Configure a basic iptables firewall for debian

Postby Hallvor » 2014-09-20 16:57

What is a firewall?
A personal firewall is an application which controls a computer's network traffic, permitting or denying communications based on a security policy.

In this howto we will use iptables to make a basic personal firewall for your desktop computer. This howto should work on all versions of Debian and on other distros with Iptables as well. Iptables is a very powerful and flexible tool, so there are a plethora of options for servers and desktop computers.

What these configurations will result in:
A firewall that protects from unwanted incoming (Internet and LAN) connection attempts.
It will hide the computer from port scans by not responding to unsolicited network traffic.

What these configurations won't do:
Block outgoing connection attempts. This includes software that «phones home», or malware trying to connect to its owner. (But if you have malware, it will probably have root access and disable or open ports in your firewall anyway.)

Configuring iptables:
Iptables should be installed in Debian by default, so all we have to do is open the CLI and issue a few commands as root:

Allow all loopback traffic, but reject all traffic to 127.0.0.* that does not use lo
Code: Select all
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT


Allow established sessions to receive traffic
Code: Select all
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


Allow all outbound connections
Code: Select all
# iptables -A OUTPUT -j ACCEPT


Drop all other incoming network traffic:
Code: Select all
# iptables -A INPUT -j DROP


Drop all traffic from your LAN to the Internet through your computer:
Code: Select all
# iptables -A FORWARD -j DROP


This step is optional: If you want to log the iptables denied calls, issue the following command:
Code: Select all
# iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7


Let us check if it looks right with the following command:

Code: Select all
# iptables -L -v


The output should be like this:

Code: Select all
root@debian-netbook:/home# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   100 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 REJECT     all  --  !lo    any     anywhere             loopback/8           reject-with icmp-port-unreachable
  492  257K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
  294 41548 DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  508  105K ACCEPT     all  --  any    any     anywhere             anywhere
root@debian-netbook:/home#



Persistent settings

Iptables will not remember the settings between boots, so we need to install a package called iptables-persistent to fix that.

Code: Select all
# apt-get install iptables-persistent


You will now be met by a configuration screen, where you must press yes to save the settings. (If you at a later point change any of the iptables rules, you must type (as root)

Code: Select all
# dpkg-reconfigure iptables-persistent


to make the new rules persistent.)

All done!

Credits: Thanks to those who have helped me. You know who you are.
See also:
https://wiki.debian.org/DebianFirewall
http://pclinuxoshelp.com/index.php/Iptable_ruleset (Many examples on this page.)
Last edited by Hallvor on 2017-05-13 07:18, edited 15 times in total.
Intel Core i5 3320-M CPU @ 2.60 GHz, 6 GB RAM, Intel HD 4000 graphics, 300 GB HDD, Debian Stretch (KDE)

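The ruleset from the howto above, as an added example script that is not part of the original post or of Debian: it applies the same rules in one idempotent run (flushing first, since plain -A appends and re-running the commands duplicates every rule) and places the optional LOG rule above the final DROP, because a rule appended after "-A INPUT -j DROP" is never reached. The function names (firewall_rules, rule_position, rules_are_ordered, apply_rules) and the IPT variable are this example's own; it assumes iptables is on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): the howto's ruleset as an
# idempotent script. It flushes first (plain -A appends, so re-running the
# post's commands duplicates every rule) and puts the optional LOG rule
# before the final DROP, because a rule appended after "-A INPUT -j DROP"
# never matches. Assumes iptables is on PATH; set IPT=echo for a dry run.
IPT="${IPT:-iptables}"
# Emit the ruleset, one iptables argument list per line, in apply order.
firewall_rules() {
    cat <<'EOF'
-F INPUT
-F FORWARD
-F OUTPUT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
EOF
}
# 1-based position of the first rule matching PATTERN, or 0 if absent.
rule_position() {
    firewall_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1 | grep . || echo 0
}

# iptables walks a chain top to bottom and stops at the first terminating
# target, so LOG must precede the catch-all DROP and the loopback ACCEPT
# must precede the loopback REJECT. Checked before anything is applied.
rules_are_ordered() {
    [ "$(rule_position '-j LOG')" -lt "$(rule_position '-A INPUT -j DROP')" ] &&
    [ "$(rule_position '-i lo -j ACCEPT')" -lt "$(rule_position '! -i lo')" ]
}

# Apply each rule through $IPT; eval keeps the quoted log prefix as one
# argument. Chain policies stay ACCEPT as in the post, so the appended
# DROP is the floor (and the chains are open for the instant after -F).
apply_rules() {
    rules_are_ordered || { echo "refusing to apply: misordered ruleset" >&2; return 1; }
    firewall_rules | while IFS= read -r rule; do
        eval "$IPT $rule"
    done
}
# "sh firewall.sh apply" as root installs the rules; with no argument the
# file only defines functions, so it can be sourced or tested.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

After applying, `iptables -L -v` should list INPUT in the order lo ACCEPT, loopback REJECT, ESTABLISHED,RELATED ACCEPT, LOG, DROP; iptables-persistent still needs to be reconfigured afterwards, exactly as the howto describes.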
Re: Configure a basic firewall for a desktop

Postby Spock » 2014-09-20 17:04

Using Debian Wheezy stable (with Gnome) & Debian Jessie testing (with KDE)

Re: Configure a basic firewall for a desktop

Postby RexanaCCk » 2014-10-09 10:28

Your post, Hallvor, is very helpful. I've always used a firewall for security purposes and it helped me a lot. Great post there. 8)
Rexana Cullen

Re: Configure a basic firewall for a desktop

Postby Hallvor » 2014-10-10 20:47

I am glad you found it helpful. :)

Re: Configure a basic firewall for a desktop

Postby andre@home » 2014-10-11 06:50

I'm using this one on my 2 Webdav servers with Debian 6:
http://goodworkaround.com/node/32
Only added port 443 for https; the rest is closed.
Very basic but strong FW rules imho.
(so thanks to that author..)

Re: Configure a basic firewall for a desktop

Postby milomak » 2014-10-12 01:58

Is this more/less efficient than letting your router be the firewall?
iMac - MacOS and Windows 10 (Bootcamp)/ Debian Sid (External SSD)
Laptop (64-bit) - Debian Sid, Win10,
Kodi Box - Debian Sid

Re: Configure a basic firewall for a desktop

Postby Hallvor » 2014-10-13 18:05

I think it does roughly the same job. The advantage of having it on your router is that it firewalls all computers behind it. The advantage of having a firewall on your computer is obviously on a public wifi.

Both my router and my computers are all firewalled.

Re: Configure a basic iptables firewall for debian

Postby Hallvor » 2017-05-13 07:16

Added example output.