Set up iptables on Debian 8 with iptables-persistent

If you read our previous article Easy Debian Server Firewall, you may have noted that on Debian Jessie the method described there no longer works. This is due to systemd. In the article below we walk through creating a persistent iptables based firewall on Debian Jessie. First we need to install some required software packages: as seen in the command below, install iptables-persistent. Next we make netfilter-persistent run at boot. This is the most important step, as it ensures your rules are reloaded at boot time.

This package's service is started automatically when the server boots.
#apt-get install -y iptables-persistent
Add netfilter-persistent startup (this saves the current rules so they are restored at boot):
#invoke-rc.d netfilter-persistent save
Start the netfilter-persistent service:
#service netfilter-persistent start
or
#/etc/init.d/netfilter-persistent start

Once the packages above are installed, you will have a new directory at /etc/iptables/. This directory holds the iptables filter rules that are reloaded at boot time. The files are named rules.v4 and rules.v6 respectively: IPv4 rules are loaded from rules.v4 and IPv6 rules from rules.v6. For the purpose of this article we focus on IPv4 rules. Next we copy the rules below into our rules.v4 file. Of course the rules will need to be modified to fit your environment.

Then edit the file to add the ACCEPT rules you need and the DROP rules for everything else:
#vim /etc/iptables/rules.v4

# Generated by iptables-save v1.4.21 on Fri Apr  8 14:01:26 2016
*filter
# The default policy of INPUT, OUTPUT and FORWARD is ACCEPT, meaning that a packet
# matching none of the rules below is accepted; the final "-A INPUT -j DROP" rule
# is what turns INPUT into a default-deny chain.

:INPUT ACCEPT [184260:38761628]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [158239:49088110]
# Allow these TCP ports from any source
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
# Allow TCP port 25 only from the IP 10.105.9.203
-A INPUT -p tcp -m tcp --dport 25 -s 10.105.9.203 -j ACCEPT
# Allow TCP port 25 from any IP (with this rule present the source-restricted
# rule above makes no practical difference; keep only one of the two)
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT

# -I inserts at the head of the chain, so replies to established connections
# are accepted before any other INPUT rule is evaluated
-I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# Allow ICMP echo requests (ping) from clients in this subnet
-A INPUT -p icmp --icmp-type echo-request -s 10.105.0.0/16 -j ACCEPT

# Drop everything not allowed above
-A INPUT -j DROP
COMMIT
Save and exit.

Restart the netfilter-persistent service:

#/etc/init.d/netfilter-persistent restart
Check that the rules were applied:
#iptables -L
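Before restarting the service it is worth checking what the file actually does. The following audit script is an added example, not code from the article or from iptables-persistent: it replays a rules.v4 file the way iptables-restore does (-A appends, -I inserts at the head of the chain), then reports which ports are open to every source, which source restrictions are made ineffective by a later unrestricted rule on the same port, whether loopback traffic is accepted, and whether the chain ends in a catch-all DROP. It runs on a constructed sample that mirrors the rules above; the function and variable names are my own.

```python
"""Audit an iptables-save style rules.v4 (added example, not the article's own code)."""
import shlex

def effective_chain(rules_text, chain="INPUT"):
    """Rules of `chain` in kernel evaluation order. iptables-restore replays the file
    top to bottom, so a -I line near the bottom of rules.v4 is still evaluated first."""
    order = []
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*:" or line == "COMMIT":
            continue  # comments, table/chain headers and COMMIT are not rules
        argv = shlex.split(line)
        if len(argv) > 1 and argv[1] == chain and argv[0] in ("-A", "-I"):
            # -A appends to the chain; -I without a position inserts at the head
            order.insert(0 if argv[0] == "-I" else len(order), argv)
    return order

def _opt(argv, *names):
    """Value following the first of `names` in argv, or None if absent."""
    return next((argv[i + 1] for i, tok in enumerate(argv[:-1]) if tok in names), None)

def audit(rules_text):
    """Summarise what INPUT exposes and flag the mistakes a reviewer looks for."""
    chain = effective_chain(rules_text)
    report = {"open_to_all": set(), "restricted": {}, "loopback_allowed": False}
    for argv in chain:
        if _opt(argv, "-j") != "ACCEPT":
            continue
        port, src = _opt(argv, "--dport"), _opt(argv, "-s", "--source")
        if _opt(argv, "-i", "--in-interface") == "lo":
            report["loopback_allowed"] = True
        if port and src:
            report["restricted"].setdefault(port, set()).add(src)
        elif port:
            report["open_to_all"].add(port)
    # A source-limited ACCEPT plus an unrestricted ACCEPT on the same port restricts nothing.
    report["ineffective_restriction"] = set(report["restricted"]) & report["open_to_all"]
    report["established_first"] = bool(chain) and "ESTABLISHED,RELATED" in chain[0]
    report["ends_with_drop"] = bool(chain) and chain[-1][2:] == ["-j", "DROP"]
    return report

# Constructed sample mirroring the article's rules.v4, trimmed to the essentials.
SAMPLE_RULES = """\
-A INPUT -p tcp -m tcp --dport 25 -s 10.105.9.203 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
"""
```

Run against the article's full rules.v4 it reports the same two findings as on the sample: the port 25 restriction to 10.105.9.203 is made ineffective by the unrestricted port 25 rule that follows it, and no rule accepts loopback traffic, which matters for services that connect to 127.0.0.1 over TCP once the final DROP is in place.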