Setup and Configure Basic iptables on Debian 8 Linux system

In this article we will setup and configure Basic iptables on Linux systems (Debian Family “Debian 8 “jessie”/Ubuntu 14.04, and higher”). This is the first step every experienced sysadmin must do Just after finishing installing the Linux OS “any member in any Family of Linux systems”. I’ll go and configure the iptables rules on Debian 8 “jessie” Linux system.

In Debian Linux Family, iptables firewall kernel module is already loaded in any installation type “Minimal installation, Server installation, Server with GUI installation, etc..”.

We will learn how to configure iptables for basic usage. Set the default chain policy for INPUT, OUTPUT, and FORWARD chains. We will learn how to start, stop, flush and restart the iptables rules, how to secure Debian 8 “jessie” after the installation process, and how to save our rules for loading it at Boot time “make a persistent rule”.

So, Let’s start.

What is Iptables?

Iptables is an administration tool for IPv4 packet filtering and NAT. It’s a simple, a fast, and a powerful firewall installed on most Linux distributions. It’s a tool to secure, filter out, and block Internet traffic from accessing your Linux OS.

Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

We will focus on the use of the default table “filter table”. All our rules in this article will be in this table. It contains the built-in chains INPUT, FORWARD, and OUTPUT. Here’s their definitions:

INPUT: Packets is going to be locally delivered “accepted by Linux OS”.
FORWARD: Packets being routed through the box “send to another interface”. Usually used when you setup Linux as router.
OUTPUT: Packets sent from the machine itself will be visiting this chain.

A firewall rule specifies criteria for a packet and a target. If the packet does not match one rule, the next rule in the chain will be examined; if it does match,then the packet’s target will be checked to determine what action will be taken to that packet. I’ll use three targets ACCEPT, DROP, and REJECT. Here’s their definitions:

ACCEPT means to let the packet through.
DROP means to drop the packet on the floor, and do not send any response.
REJECT means to drop the packet on the floor, and send a message as a response.

Step 1: Installing the required Linux packages

As iptables kernel module is loaded by default, we can manage adding, deleting, and set policies for iptables rules without the need for adding any extra packages. But all rules we added will be a non-persistent rules, it’ll be removed at boot and halt time. This forces us to install extra package “iptables-persistent” which takes over the automatic loading of the saved iptables rules at boot and halt time. To do this run the following command, and accept all OK by pressing ENTER key:

# apt-get -y install iptables-persistent

At this point, we successfully installed iptables-persistent package, and saved the default iptables rules “which accept all connections” to be loaded at boot and halt time. Now let’s proceed with some administrative commands.

Step 2: Netfilter-persistent Administrative Commands

In this section, we will learn how to manage iptables rules on Debian 8 “jessie” using netfilter-persistent command. netfilter-persistent uses a set of plugins to load, flush and save netfilter rules at boot and halt time. It has the following options (start|stop|restart|reload|flush|save). Later we will use the command iptables “found in this location /sbin/iptables” to configure the iptables rules.

Option start is used to apply all rules in /etc/iptables/rules.v4 and /etc/iptables/rules.v6. To apply the saved iptables rules, run the following command:

# netfilter-persistent start

Option stop will remove all applied iptables rules “persistent, and non-persistent”, and will set the INPUT, FORWARD, and OUTPUT chains policy to ACCEPT If and only If the configuration FLUSH_ON_STOP “found in /etc/default/netfilter-persistent” is enabled. Otherwise, emits a warning only. To stop the netfilter, run the following command:

# netfilter-persistent stop

Options restart, and reload have the same effect, they will reload the currently persistent iptables rules found in /etc/iptables/rules.v4 and /etc/iptables/rules.v6. To restart/reload the saved iptables rules, run the following commands:

# netfilter-persistent restart
# netfilter-persistent reload

Option flush will remove all applied iptables rules “persistent, and non-persistent”, and will set the INPUT, FORWARD, and OUTPUT chains policy to ACCEPT, It stops the netfilter. To flush the iptables rules, and chains, run the following command:

# netfilter-persistent flush

Option save will save currently applied (including manually applied rules through cli) iptables rules to /etc/iptables/rules.v4 and /etc/iptables/rules.v6 configuration files, making them persistent rules “applied at boot and halt time”. To save your currently applied iptables rules, run the following:

# netfilter-persistent save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save

At this point you can deal with netfilter-persistent as you wish “start, stop, reload, etc..”. But there is some practical Hints you must be aware with when dealing with some of the above options.

Hints:
1. Reload, and Restart options will only apply the rules found in /etc/iptables/rules.v4 and /etc/iptables/rules.v6 "persistent rules" any non-persistent iptables rules "applied from cli using the iptables command" will not be applied.
2. Flush is a very useful, and secure option to use, it allows all connections to/from your server. But take care of the difference between "netfilter-persistent flush", and "iptables -F". "iptables -F" will only remove the applied iptables rules, and will not do anything the chains policies you applying, later we will discuss the command "iptables -F".
3. You will use option save many times, when dealing with iptables on Debian Linux systems.

