isalazyadmin.net

Just a place to braindump my thoughts, talk about IT and other random stuff.

Configuring a basic firewall for Debian Linux

A firewall is the first line of defense for any host on a network and will block most incoming attacks. In Linux, firewall rules are set with iptables. Setting up iptables for the first time can be complex, and for this reason most Linux beginners I know do not set up even a basic firewall. This is a pity, as setting up some basic firewall rules is easy and should only take you about 15 minutes.

Below I will describe the setup of a basic firewall in Debian Linux. We will also configure the firewall rules in such a way that they load when the computer is booted.

Creating the needed files.

First we will create a file that will store the firewall rules. This file will be used to load the iptables rules after the computer is booted. We will call the file ‘iptables.conf’.

touch /etc/iptables.conf

Showing and clearing existing iptables rules.

First we will check if there are any iptables rules active. To do this, enter the following command.

iptables -L

You should get an output like the one below.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

As you can see, we are accepting everything from everyone at the moment. If your output differs from the one above, make sure to clear your iptables configuration first with the following commands.

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X

Then check the rules again with ‘iptables -L’ to see if you get an output without any rules defined.

Setting up the new iptables rules.

Now we will edit the file ‘/etc/iptables.conf’ we created earlier and add some iptables rules to it so we can get a basic firewall working. First we open the file.

nano /etc/iptables.conf

Now copy and paste the following code in ‘/etc/iptables.conf’

*filter

# This will allow all loopback (lo0) traffic and reject all traffic to 127/8
# that does not arrive on lo0 (the negation goes before the option: "! -i lo";
# the older form "-i ! lo" is deprecated and newer iptables releases warn about it)
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

#  This accepts all already established connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# This allows all outbound traffic
-A OUTPUT -j ACCEPT

# This will allow HTTP and HTTPS connections from anywhere; these are the normal
# ports used for a web server
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ICMP ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Reject all other inbound traffic
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

Applying the new iptables rules.

Now we will apply the rules with the following command. When done, you can check the changes again with ‘iptables -L’.

iptables-restore < /etc/iptables.conf

Reloading rules on system boot up.

Now we need to ensure that the iptables rules are set again when we reboot the PC. At the moment the changes will be lost on reboot and the system will go back to allowing everything from everyone. Open the following file: ‘/etc/network/interfaces’.

nano /etc/network/interfaces

Now add the following line, ‘pre-up iptables-restore < /etc/iptables.conf’, just after ‘iface lo inet loopback’ as shown below. Note that the rest of the file is omitted.

auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/iptables.conf

# The primary network interface

Testing the firewall settings.

The only thing left to do is to test the firewall rules. We will do this by shutting down and rebooting the system.

shutdown -r now

After the system has rebooted and you are logged back in, issue the ‘iptables -L’ command to check that your rules were loaded on system startup.
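As an added example that is not part of the original post, the script below wraps the steps above in one file: it generates the same ruleset (with two modernisations: ‘! -i lo’ instead of the intrapositioned ‘-i ! lo’, which newer iptables releases warn about, and ‘-m conntrack --ctstate’ instead of ‘-m state’), lints it for the mistakes that would leave the host open, dry-runs it with ‘iptables-restore --test’, and only then loads it. The function names and the lint checks are my own; the file path /etc/iptables.conf is the one used above, and the boot hook in /etc/network/interfaces is left exactly as described.

```shell
#!/bin/sh
# Added example, not from the original post. Generates, checks and loads the
# basic Debian firewall ruleset described in the walkthrough.
# Function names and the checks in check_ruleset are my own choices.

# Emit the ruleset on stdout. Mirrors the post's rules, using the
# extrapositioned negation and the conntrack match that current iptables expects.
build_ruleset() {
    cat <<'EOF'
*filter
# loopback traffic in, and nothing addressed to 127/8 from other interfaces
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# replies to connections this host opened
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# all outbound traffic
-A OUTPUT -j ACCEPT
# services offered to the network: HTTP, HTTPS, SSH, ping
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# catch-all: everything not matched above is rejected
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
}

# Lint a ruleset read from stdin. Returns 0 if it passes, 1 (with a reason on
# stderr) otherwise. The checks target mistakes that leave the host wide open
# because the chain policies stay ACCEPT: a missing COMMIT (nothing is loaded),
# a missing final catch-all, or the deprecated negation syntax.
check_ruleset() {
    rules=$(cat)
    # drop comment and blank lines before looking at structure
    body=$(printf '%s\n' "$rules" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$')
    first=$(printf '%s\n' "$body" | head -n 1)
    last=$(printf '%s\n' "$body" | tail -n 1)
    if [ "$first" != "*filter" ]; then
        echo "check: ruleset must start with *filter" >&2; return 1
    fi
    if [ "$last" != "COMMIT" ]; then
        echo "check: ruleset must end with COMMIT, otherwise nothing is applied" >&2; return 1
    fi
    # "-i ! lo" style negation: deprecated, write "! -i lo"
    if printf '%s\n' "$body" | grep -Eq -- '-[a-zA-Z]+ ! '; then
        echo "check: intrapositioned negation found; write '! -i lo' instead of '-i ! lo'" >&2; return 1
    fi
    # the last rule appended to INPUT and FORWARD must be a catch-all deny
    for chain in INPUT FORWARD; do
        last_rule=$(printf '%s\n' "$body" | grep -- "^-A $chain " | tail -n 1)
        case "$last_rule" in
            "-A $chain -j REJECT"|"-A $chain -j DROP") ;;
            *) echo "check: $chain has no final catch-all REJECT/DROP; with policy ACCEPT it is open" >&2; return 1 ;;
        esac
    done
    return 0
}

# Lint the file, dry-run it with iptables-restore --test, then load it. Root only.
apply_ruleset() {
    file=$1
    check_ruleset < "$file" || return 1
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply: run as root" >&2; return 1
    fi
    iptables-restore --test < "$file" || return 1
    iptables-restore < "$file"
}

# Without arguments: print the ruleset and lint it (safe on any machine).
# With "apply": write it to /etc/iptables.conf and load it.
if [ "${1-}" = "apply" ]; then
    build_ruleset > /etc/iptables.conf
    apply_ruleset /etc/iptables.conf
else
    build_ruleset
    build_ruleset | check_ruleset && echo "ruleset passes the checks" >&2
fi
```

Run it as root with the argument ‘apply’ to write and load the rules; without an argument it only prints and lints the ruleset. The lint matters because the chain policies stay ACCEPT: a ruleset that loads without its final ‘-A INPUT -j REJECT’, or that never reaches COMMIT, looks fine on the screen but protects nothing. If you apply it over SSH, the ESTABLISHED,RELATED rule keeps your current session alive.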

There, you did it! You have just set up a very basic firewall that blocks all incoming traffic except for SSH (port 22), HTTP (port 80) and HTTPS (port 443). It was not hard, was it? And it only took a few minutes!

You might have noticed I do not block any outbound traffic. Why I decided to do this is explained in a blog post here.