; tables absent from the input are left untouched.
-t, --test
Parse the input and build the ruleset, but do not commit anything to the kernel. Useful for checking a rule file before applying it.
-v, --verbose
Print additional debug output while the ruleset is processed. Give the option more than once to increase the debug level.
-V, --version
Print the program version and exit.
-w, --wait [<seconds>]
Wait for the xtables exclusive lock, which serialises concurrent iptables invocations. Without -w, the command exits immediately with an error if another iptables process holds the lock; with -w alone it waits indefinitely; with -w <seconds> it gives up after that many seconds.
-W, --wait-interval <microseconds>
Time to sleep between attempts to obtain the lock, in microseconds. Only meaningful together with -w. The default interval is one second.
-M, --modprobe <modprobe_program>
Path to the modprobe program used to load kernel modules on demand. By default the path is read from /proc/sys/kernel/modprobe.
-T, --table <table_name>
Restore only the named table (e.g., filter, nat, mangle, raw, security) even if the input contains others. If omitted, every table found in the input is processed.
<file>
Read the rules from <file> instead of standard input. There is no -f/--file option; older releases accept input only on standard input, and shell redirection (iptables-restore < file) works everywhere.
DESCRIPTION
iptables-restore is a utility used to load IPv4 firewall rules into the kernel's Netfilter tables. It reads rules in the format produced by iptables-save, from standard input or from a file named as its last argument. On current distributions the name may resolve to either the legacy backend (iptables-legacy-restore) or the nftables-based backend (iptables-nft-restore); both read the same saved format.
This command is central to persistent firewall configuration because it loads complex rule sets quickly and atomically. Unlike adding rules one at a time with iptables -A, iptables-restore assembles each table's ruleset in full and commits it to the kernel in one operation when it reaches that table's COMMIT line (the nftables backend batches all tables of the input into a single transaction). The kernel therefore never exposes a half-loaded table, which it would while rules are appended command by command.
It is commonly invoked during system boot to apply a previously saved firewall configuration. The input contains one block per table (e.g., filter, nat, mangle, raw, security), each consisting of a *table header, chain declarations with their default policy, the rule specifications, and a terminating COMMIT line. If no table is selected with -T, all tables found in the input are processed.
CAVEATS
Requires root privileges to execute.
The input must be in the format generated by iptables-save: a *table header, chain declarations of the form :CHAIN POLICY [pkts:bytes], rule lines, and a closing COMMIT for every table. Lines beginning with # are ignored. Malformed input aborts the restore.
Without -n, every table present in the input is flushed and rebuilt from the file. The flush and the new rules are committed together, so there is no window in which the table is empty; the practical risk is that rules added by hand since the file was saved, and anything else in a table the file happens to contain, are silently replaced by the file's contents and default policies.
This command is specifically for IPv4 firewall rules. For IPv6, use ip6tables-restore.
Does not manage IP sets; use ipset restore (from the ipset package) for that. A rule that matches on a set (-m set --match-set) fails to load if the set does not exist yet, so restore sets before restoring rules that reference them.
ATOMIC RULE LOADING
A key feature of iptables-restore is that a table is never applied piecemeal. The whole table is assembled in userspace and handed to the kernel in one operation at COMMIT, so packets are evaluated either against the old ruleset or the complete new one, never against a partially built chain. With the nftables backend, all tables in the input are committed as one transaction. Applying rules sequentially with iptables -A cannot give this guarantee.
INPUT SOURCE FLEXIBILITY
The command reads rules from standard input (via a pipe such as cat file | iptables-restore, or redirection such as iptables-restore < file) or, on current releases, from a file given as its last argument. This makes it easy to generate rule sets in scripts and templates and apply them in one step.
ERROR HANDLING
If iptables-restore encounters a syntax error or an invalid rule specification in the input, it aborts and reports the offending input line (for example, "iptables-restore: line 12 failed"). With the legacy backend, tables whose COMMIT line preceded the error have already been applied, so the result can be partial across tables even though no single table is half-loaded; the nftables backend rolls the whole batch back. Run the file through --test first, which catches parse and rule errors before anything is committed, and keep a copy of the previous iptables-save output to roll back to.
HISTORY
iptables-restore is an integral part of the Netfilter project, which provides stateful packet filtering, NAT, and other packet manipulation facilities in the Linux kernel. It emerged with the introduction of iptables in the Linux kernel 2.4 series, succeeding older firewalling tools like ipfwadm and ipchains.
Its development was driven by the need for a more efficient and reliable way to load complex firewall configurations than adding rules one by one. The atomic, per-table commit it provides made firewall updates transactional and removed the interval of partially applied rules that sequential loading produced.
SEE ALSO
iptables(8), iptables-save(8), ip6tables(8), ip6tables-restore(8), ipset(8), netfilter(7)