I did Enabling networking between two qubes as described in the official docs.
Everything worked as expected, so I wrote the iptables rules into firewallVM’s qubes-firewall-user-script script, as in the documentation.
However, after rebooting the system, the changes I made to /rw/config/qubes-firewall-user-script have disappeared. Is this this expected behaviour? If so, how can I made the firewall changes persist?
Me guessing: could your sys-firewall be disposable by any chance? That would explain the behaviour that you describe.
In an AppVM the /rw directory is persistent. If your sys-firewall was a DispVM, however, that directory would be inherited from the AppVM that acts as the DispVM template. In that case, you’d want to make the changes in that AppVM.
The inheritance behaviour is described in detail in this section of the documentation (Inheritance and persistence):
Correct, sys-firewall is a DispVM (I believe that is how it was automatically installed). That explains everything.