My research has discovered various ways of loading iptables at boot. I’m not saying this is the best way, but it works very nicely for me. Note that iptables doesn’t currently work on an AMD 64bit K8 architecture.<\/p>\n
I create an iptables ruleset and save it under \/root as myfilters. Mine is listed below:<\/p>\n
# Required for DNS service
\niptables -A INPUT -p udp –sport 53 –dport 53 -j ACCEPT<\/p>\n
# Network Time Protocol
\niptables -A INPUT -p udp –sport 123 –dport 123 -j ACCEPT<\/p>\n
# Allow anything on the Loopback address
\niptables -A INPUT -i lo -j ACCEPT<\/p>\n
# Allow incoming ICMP (such as Ping)
\niptables -A INPUT -p icmp –icmp-type any -j ACCEPT<\/p>\n
# Allow established connections
\niptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT<\/p>\n
# FTP
\niptables -A INPUT -s 82.133.6.112\/29 -m state –state NEW -m tcp -p tcp –dport 21 -j ACCEPT<\/p>\n
# SSH
\niptables -A INPUT -m state –state NEW -m tcp -p tcp –dport 22 -j ACCEPT<\/p>\n
# Telnet
\niptables -A INPUT -s 82.133.6.112\/29 -m state –state NEW -m tcp -p tcp –dport 23 -j ACCEPT<\/p>\n
# SMTP
\niptables -A INPUT -m state –state NEW -m tcp -p tcp –dport 25 -j ACCEPT<\/p>\n
# DNS (tcp & udp)
\niptables -A INPUT -m state –state NEW -m tcp -p tcp –dport 53 -j ACCEPT
\niptables -A INPUT -m state –state NEW -m udp -p udp –dport 53 -j ACCEPT<\/p>\n
# HTTP
\niptables -A INPUT -m state –state NEW -m tcp -p tcp –dport 80 -j ACCEPT<\/p>\n
# POP3
\n#iptables -A INPUT -s 82.133.6.112\/29 -m state –state NEW -m tcp -p tcp –dport 110 -j ACCEPT<\/p>\n
# NNTP
\n#iptables -A INPUT -m state –state NEW -m tcp -p tcp –dport 119 -j ACCEPT<\/p>\n
# Network Time Protocol (tcp & udp)
\niptables -A INPUT -m state –state NEW -m tcp -p tcp –dport 123 -j ACCEPT
\niptables -A INPUT -m state –state NEW -m udp -p udp –dport 123 -j ACCEPT<\/p>\n
# HTTPS
\niptables -A INPUT -m state –state NEW -m tcp -p tcp –dport 443 -j ACCEPT<\/p>\n
# SMTPS
\niptables -A INPUT -m state –state NEW -m tcp -p tcp –dport 465 -j ACCEPT<\/p>\n
# NNTPS
\n#iptables -A INPUT -m state –state NEW -m tcp -p tcp –dport 563 -j ACCEPT<\/p>\n
# Mail Submission
\niptables -A INPUT -m state –state NEW -m tcp -p tcp –dport 587 -j ACCEPT
\niptables -A INPUT -m state –state NEW -m udp -p udp –dport 587 -j ACCEPT<\/p>\n
# Additional SMTP port
\niptables -A INPUT -m state –state NEW -m tcp -p tcp –dport 2525 -j ACCEPT<\/p>\n
# Additional NNTPS port
\n#iptables -A INPUT -m state –state NEW -m tcp -p tcp –dport 5563 -j ACCEPT<\/p>\n
# Privoxy default port
\n#iptables -A INPUT -s 82.133.6.112\/29 -m state –state NEW -m tcp -p tcp –dport 8118 -j ACCEPT<\/p>\n
# Tor default port
\niptables -A INPUT -s 82.133.6.112\/29 -m state –state NEW -m tcp -p tcp –dport 9050 -j ACCEPT<\/p>\n
# Mixminion
\n#iptables -A INPUT -m state –state NEW -m tcp -p tcp –dport 48099 -j ACCEPT<\/p>\n
# Enable the following to log messages to the console
\n# iptables -A INPUT -j LOG –log-level 3<\/p>\n
# Reject anything else
\niptables -A INPUT -j REJECT –reject-with icmp-host-prohibited<\/p>\n
I try and keep the same file across all my machines and then just remark-out the parts I don’t need on a certain box.<\/p>\n
Execute this file with:
\n\/root\/myfilters
\nThen check the ruleset with:
\niptables -L -n<\/p>\n
If all looks good, the ruleset can be saved using:
\niptables-save > \/etc\/iptables
\nObviously the filename is just a matter of choice, it could go anywhere.<\/p>\n
Lastly, a section is required in the \/etc\/network\/interfaces file to activate this config when the interfaces are enabled. This section should be:
\n# The following was added by Steve Crook to read in an iptables
\n# configuration. The \/etc\/iptables file is created using iptables-save
\n# which in turn is created from \/root\/myfilters
\npre-up iptables-restore < \/etc\/iptables\n\nWorth noting that the command: iptables -F can be used to flush all firewall rules. This is much better when testing than using -D and removing them one at a time.\n<\/p>\n","protected":false},"excerpt":{"rendered":"
How to setup iptables on Debian<\/p>\n","protected":false},"author":24,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-12","post","type-post","status-publish","format-standard","hentry","category-debian","entry"],"_links":{"self":[{"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=\/wp\/v2\/posts\/12","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=\/wp\/v2\/users\/24"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=12"}],"version-history":[{"count":0,"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=\/wp\/v2\/posts\/12\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=12"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=12"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.stmellion.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=12"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}