LinuxCommandLibrary

iptables-save

Save current iptables firewall rules to a file

TLDR

Print the iptables configuration

$ sudo iptables-save

Print the iptables configuration of a specific table

$ sudo iptables-save [[-t|--table]] [table]

Save the iptables configuration to a file

$ sudo iptables-save [[-f|--file]] [path/to/file]

SYNOPSIS

iptables-save [-c] [-L] [-t table] [-f filename] [-V]

PARAMETERS

-c, --counters
    Includes the current values of packet and byte counters for each rule in the output. Useful for analyzing network traffic patterns or debugging.

-L, --linenumbers
    Adds line numbers to each rule in the output. This can help in identifying specific rules, especially when dealing with large or complex rule sets.

-t table, --table table
    Specifies which table's rules to save. If this option is omitted, rules from all standard tables (filter, nat, mangle, raw, security) are saved.

-f filename, --file filename
    Writes the output to the specified file instead of standard output (stdout). This is commonly used to create a backup file of the rules.

-V, --version
    Prints the version of the iptables-save program and exits.

DESCRIPTION

The iptables-save command is used to extract and dump the current IPv4 firewall rules from the kernel's memory to standard output or a specified file. It generates a formatted output that is compatible with the iptables-restore command, making it essential for backing up, migrating, or restoring firewall configurations.

It reads the rule sets for all IPv4 tables (e.g., filter, nat, mangle, raw, security) or a specific table, and outputs them in a textual format that includes chain definitions, rules, and optional counters. This utility is a fundamental component of managing persistent iptables rules on Linux systems, as iptables rules are volatile and disappear on reboot unless saved and reloaded.

CAVEATS

  • IPv4 Only: iptables-save is specifically for IPv4 firewall rules. For IPv6 rules, use ip6tables-save.
  • Root Privileges: This command requires root privileges to access and dump the kernel's firewall rules.
  • Output Format: The output is designed to be parsed by iptables-restore. While human-readable, it follows a specific syntax that might not be immediately intuitive for manual editing.
  • Volatile Rules: Rules saved by iptables-save are not automatically loaded on system boot. A mechanism (e.g., a service or script using iptables-restore) is required to load them persistently.

OUTPUT FORMAT

The output generated by iptables-save is a series of iptables commands and directives that can be directly fed into iptables-restore. It starts with a *table_name line for each table, followed by :CHAIN_NAME POLICY [packet_count:byte_count] lines defining chains and their default policies. Subsequent lines specify individual rules, resembling their iptables command-line counterparts (e.g., -A INPUT -p tcp --dport 22 -j ACCEPT). The output for each table concludes with a COMMIT line, signaling the end of rule definitions for that table. This structure ensures atomic loading of rules by iptables-restore.
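A small parser for this format, added here as an example (it is not part of the LinuxCommandLibrary page or of the iptables tools): it walks the *table / :CHAIN POLICY [packets:bytes] / rule / COMMIT structure described above, rejects input that iptables-restore would refuse (a table never closed by COMMIT, a line outside any table), accepts the counter prefix that -c puts in front of rule lines, and reports built-in chains whose default policy is ACCEPT. The embedded ruleset is constructed and the function names are my own.

```python
import re

SAMPLE = """\
# Generated by iptables-save (constructed sample; the [5:300] prefix is what -c adds)
*filter
:INPUT DROP [12:960]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [140:21000]
-A INPUT -i lo -j ACCEPT
[5:300] -A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
"""
CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")
COUNTED_RULE_RE = re.compile(r"^\[(\d+):(\d+)\] (.*)$")

def parse_iptables_save(text):
    """Parse iptables-save output; raise ValueError where iptables-restore would."""
    tables, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):    # blank and comment lines
            continue
        if line.startswith("*"):                 # *table opens a block
            if current is not None:
                raise ValueError(f"line {lineno}: {current!r} missing COMMIT")
            current = line[1:]
            tables[current] = tbl = {"chains": {}, "rules": []}
        elif current is None:
            raise ValueError(f"line {lineno}: {line!r} outside a *table block")
        elif line == "COMMIT":                   # closes the current table
            current = None
        elif line.startswith(":"):               # :CHAIN POLICY [pkts:bytes]
            if not (m := CHAIN_RE.match(line)):
                raise ValueError(f"line {lineno}: malformed chain {line!r}")
            name, policy, pk, by = m.groups()
            tbl["chains"][name] = {"policy": policy, "packets": int(pk), "bytes": int(by)}
        else:                                    # a rule, optionally with counters
            m = COUNTED_RULE_RE.match(line)
            counters = (int(m.group(1)), int(m.group(2))) if m else None
            tbl["rules"].append({"rule": m.group(3) if m else line, "counters": counters})
    if current is not None:
        raise ValueError(f"table {current!r} missing COMMIT")
    return tables

def accept_policy_chains(tables, table="filter", chains=("INPUT", "FORWARD")):
    """Built-in chains whose default policy is ACCEPT: unmatched traffic passes."""
    found = tables.get(table, {}).get("chains", {})
    return [c for c in chains if found.get(c, {}).get("policy") == "ACCEPT"]
```

Run against a real backup with `parse_iptables_save(open("/etc/iptables/rules.v4").read())` to check that the file is restorable and to list chains left at an ACCEPT policy.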

TYPICAL USAGE

A common use case is to back up your current firewall rules to a file:

sudo iptables-save > /etc/iptables/rules.v4

And to restore them from that file:

sudo iptables-restore < /etc/iptables/rules.v4

HISTORY

iptables-save is part of the Netfilter project, which provides the Linux kernel's packet filtering framework. It evolved from earlier tools like ipchains and ipfwadm as part of the transition to the more flexible and powerful Netfilter architecture around Linux kernel 2.4. Its primary purpose has always been to provide a reliable method for persisting kernel-resident firewall rules.

SEE ALSO
