Debian Tutorials

Debian Tutorials


Step by step tutorials showing you how to install and configure various applications and services on Debian based Linux distros.

August 2018
M T W T F S S
« Apr    
 12345
6789101112
13141516171819
20212223242526
2728293031  

Categories


Loading iptables rules on startup

adminadmin

By default iptables is setup on Debian etch but there are no rules configured. In this tutorial we’ll configure some rules and load them into iptables on startup.

1. Rules file

Create a new file that will contain a shell script to insert rules into iptables (pico /etc/firewall-rules.sh) and add this content as template:

#!/bin/sh
IPT="/sbin/iptables"

echo -n "Loading iptables rules..."

# Flush old rules
$IPT –flush
$IPT –delete-chain

# By default, drop everything except outgoing traffic
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# Allow incoming and outgoing for loopback interfaces
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# ICMP rules
$IPT -A INPUT -p icmp –icmp-type echo-reply -m state –state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p icmp –icmp-type echo-request -m limit –limit 5/s -m state –state NEW -j ACCEPT
$IPT -A INPUT -p icmp –icmp-type destination-unreachable -m state –state NEW -j ACCEPT
$IPT -A INPUT -p icmp –icmp-type time-exceeded -m state –state NEW -j ACCEPT
$IPT -A INPUT -p icmp –icmp-type timestamp-request -m state –state NEW -j ACCEPT
$IPT -A INPUT -p icmp –icmp-type timestamp-reply -m state –state ESTABLISHED,RELATED -j ACCEPT

# Block new connections without SYN
$IPT -A INPUT -p tcp ! –syn -m state –state NEW -j DROP

# Allow established connections:
$IPT -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT

# SSH
$IPT -A INPUT -p tcp –dport 22 -m state –state NEW -j ACCEPT

# HTTP
$IPT -A INPUT -p tcp –dport 80 -m state –state NEW -j ACCEPT
$IPT -A INPUT -p tcp –dport 443 -m state –state NEW -j ACCEPT

# Block fragments and Xmas tree as well as SYN,FIN and SYN,RST
$IPT -A INPUT -p ip -f -j DROP
$IPT -A INPUT -p tcp –tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPT -A INPUT -p tcp –tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -p tcp –tcp-flags SYN,RST SYN,RST -j DROP

# Anti-spoofing rules
$IPT -A INPUT -s 200.200.200.200 -j DROP
$IPT -A INPUT -s 192.168.0.0/24 -j DROP
$IPT -A INPUT -s 127.0.0.0/8 -j DROP

echo “rules loaded.”
You can customize this file as required, check the iptables manual for parameters and options.

Change the permissions to make the file executable by root:

chown root /etc/firewall-rules.sh
chmod 700 /etc/firewall-rules.sh

2. Load rules shell script on startup

Add this line above the address line for your default network interface (pico /etc/network/interfaces):

pre-up /etc/firewall-rules.sh

Now, every time you start the network interfaces including restarting the system, iptables rules are reloaded.

Comments 3
  • fantasio
    Posted on

    fantasio fantasio

    Author

    also you can use startup script .you must copy your rules for example firewall.sh to /etc/init.d .the you must copy your rules which you are using runlevel . check “runlevel”
    command. if you are level 2 just like me .you must link your /etc/init.d to /etc/rc2.d

    ln -s /etc/init.d/firewall.sh /etc/rc2.d/S33frewall.sh

    then you must give this command

    update-rc.d /etc/init.d/firewall.sh defaults

    its done.your firewall script will be begin at startup.


  • Woky
    Posted on

    Woky Woky

    Author

    Why this “update-rc.d /etc/init.d/firewall.sh defaults ” if you did soft links into /etc/rc2.d???
    Folk, you are mixing two possible methods together ;o/