Tutorials How to configure iptables on Debian

How to configure iptables on Debian

The user-space application program iptables allows configuring the tables provided by the Linux kernel firewall, as well as the chains and rules it stores. The kernel module currently used for iptables only applies to IPv4 traffic, to configure firewall rules for IPv6 connections instead use ip6tables, which respond to the same command structures as iptables.

Listing current rules

Debian servers do not implement any restrictions by default, but for future reference, check the current iptable rules, use the following command.

sudo iptables -L

This will print out a list of three chains, input, forward and output, like the empty rules table example output below.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The chain names indicate which traffic the rules in each list will be applied to, input is for any connections coming to your cloud server, output is any leaving traffic and forward for any pass through. Each chain also has its policy setting which determines how the traffic is handled if it doesn’t match any specific rules, by default it’s set to accept.

Adding rules

Firewalls can commonly be configured in one of the two ways, either set the default rule to accept and then block any unwanted traffic with specific rules, or by using the rules to define allowed traffic and blocking everything else. The latter is often the recommended approach, as it allows pre-emptively blocking traffic, rather than having to reactively reject connections that should not be attempting to access your cloud server.

To begin using iptables, you should first add the rules for allowed inbound traffic for the services you require. Iptables can track the state of the connection, use the command below to allow established connections.

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

You can check that the rule was added using the same sudo iptables -L as before.

Next, allow traffic to a specific port to enable SSH connections with the following.

sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT

The ssh in the command translates to the port number 22, which the protocol uses by default. The same command structure can be used to allow traffic to other ports as well. To enable access to an HTTP web server, use the following command.

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

After adding all the allowed rules you require, change the input policy to drop.

sudo iptables -P INPUT DROP

The same policy rules can be defined to other chains as well by entering the chain name and selecting either DROP or ACCEPT.

Saving and restoring rules

Now if you were to restart your cloud server all of these iptables configurations would be wiped. To prevent this, save the rules to a file.

sudo iptables-save > /etc/iptables/rules.v4

You can then simply restore the saved rules by reading the file you saved.

# Overwrite the current rules
sudo iptables-restore < /etc/iptables/rules.v4
# Add the new rules keeping the current ones
sudo iptables-restore -n < /etc/iptables/rules.v4

You can automate the restore process at reboot by installing an additional package for iptables which takes over the loading of the saved rules. To this with the following command.

sudo aptitude install iptables-persistent

After the installation the initial setup will ask to save the current rules for IPv4 and IPv6, just select Yes and press enter for both.

If you make further changes to your iptables rules, remember to save them again using the same command as above. The iptables-persistent looks for the files rules.v4 and rules.v6 under /etc/iptables.

These are just a few simple commands you can use with iptables, which is capable of much more. Read on to check on some of the other options available for more advanced control over iptable rules.

Leave a Reply

Your email address will not be published. Required fields are marked *

Locations

Helsinki (HQ)

In the capital city of Finland, you will find our headquarters, and our first data centre. This is where we handle most of our development and innovation.

London

London was our second office to open, and a important step in introducing UpCloud to the world. Here our amazing staff can help you with both sales and support, in addition to host tons of interesting meetups.

Seattle

Seattle is our 4th and latest office to be opened, and our way to reach out across the pond to our many users in the Americas.

Singapore

Singapore was our 3rd office to be opened, and enjoys one of most engaged and fastest growing user bases we have ever seen.