iptables-restore
Restore iptables rules from saved configuration
TLDR
Restore the iptables configuration from a file
SYNOPSIS
iptables-restore [-c] [-h] [-n] [-v] [-w[seconds]] [-T table] [file]
PARAMETERS
-c, --counters
restore the values of all counters
-h, --help
print this help message
-n, --noflush
don't flush the previous contents of the table
-T, --table name
restore only the specified table (filter, nat, mangle, raw, security)
-v, --verbose
verbose output
-w, --wait [seconds]
maximum time to wait for iptables lock (0 to wait forever)
--version
print version information
DESCRIPTION
The iptables-restore command restores IPv4 packet filtering and NAT rules from a dump file generated by iptables-save. It reads input from a file or standard input, parsing rules in a specific format and applying them to the kernel's netfilter tables. This utility is essential for quickly loading complex firewall configurations, such as during system boot via init scripts or service managers like systemd.
Unlike iptables, which adds rules one by one, iptables-restore commits each table's ruleset in a single operation, minimizing disruption. With -c it also restores counters, so the packet and byte statistics are replicated exactly. By default, it flushes the existing rules of each table before loading, but options allow selective restoration.
Common use cases include backing up current rules with iptables-save and restoring them later, testing rule changes offline, or automating firewall management. It requires root privileges and interacts directly with the iptables kernel modules. For IPv6, use ip6tables-restore. Always verify input files to avoid locking yourself out of a system.
CAVEATS
Requires root privileges. Incorrect rules can disrupt network access. Input must match the iptables-save format exactly, or parsing fails. The restore is not atomic across tables, so use it with care on live systems. Deprecated in favor of nftables in modern distributions.
INPUT FORMAT
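Each table section starts with a line such as *filter, declares its chains and policies with lines such as :INPUT ACCEPT [0:0], lists rules such as -A INPUT -s 192.168.0.0/16 -j DROP, and ends with COMMIT, which applies that table. Every table section in the input must be closed by its own COMMIT.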
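The format above can be checked structurally before a file is loaded. The following sh/awk code is an added example, not part of the original page or of the netfilter project: the function names lint_ruleset and safe_restore and the sample rules are constructed for illustration, the check is deliberately conservative (it accepts only -A and -I rule lines), and --test is iptables-restore's parse-only option.

```sh
# lint_ruleset FILE: structural check of an iptables-save style dump.
# Returns 0 only if every table section is well formed and closed by COMMIT.
lint_ruleset() {
    awk '
    /^[ \t]*$/ || /^#/ { next }                 # blank lines and comments
    /^\*/ {                                     # table start, e.g. *filter
        if (table != "") { print "line " NR ": *" table " has no COMMIT"; bad = 1 }
        table = substr($0, 2); tables++; next
    }
    table == "" { print "line " NR ": content outside a table section"; bad = 1; next }
    $0 == "COMMIT" { table = ""; next }
    /^:/ {                                      # :CHAIN POLICY [packets:bytes]
        if ($0 !~ /^:[^ ]+ (ACCEPT|DROP|-) \[[0-9]+:[0-9]+\]$/) {
            print "line " NR ": malformed chain declaration"; bad = 1
        }
        next
    }
    /^(\[[0-9]+:[0-9]+\] )?-[AI] / { next }     # rule, optional [pkts:bytes] counters
    { print "line " NR ": unrecognized line"; bad = 1 }
    END {
        if (table != "") { print "*" table " has no COMMIT"; bad = 1 }
        if (tables == 0) { print "no table section found"; bad = 1 }
        exit bad + 0
    }' "$1"
}

# safe_restore FILE: lint, then parse-only dry run, then load (needs root).
safe_restore() {
    lint_ruleset "$1" || return 1
    iptables-restore --test "$1" || return 1    # builds the ruleset, no commit
    iptables-restore --wait=5 "$1"
}

# Constructed sample: the *filter section is never closed by COMMIT.
sample=$(mktemp)
printf '%s\n' '*filter' ':INPUT DROP [0:0]' \
    '-A INPUT -p tcp --dport 22 -j ACCEPT' > "$sample"
lint_ruleset "$sample" || echo "rejected before reaching iptables-restore"
rm -f "$sample"
```

The lint catches truncated or hand-edited files early; the --test pass is what confirms that the installed iptables-restore itself accepts every rule.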
EXAMPLES
iptables-save > /etc/iptables.rules
iptables-restore < /etc/iptables.rules
iptables-restore -c -T filter /backup.rules
HISTORY
Developed as part of the netfilter project starting in 1999 by Rusty Russell and others. It replaced ipchains and was widely used until the introduction of nftables in Linux 3.13 (2014). Maintained in iptables 1.4+ with enhancements such as the wait option in 1.4.21.
SEE ALSO
iptables(8), iptables-save(8), ip6tables-restore(8), nft(8)


