Configure a basic iptables firewall for debian

Hallvor
Global Moderator
Posts: 2029
Joined: 2009-04-16 18:35
Location: Kristiansand, Norway
Has thanked: 139 times
Been thanked: 206 times

#1 Post by Hallvor »

What is a firewall?
A personal firewall is an application which controls a computer's network traffic, permitting or denying communications based on a security policy.

In this howto we will use iptables to make a basic personal firewall for your desktop computer. This howto should work on all versions of Debian and on other distros with Iptables as well. Iptables is a very powerful and flexible tool, so there are a plethora of options for servers and desktop computers.

What these configurations will result in:
A firewall that protects from unwanted incoming (Internet and LAN) connection attempts.
It will hide the computer from port scans by not responding to unsolicited network traffic.

What these configurations won't do:
Block outgoing connection attempts. This includes software that «phones home», or malware trying to connect to its owner. (But if you have malware, it will probably have root access and disable or open ports in your firewall anyway.)

Configuring iptables:
Iptables should be installed in Debian by default, so all we have to do is open the CLI and issue a few commands as root:

Allow all loopback traffic, but reject all traffic to 127.0.0.* that does not use lo

Code:

# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

Allow established sessions to receive traffic

Code:

# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

All outbound connections are allowed as long as there are no rules stating otherwise.

This step is optional: If you want to log the iptables denied calls, issue the following command:

Code:

# iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

Drop all other incoming network traffic:

Code:

# iptables -A INPUT -j DROP

Let us check if it looks right with the following command:

Code:

# iptables -L -v

The output should be like this:

Code:

root@debian:/home/hallvor# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  190 14906 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 REJECT     all  --  !lo    any     anywhere             loopback/8           reject-with icmp-port-unreachable
 492K  728M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
 3047  348K DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 229K packets, 14M bytes)
 pkts bytes target     prot opt in     out     source               destination


Persistent settings

Iptables will not remember the settings between boots, so we need to install a package called iptables-persistent to fix that.

Code:

# apt-get install iptables-persistent

You will now be met by a configuration screen, where you must press yes to save the settings. (If you at a later point change any of the iptables rules, you must type (as root)

Code:

# dpkg-reconfigure iptables-persistent

to make the new rules persistent.)

All done!

Credits: Thanks to those who have helped me. You know who you are.
See also:
https://wiki.debian.org/DebianFirewall
http://pclinuxoshelp.com/index.php/Iptable_ruleset (Many examples on this page.)
Last edited by Hallvor on 2019-02-23 20:51, edited 17 times in total.
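The "check if it looks right" step above can be automated. This is an added example, not part of the original post: it reads `iptables -L -v` output on stdin and verifies that the INPUT chain carries the howto's rules in the right order, which matters because the chain policy is ACCEPT, so a missing or non-final DROP rule leaves the host answering unsolicited traffic. The sample output is constructed from the post; the optional LOG rule before the DROP is accepted.

```shell
#!/bin/sh
# Added example (not from the original post): check that the INPUT chain has the
# rules from the howto in the right order, reading `iptables -L -v` text on stdin.
# Order matters: the chain policy is ACCEPT, so a rule appended after the final DROP
# never matches, and without the DROP every unsolicited packet is accepted.

# Constructed sample, taken from the output shown in the post.
SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  190 14906 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 REJECT     all  --  !lo    any     anywhere             loopback/8           reject-with icmp-port-unreachable
 492K  728M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
 3047  348K DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
'

# check_input_chain: prints each INPUT rule as target/in-iface/match-text and
# returns 0 only if lo ACCEPT, !lo REJECT, ESTABLISHED ACCEPT and a final DROP
# are present in that order (an optional LOG rule before the DROP is allowed).
check_input_chain() {
    awk '
    /^Chain INPUT/ { inchain = 1; next }
    /^Chain /      { inchain = 0 }
    inchain && $3 ~ /^(ACCEPT|REJECT|DROP|LOG)$/ {
        # columns: pkts bytes target prot opt in out source destination [matches]
        extra = ""
        for (i = 10; i <= NF; i++) extra = extra (i > 10 ? " " : "") $i
        n++; target[n] = $3; iface[n] = $6; note[n] = extra
        print $3 "/" $6 "/" extra
    }
    END {
        ok = (n >= 4 &&
              target[1] == "ACCEPT" && iface[1] == "lo" &&
              target[2] == "REJECT" && iface[2] == "!lo" &&
              target[3] == "ACCEPT" && note[3] ~ /ESTABLISHED/ &&
              target[n] == "DROP")
        if (!ok) exit 1
    }'
}

# Self-check on the constructed sample; on a real host run (as root):
#   iptables -L -v | check_input_chain
printf '%s' "$SAMPLE" | check_input_chain >/dev/null && echo "INPUT chain looks right"
```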

Spock
Posts: 49
Joined: 2012-01-03 13:20
Location: Québec, QC, CA

Re: Configure a basic firewall for a desktop

#2 Post by Spock »

Using Debian Jessie oldstable

RexanaCCk
Posts: 3
Joined: 2014-10-05 02:49

Re: Configure a basic firewall for a desktop

#3 Post by RexanaCCk »

Your post, Hallvor, is very helpful. I've always used a firewall for security purposes and it helped me a lot. Great post there. 8)
Rexana Cullen

Hallvor
Global Moderator
Posts: 2029
Joined: 2009-04-16 18:35
Location: Kristiansand, Norway
Has thanked: 139 times
Been thanked: 206 times

Re: Configure a basic firewall for a desktop

#4 Post by Hallvor »

I am glad you found it helpful. :)

andre@home
Posts: 398
Joined: 2011-10-02 08:00

Re: Configure a basic firewall for a desktop

#5 Post by andre@home »

I'm using this one on my 2 Webdav servers with Debian 6:
http://goodworkaround.com/node/32
Only added port 443 for https; the rest is closed.
Very basic but strong FW rules imho.
(so thanks to that author..)

milomak
Posts: 2158
Joined: 2009-06-09 22:20
Been thanked: 1 time

Re: Configure a basic firewall for a desktop

#6 Post by milomak »

Is this more/less efficient than letting your router be the firewall?

Hallvor
Global Moderator
Posts: 2029
Joined: 2009-04-16 18:35
Location: Kristiansand, Norway
Has thanked: 139 times
Been thanked: 206 times

Re: Configure a basic firewall for a desktop

#7 Post by Hallvor »

I think it does roughly the same job. The advantage of having it on your router is that it firewalls all computers behind it. The advantage of having a firewall on your computer is obviously on a public wifi.

Both my router and my computers are all firewalled.

Hallvor
Global Moderator
Posts: 2029
Joined: 2009-04-16 18:35
Location: Kristiansand, Norway
Has thanked: 139 times
Been thanked: 206 times

Re: Configure a basic iptables firewall for debian

#8 Post by Hallvor »

Added example output.
