Setting Up A Basic Firewall Debian Using IPTABLES

Iptables provides packet filtering, network address translation (NAT) and other packet mangling.

Two of the most common uses of iptables are to provide firewall support and NAT.

Viewing current configuration

To see what rules are already configured, issue this command:

iptables -L

The output will be similar to this:

  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination
  Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination
  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination

With all three chains set to a default policy of ACCEPT and no rules, this gives anyone access to anything from anywhere.

Storing iptables rules in a file

Let's tighten that up a bit by creating a test iptables file:

vi /etc/iptables.test.rules

In this file enter some basic rules:

 # iptables-restore format: the table header and the closing COMMIT are required
 *filter

 # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
 -A INPUT -i lo -j ACCEPT
 -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

 # Accepts all established inbound connections
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

 # Allows all outbound traffic
 # You could modify this to only allow certain traffic
 -A OUTPUT -j ACCEPT

 # Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
 -A INPUT -p tcp --dport 80 -j ACCEPT
 -A INPUT -p tcp --dport 443 -j ACCEPT

 # Allows SSH connections
 # The --dport number is the same as in /etc/ssh/sshd_config
 -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
 # Now you should read up on iptables rules and consider whether ssh access
 # for everyone is really desired. Most likely you will only allow access from certain IPs.

 # Allow ping
 #  note that blocking other types of icmp packets is considered a bad idea by some
 #  remove -m icmp --icmp-type 8 from this line to allow all kinds of icmp:
 -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

 # log iptables denied calls (access via 'dmesg' command)
 -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

 # Reject all other inbound - default deny unless explicitly allowed policy:
 -A INPUT -j REJECT
 # This host does not route traffic, so close the FORWARD chain as well
 -A FORWARD -j REJECT

 COMMIT

That may look complicated, but take it one section at a time. You will see that it simply closes all ports except the ones we have allowed, which in this case are ports 80 and 443 (the standard web ports) and the SSH port defined above.

Activate these new rules:

iptables-restore < /etc/iptables.test.rules

And see the difference:

iptables -L

Now the output shows that only the ports defined above are open; all the others are closed. If you are administering the machine remotely, open a new SSH connection at this point, while the current session is still up, to confirm you have not locked yourself out.
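The LOG rule in the ruleset above writes one kernel-log line per rejected packet (read them with dmesg or from /var/log/kern.log). As an added example, not part of the original article, the following Python script parses those lines and counts denied packets by source, protocol and destination port, which is the information you need when deciding whether the "SSH from anywhere" rule should be narrowed. The log lines are constructed samples in the format the kernel LOG target emits, and the function names are this example's own.

```python
from collections import Counter

LOG_PREFIX = "iptables denied: "   # must match --log-prefix in the LOG rule

# Constructed sample log lines (not real traffic) in the format the kernel
# LOG target writes; the last line is an unrelated sshd entry to be skipped.
SAMPLE_LOG = """\
Mar  3 10:15:01 web kernel: [ 1201.442100] iptables denied: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4812 DF PROTO=TCP SPT=40211 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 web kernel: [ 1202.118000] iptables denied: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TTL=51 ID=4813 DF PROTO=TCP SPT=40212 DPT=3389 SYN URGP=0
Mar  3 10:15:05 web kernel: [ 1205.003200] iptables denied: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TTL=51 ID=4814 DF PROTO=TCP SPT=40213 DPT=23 SYN URGP=0
Mar  3 10:15:09 web kernel: [ 1209.770100] iptables denied: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 LEN=40 TTL=240 ID=54321 PROTO=TCP SPT=51000 DPT=23 SYN URGP=0
Mar  3 10:15:10 web kernel: [ 1210.555100] iptables denied: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 LEN=84 TTL=240 ID=54322 PROTO=ICMP TYPE=3 CODE=1
Mar  3 10:15:11 web sshd[1234]: Accepted publickey for admin from 203.0.113.9 port 50022 ssh2
"""

def parse_denied(line):
    """Return the KEY=VALUE fields of one LOG-rule line, or None if the
    line does not carry our log prefix (e.g. an sshd message)."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    fields = {}
    for token in line[idx + len(LOG_PREFIX):].split():
        key, sep, value = token.partition("=")
        # bare flags such as DF or SYN carry no value
        fields[key] = value if sep else True
    return fields

def summarize(text):
    """Count denied packets per (source, protocol, destination port).
    ICMP lines have no DPT, so the port is recorded as '-'."""
    counts = Counter()
    for line in text.splitlines():
        fields = parse_denied(line)
        if fields is not None:
            counts[(fields.get("SRC"), fields.get("PROTO"), fields.get("DPT", "-"))] += 1
    return counts

def top_sources(text, n=5):
    """Sources with the most denied packets: the first thing to look at when
    deciding whether 'SSH from anywhere' should be narrowed to known addresses."""
    by_src = Counter()
    for (src, _proto, _dport), count in summarize(text).items():
        by_src[src] += count
    return by_src.most_common(n)

if __name__ == "__main__":
    for (src, proto, dport), count in summarize(SAMPLE_LOG).most_common():
        print(f"{src:>15} {proto:<5} dpt={dport:<5} denied={count}")
    print("top sources:", top_sources(SAMPLE_LOG))
```

On a live host, feed the script the output of dmesg or the contents of /var/log/kern.log instead of SAMPLE_LOG; remember that the rule's "--limit 5/min" means the log undercounts during bursts.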

Making changes permanent

Iptables rules are not persistent: they are lost ("flushed") on the next reboot.

Once you are happy with your ruleset, save the new rules to the master iptables file:

iptables-save > /etc/iptables.up.rules

To make sure the iptables rules are loaded again after a reboot, we'll create a new file:

vi /etc/network/if-pre-up.d/iptables

Add these lines to it:  

#!/bin/sh
# restore the saved ruleset before the network interface is brought up
/sbin/iptables-restore < /etc/iptables.up.rules

The file needs to be executable so change the permissions:

chmod +x /etc/network/if-pre-up.d/iptables

If the iptables-persistent package is installed, it restores rules at boot from /etc/iptables/rules.v4 and /etc/iptables/rules.v6 instead, so the rules can also be stored like this:

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

