Persistent iptables firewall on Debian

I’ve been using scripts in /etc/network/if-pre-up.d/ to configure the iptables firewall for my home router for a few years now. However, these scripts are run once per interface, which just seems unnecessary for my purposes. I decided to try Debian’s iptables-persistent package instead.

Install the iptables-persistent package:

# apt-get install iptables-persistent

Iptables-persistent is actually now a plugin for netfilter-persistent, which may support other plugins in the future.

Configuration

You need to save your iptables rules to the following two files (one for IPv4, one for IPv6); iptables-persistent will then restore them on each boot.

# iptables-save > /etc/iptables/rules.v4
# ip6tables-save > /etc/iptables/rules.v6

Alternatively you can now do this:

# netfilter-persistent save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save

This saves the current state for all netfilter-persistent plugins, including iptables-persistent, using the appropriate method for each.

These files are in a format that can be efficiently read by iptables but they aren’t easy to maintain.

Maintenance

I have created well-documented configuration scripts for my iptables rules, which I’ve saved in the same directory.

# ls -l /etc/iptables
total 16
-rwxr-xr-- 1 root root 2241 Jul  3 20:14 conf.v4
-rwxr-xr-- 1 root root  828 Jul  3 20:14 conf.v6
-rw-r--r-- 1 root root  980 Jul  3 20:29 rules.v4
-rw-r--r-- 1 root root  769 Jul  3 20:29 rules.v6

This is an extract from my IPv4 configuration.

File: /etc/iptables/conf.v4
#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin

# Delete existing rules. #
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# INPUT chain #
# All packets that are addressed to this computer. #
# Drop all traffic as the default policy.
iptables -P INPUT DROP
# Accept all return traffic for initiated connections.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept all traffic that hasn't come from ppp0 (internet).
iptables -A INPUT ! -i ppp0 -j ACCEPT
# Accept all ICMP traffic: pings etc.
iptables -A INPUT -p icmp -j ACCEPT
# Reject any other traffic.
iptables -A INPUT -j REJECT

# ...

# Save the iptables ruleset for use by iptables-persistent on boot.
iptables-save > /etc/iptables/rules.v4

I can easily make changes by modifying and then running my configuration script, which applies the rules and also saves them for iptables-persistent to use at boot.
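Because the saved rules.v4 is what actually gets loaded at boot, it is worth checking that file before trusting it. The following POSIX shell function is an added example (not from the original post) that validates an iptables-save format file: every table must open with `*name` and close with COMMIT, and the filter table's INPUT policy must be DROP, as the script above intends. The sample files are constructed for the example; only sh and awk are needed.

```shell
#!/bin/sh
# Validate an iptables-save format file such as /etc/iptables/rules.v4.
# Prints each problem found; exit status 0 = passes, 1 = problems.
check_rules_file() {
    awk '
        /^#/ { next }                      # "# Generated by iptables-save" etc.
        /^\*/ {                            # "*filter", "*nat": table start
            if (in_table) { print "table " table ": missing COMMIT"; bad = 1 }
            table = substr($0, 2); in_table = 1; next
        }
        /^COMMIT$/ {                       # table end
            if (!in_table) { print "COMMIT outside any table"; bad = 1 }
            in_table = 0; next
        }
        /^:INPUT / && table == "filter" { policy = $2 }   # ":INPUT DROP [0:0]"
        END {
            if (in_table) { print "table " table ": missing COMMIT"; bad = 1 }
            if (policy == "") { print "filter table: no INPUT chain"; bad = 1 }
            else if (policy != "DROP") {
                print "filter INPUT policy is " policy ", expected DROP"; bad = 1
            }
            exit bad + 0
        }' "$1"
}

# Constructed sample of what conf.v4 would save (not a real capture).
good_sample() {
    cat <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -i ppp0 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Constructed broken sample: default policy left open and COMMIT lost.
bad_sample() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Usage on a real system: check_rules_file /etc/iptables/rules.v4
```

Running it on rules.v4 right after conf.v4 finishes catches a save that was silently truncated or a policy that was never set before the next reboot relies on it.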
