iptables save

When I was working with our sysadmin, he freaked out that when we stopped/restarted the iptables service, the iptables rules were gone. The iptables rules are lost upon shutdown of the iptables service or after a system reboot.
 
What I usually do is save off my iptables rules into a save file as follows:
# iptables-save > $HOME/iptables.savefile
This command simply prints the current iptables rules to stdout, which is why the output is redirected into a file.
[root@server ~]# iptables-save > iptables.dump
[root@server ~]# less iptables.dump

# Generated by iptables-save v1.4.7 on Fri Jul 22 20:24:22 2016
*filter
:INPUT ACCEPT [348542:44953290]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9496643:512690291]
-A INPUT -i ib1 -p tcp -m tcp --dport 5042 -j ACCEPT
-A INPUT -i ib1 -p tcp -m tcp --dport 5042 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i ib1 -p tcp -m tcp --dport 3260 -j ACCEPT
-A INPUT -i ib1 -p tcp -m tcp --dport 3260 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i ib1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i ib1 -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i ib1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ib1 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 204.70.128.1/32 -i ib1 -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -s 10.13.34.32/32 -i ib1 -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -s 10.13.34.32/32 -i ib1 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -s 10.13.34.31/32 -i ib1 -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -s 10.13.34.31/32 -i ib1 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -i ib1 -p tcp -m tcp --dport 1024:65535 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ib1 -p tcp -m tcp --dport 1024:65535 -j ACCEPT
-A INPUT -i ib1 -p tcp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ib1 -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ib0 -p tcp -m tcp --dport 5042 -j ACCEPT
-A INPUT -i ib0 -p tcp -m tcp --dport 5042 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i ib0 -p tcp -m tcp --dport 3260 -j ACCEPT
-A INPUT -i ib0 -p tcp -m tcp --dport 3260 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i ib0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i ib0 -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i ib0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ib0 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 204.70.128.1/32 -i ib0 -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -s 10.13.34.32/32 -i ib0 -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -s 10.13.34.32/32 -i ib0 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -s 10.13.34.31/32 -i ib0 -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -s 10.13.34.31/32 -i ib0 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -i ib0 -p tcp -m tcp --dport 1024:65535 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ib0 -p tcp -m tcp --dport 1024:65535 -j ACCEPT
-A INPUT -i ib0 -p tcp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ib0 -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 10.43.48.107/32 -i eth0 -p udp -m udp --dport 162 -j ACCEPT
….
COMMIT
# Completed on Fri Jul 22 20:24:22 2016
We can then run iptables-restore, which reads a dump of rules made by iptables-save on stdin and loads it back in.
[root@server ~]# iptables-restore < iptables.dump
[root@server ~]# iptables -L

# Generated by iptables-save v1.4.7 on Fri Jul 22 20:24:22 2016
*filter
:INPUT ACCEPT [348542:44953290]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9496643:512690291]
-A INPUT -i ib1 -p tcp -m tcp --dport 5042 -j ACCEPT
-A INPUT -i ib1 -p tcp -m tcp --dport 5042 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i ib1 -p tcp -m tcp --dport 3260 -j ACCEPT
-A INPUT -i ib1 -p tcp -m tcp --dport 3260 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i ib1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i ib1 -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i ib1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ib1 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 204.70.128.1/32 -i ib1 -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -s 10.13.34.32/32 -i ib1 -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -s 10.13.34.32/32 -i ib1 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -s 10.13.34.31/32 -i ib1 -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -s 10.13.34.31/32 -i ib1 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -i ib1 -p tcp -m tcp --dport 1024:65535 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ib1 -p tcp -m tcp --dport 1024:65535 -j ACCEPT
-A INPUT -i ib1 -p tcp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ib1 -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ib0 -p tcp -m tcp --dport 5042 -j ACCEPT
-A INPUT -i ib0 -p tcp -m tcp --dport 5042 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i ib0 -p tcp -m tcp --dport 3260 -j ACCEPT
-A INPUT -i ib0 -p tcp -m tcp --dport 3260 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i ib0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i ib0 -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i ib0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ib0 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 204.70.128.1/32 -i ib0 -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -s 10.13.34.32/32 -i ib0 -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -s 10.13.34.32/32 -i ib0 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -s 10.13.34.31/32 -i ib0 -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -s 10.13.34.31/32 -i ib0 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -i ib0 -p tcp -m tcp --dport 1024:65535 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ib0 -p tcp -m tcp --dport 1024:65535 -j ACCEPT
-A INPUT -i ib0 -p tcp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ib0 -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 10.43.48.107/32 -i eth0 -p udp -m udp --dport 162 -j ACCEPT
….
COMMIT
# Completed on Fri Jul 22 20:24:22 2016
Once imported back in, simply run service iptables reload.
 
 
As stated above, the RHEL/OEL default configuration discards the running configuration when the iptables service is stopped or restarted. Setting IPTABLES_SAVE_ON_STOP="yes" or IPTABLES_SAVE_ON_RESTART="yes" in /etc/sysconfig/iptables-config will prevent that discard.
 
 
You can also run service iptables save to save the running rules into /etc/sysconfig/iptables.
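
Because unsaved rules disappear on a stop or restart, it helps to check whether the running rules still match the save file before touching the service. The script below is an added example, not part of the original post: it compares two iptables-save dumps while ignoring the timestamp comments and packet/byte counters that change on every run, and checks that a dump is complete. The function names (normalize_dump, dump_is_complete, rules_drifted) and the /tmp/running.dump path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: detect drift between a saved iptables dump and a fresh one.

# normalize_dump FILE: print the dump without its volatile fields.
normalize_dump() {
    # 1) drop "# Generated ..." / "# Completed ..." comment lines
    # 2) strip [packets:bytes] from chain policy lines (":INPUT ACCEPT [1:2]")
    # 3) strip the per-rule counter prefix written by "iptables-save -c"
    sed -e '/^#/d' \
        -e 's/^\(:[^ ]* [^ ]*\) \[[0-9]*:[0-9]*]$/\1/' \
        -e 's/^\[[0-9]*:[0-9]*] //' \
        "$1"
}

# dump_is_complete FILE: succeed only if the file has at least one "*table"
# section and every section is closed by COMMIT. A dump cut short before
# COMMIT does not load that table.
dump_is_complete() {
    awk '
        /^\*/      { if (open) bad = 1; open = 1; tables++ }
        /^COMMIT$/ { if (!open) bad = 1; open = 0 }
        END        { exit (bad || open || !tables) }
    ' "$1"
}

# rules_drifted SAVED RUNNING: return 0 if the effective rules differ,
# 1 if they are the same, 2 if a file could not be read.
rules_drifted() {
    saved_rules=$(normalize_dump "$1") || return 2
    running_rules=$(normalize_dump "$2") || return 2
    [ "$saved_rules" != "$running_rules" ]
}

# Typical use as root (commented out so the file can be sourced safely):
#   iptables-save > /tmp/running.dump
#   dump_is_complete /tmp/running.dump || echo "dump is truncated"
#   rules_drifted /etc/sysconfig/iptables /tmp/running.dump \
#       && echo "running rules differ from the save file"
```

If rules_drifted reports a difference, decide which side is correct before running service iptables save or iptables-restore, since each one overwrites the other.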