I have 6 OSSEC installations (5 agents + 1 server, all Debian 8) all configured to block repeated offenders using iptables from 10 minutes to 1 month.
I have the need to restart one or more of the servers from time to time. Every time, the iptables rules added by OSSEC are removed. This also happens when restarting OSSEC (./ossec-control restart).
Is there an easy solution to keeping the rules, or will I have to modify the active response scripts to run iptables-save every time an IP is blocked/unblocked?
I think you answered your own question with the latter, of running iptables-save in active-response scripts. But the problem with that is anytime you upgrade OSSEC those changes will get overwritten.
So the best option is to configure iptables-save in cron to your liking.
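A script of the kind the answer suggests, added here as an example (it is not from the question, the answer, or the OSSEC project): a cron job snapshots only the per-source DROP rules that OSSEC's firewall-drop response inserts, and a boot-time run re-applies them unless the snapshot is older than the longest block. The snapshot path, the cron lines in the comments and the sample iptables-save output are assumptions.

```shell
#!/bin/sh
# Persist OSSEC firewall-drop rules across reboots and ossec-control restarts.
# Assumed paths; adjust to your layout.
SNAPSHOT="${SNAPSHOT:-/var/lib/ossec-blocks/rules.v4}"
MAX_AGE_SECS=$((30 * 24 * 3600))   # longest block in the question: 1 month

# Keep only the DROP-by-source rules firewall-drop.sh adds to INPUT/FORWARD;
# the rest of the iptables-save output belongs to the base firewall policy.
ossec_block_rules() {
    grep -E '^-A (INPUT|FORWARD) -s [0-9]+(\.[0-9]+){3}(/[0-9]+)? -j DROP$'
}

# Save. Cron line (assumed): */5 * * * * root /usr/local/sbin/persist-ossec-blocks save
save_blocks() {
    raw=$(iptables-save) || return 1
    mkdir -p "$(dirname "$SNAPSHOT")"
    # grep exits 1 when there are no blocks; an empty snapshot is still valid.
    printf '%s\n' "$raw" | ossec_block_rules > "$SNAPSHOT.tmp" || :
    mv "$SNAPSHOT.tmp" "$SNAPSHOT"
}

# Restore. Cron line (assumed): @reboot root /usr/local/sbin/persist-ossec-blocks restore
# A snapshot older than MAX_AGE_SECS is ignored, so blocks OSSEC would already
# have released are not re-applied; OSSEC's own timer was lost with the restart.
restore_blocks() {
    [ -f "$SNAPSHOT" ] || return 0
    age=$(( $(date +%s) - $(stat -c %Y "$SNAPSHOT") ))
    [ "$age" -le "$MAX_AGE_SECS" ] || return 0
    while read -r rule; do
        # shellcheck disable=SC2086
        set -- $rule; shift            # drop leading "-A", leaving: CHAIN -s IP -j DROP
        iptables -C "$@" 2>/dev/null || iptables -I "$@"
    done < "$SNAPSHOT"
}

# Constructed iptables-save output for the demo subcommand.
SAMPLE_SAVE='# Generated by iptables-save v1.4.21
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.10/32 -j DROP
-A FORWARD -s 192.0.2.10/32 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -s 198.51.100.7/32 -j DROP
COMMIT'

case "${1:-}" in
    save)    save_blocks ;;
    restore) restore_blocks ;;
    demo)    printf '%s\n' "$SAMPLE_SAVE" | ossec_block_rules ;;
esac
```

Restored blocks no longer have an OSSEC unblock timer, so keep the cron interval short and MAX_AGE_SECS no larger than your longest configured block.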