Persistent iptables firewall on Debian
I’ve been using scripts in /etc/network/if-pre-up.d/ to configure the iptables firewall for my home router for a few years now. However these scripts are run once per interface, which just seems unnecessary for my purposes. I decided to try Debian’s iptables-persistent package instead.
Installing the iptables-persistent package.
# apt-get install iptables-persistent
Iptables-persistent is actually now a plugin for netfilter-persistent, which may support other plugins in the future.
You need to save your iptables rules to the following two (for IPv4 and IPv6) files for iptables-persistent, which will then restore them on each boot.
# iptables-save > /etc/iptables/rules.v4
# ip6tables-save > /etc/iptables/rules.v6
Alternatively you can now do this:
# netfilter-persistent save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save
This saves the current state for all netfilter-persistent plugins, including iptables-persistent, using each plugin’s own method.
These files are in a format that can be efficiently read by iptables but they aren’t easy to maintain.
I have created well-documented configuration scripts for my iptables rules, which I’ve saved in the same directory.
# ls -l /etc/iptables
total 16
-rwxr-xr-- 1 root root 2241 Jul 3 20:14 conf.v4
-rwxr-xr-- 1 root root 828 Jul 3 20:14 conf.v6
-rw-r--r-- 1 root root 980 Jul 3 20:29 rules.v4
-rw-r--r-- 1 root root 769 Jul 3 20:29 rules.v6
This is an extract from my IPv4 configuration.
#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin

# Delete existing rules.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# INPUT chain
#
# All packets that are addressed to this computer.
#
# Drop all traffic as the default policy.
iptables -P INPUT DROP
# Accept all return traffic for initiated connections.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept all traffic that hasn't come from ppp0 (internet).
iptables -A INPUT ! -i ppp0 -j ACCEPT
# Accept all ICMP traffic: pings etc.
iptables -A INPUT -p icmp -j ACCEPT
# Reject any other traffic.
iptables -A INPUT -j REJECT

# ...

# Save the iptables ruleset for use by iptables-persistent on boot.
iptables-save > /etc/iptables/rules.v4
I can easily make changes by modifying and then running my configuration script, which applies the rules and also saves them for iptables-persistent to use at boot.
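Because whatever ends up in rules.v4 is what iptables-persistent restores on the next boot, it is worth checking that file before trusting it. The following is an added example, not part of the original post or of iptables-persistent: it parses the iptables-save format, confirms the dump was not truncated (it ends with COMMIT), checks that the filter INPUT and FORWARD policies are DROP (stricter than the extract above, which only shows INPUT) and that an ESTABLISHED,RELATED accept rule is present. The function names and the sample dump are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an iptables-save style
# file such as /etc/iptables/rules.v4 before iptables-persistent restores it at boot.
# Function names (default_policy, check_rules_file) are this example's own.

# Print the default policy of CHAIN in TABLE from an iptables-save dump.
# Policy lines look like ":INPUT DROP [0:0]" below a "*filter" table header.
default_policy() {
    file=$1; table=$2; chain=$3
    awk -v t="*$table" -v c=":$chain" '
        $1 == t { in_table = 1; next }
        /^\*/   { in_table = 0 }
        in_table && $1 == c { print $2; exit }
    ' "$file"
}

# Return 0 when the dump ends with COMMIT (not a truncated save), the filter
# INPUT and FORWARD policies are DROP, and an ESTABLISHED,RELATED accept rule
# exists; otherwise print the reason and return 1.
check_rules_file() {
    file=$1
    [ -r "$file" ] || { echo "$file: not readable"; return 1; }
    grep -q '^COMMIT$' "$file" || { echo "$file: no COMMIT line, truncated save?"; return 1; }
    for chain in INPUT FORWARD; do
        pol=$(default_policy "$file" filter "$chain")
        [ "$pol" = DROP ] || { echo "$file: $chain policy is '${pol:-missing}', expected DROP"; return 1; }
    done
    grep -q -- '--state ESTABLISHED,RELATED -j ACCEPT' "$file" ||
        { echo "$file: no ESTABLISHED,RELATED accept rule"; return 1; }
    echo "$file: ok"
}

# Constructed sample in iptables-save format (not taken from the post).
sample=$(mktemp)
cat > "$sample" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT ! -i ppp0 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
check_rules_file "$sample"
rm -f "$sample"
```

Running `check_rules_file /etc/iptables/rules.v4` at the end of the configuration script, after the iptables-save line, catches a bad save before the next reboot picks it up.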