Step 3: A Look at the default applied iptables rules

Now, after we introduced how to manage the iptables kernel module, it’s time to secure your Debian 8 box. Let’s take a look at the default applied rules found in /etc/iptables/rules.v4 and /etc/iptables/rules.v6. These two files are generated after installing “iptables-persistent” package, I only will focus on the IPv4 addresses, so all my modifications will be in this files “/etc/iptables/rules.v4”. I’ll not use the iptables command in this article to manipulate the iptables rules, I’ll only manipulate /etc/iptables/rules.v4 file with the basic iptables rules to secure my Debian 8 box. All my rules in this file “/etc/iptables/rules.v4” will be applied at boot and halt time because of the existing of “iptables-persistent” package. You can either cat this file or run “iptables -L -n”. Let’s cat /etc/iptables/rules.v4 file:

# cat /etc/iptables/rules.v4 
# Generated by iptables-save v1.4.21 on Tue Jul 5 20:33:42 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Jul 5 20:33:42 2016

If we run the “iptables -L -n” command, we will get the same results:

# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

From the above output, we see that there are no existing rules applied for filter table, and the default policy is ACCEPT for the three chains INPUT, FORWARD, and OUTPUT. The default applied iptables rules are allow everything.

Step 4: Changing the default policy, and securing your Linux Box

Now. it’s time for securing your box, but because most of sysadmins are connecting remotely to their servers, I STRONGLY RECOMMEND TO ADD A CRON JOB TO FLUSH THE IPTABLES SERVICE EVERY 10 MINUTES WHILE YOU ARE WORKING. This to avoid loosing the connections to your server if you put a wrong iptables rule “only you will wait 10 minutes to gain access again”, run the following command to add the cronjob rule:

# crontab -e

And then add this cronjob and save the file:

*/10 * * * * /usr/sbin/netfilter-persistent flush

Now, we safely start securing our Debian 8 box, first of all we can either use iptables command to modify the iptables rules, all added rules will be gone when the system boots “because the added rules are non-persistent”, and this will require us to run “netfilter-persistent save” when we finish to make the added rules persistent OR Go directly and edit “/etc/iptables/rules.v4” file, this will require us to run “netfilter-persistent restart” to apply the added/modified iptables rules. Personally I prefer modifying the iptables file. So, let’s modify it to be like this one

# vim /etc/iptables/rules.v4
# Generated by iptables-save v1.4.21 on Tue Jul 5 20:33:42 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Tue Jul 5 20:33:42 2016

Here’s what I did in the above file. First I changed the default INPUT, and FORWARD chain policy to DROP. This will drop any INPUT, and FROWARD packets that do not have any iptables rules allowing them. When any new packet is delivered to the INPUT or FORWARD chain, it will be checked against the existing iptables rules, if no match found the packet will be dropped “because of the default policy”. We only allow three iptables rules for incoming packets. We allow all established, and related packets exist before applying the new rules. Also, We allow packets generated from the local interface. Finally, We allow external packets for port 22 “packets for SSH service to be able to remotely manage the box”.

Any other packets not defined in the existing three rules, will be dropped. And this is the Basic iptables configuration for securing your Linux box.

Now, let’s apply those iptables rules, as we edited “/etc/iptables/rules.v4” file, we need to reload/restart the netfilter rules. Run the following command:

# netfilter-persistent restart

Hints:
1. The iptables command has option -F, --flush [chain], this will flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.
2. Do not run this command "iptables -F " using the above configuration, as this will remove all the applied iptables rule, and any new packets will be matched against the default chain policy, which is DROP for INPUT, and FORWARD chain. You will lose the SSH connection to your box. But if you can access your machine's console "connected through a native terminal device tty", you can run it. Anyway you can go and try it, as we have a cronjob that flush iptables every 10 minutes.
3. If you are using the iptables command to edit the iptables rules, to make your rules persistent run this command "netfilter-persistent save".

Finally, If everything is well “you did not lose the SSH connection to your server”, we need to remove the cronjob, we created previously. Run the following command to remove the cronjob rule:

# crontab -e

And then remove/comment out that cronjob you created previously, save the file, and exit. Also make sure that iptables rules are applied after removing the cronjob, run the following command again:

# netfilter-persistent restart

Summary

In this article we have explained the meaning of iptables, also we have showed the default table “filter” and it’s three chains “INPUT, FORWARD, and OUTPUT” and their default installation policies “ACCEPT”. We showed you how to control the iptables rules “i.e start, stop, restart, etc…” using netfilter-persistent command. We did our changes to secure our Linux box by direct modify “/etc/iptables/rules.v4” file. we mentioned one tip to use to avoid losing connections to your server if something wrong happened.

I hope this article is good enough for you.
See you in other articles.