If you read our previous article, Easy Debian Server Firewall, you may have noticed that the method it describes no longer works on Debian Trixie. This is due to systemd. In this article we walk through creating a persistent IPTables-based firewall on Debian Trixie. First we need to install a required package: as shown in the commands below, install iptables-persistent. Next, enable netfilter-persistent so that it runs at boot. This is the most important step, as it ensures your rules are reloaded at boot time. Finally, stop the service while you edit the rules.
# Install IPTables Persistent Package
apt install -y iptables-persistent

# Enable netfilter-persistent at Startup
systemctl enable netfilter-persistent

# Stop netfilter-persistent Service to Modify Rules
systemctl stop netfilter-persistent
Once the package above is installed, you will have a new directory, /etc/iptables/. This directory holds the IPTables rule sets that are reloaded at boot time, in two files: rules.v4 holds the IPv4 rules and rules.v6 holds the IPv6 rules. For the purpose of this article we focus on IPv4. Next, copy the rules below into rules.v4. Of course, the rules will need to be modified to fit your environment; in particular, double-check the source subnets on the SSH rules before loading them, because a typo there locks you out of the server once the final DROP rule is active.
# d13t base firewall config
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Allow internal loopback connections
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Allow pinging
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Allow any outbound data, and any inbound data related to a connection that is already in use
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# =========BEGIN SERVER SPECIFIC PORT OPEN RULES=========

# Allow SCP/SSH Access from Green and Blue Subnet
-A INPUT -s 172.16.12.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.10.12.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT

# =========END SERVER SPECIFIC PORT OPEN RULES=========

# Drop everything that hasn't been picked up by one of the rules above
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j DROP
COMMIT
# d13t base firewall config
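Because rules.v4 is loaded blind at boot, it is worth reviewing the file before enabling it. The following added example (not from the original article, and not part of iptables-persistent) parses the iptables-save format used by rules.v4 and reports two things a reviewer cares about: chains whose policy is ACCEPT but that lack a final DROP rule, and every INPUT port that is accepted, together with the source network it is limited to. The embedded sample is a constructed copy of the article's base rule set.

```python
import ipaddress
import shlex

RULES_V4 = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 172.16.12.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.10.12.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j DROP
COMMIT
"""  # constructed sample: the article's base rules.v4, masks written as in the file

def parse_rules(text):
    """Return (policies, rules) from iptables-save text; only -A lines become rules."""
    policies, rules = {}, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith(":"):  # chain policy line, e.g. ":INPUT ACCEPT [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A"):  # *filter, COMMIT and comments are ignored
            tokens = shlex.split(line)
            rule = {"chain": tokens[1]}
            for i, tok in enumerate(tokens[:-1]):
                if tok in ("-s", "-p", "--dport", "-j"):
                    rule[tok] = tokens[i + 1]
            rules.append(rule)
    return policies, rules

def audit(text):
    """Return (findings, exposed): chains without a final DROP, and INPUT ports with sources."""
    policies, rules = parse_rules(text)
    findings, exposed = [], []
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        last = [r for r in rules if r["chain"] == chain][-1:]
        if policies.get(chain) == "ACCEPT" and (not last or last[0].get("-j") != "DROP"):
            findings.append(f"{chain}: policy ACCEPT without a final DROP rule")
    for r in rules:
        if r["chain"] == "INPUT" and r.get("-j") == "ACCEPT" and "--dport" in r:
            src = ipaddress.ip_network(r.get("-s", "0.0.0.0/0"), strict=False)
            exposed.append((r.get("-p"), int(r["--dport"]), str(src)))
            if src.prefixlen == 0:
                findings.append(f"INPUT: {r['-p']}/{r['--dport']} accepted from any source")
    return findings, exposed
```

Run audit() on the contents of /etc/iptables/rules.v4 instead of the sample to check your own file; an empty findings list and an exposed list containing only the ports you meant to open is the expected result.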
Lastly, for the new rules to take effect, start the netfilter-persistent service as shown below, then list the active rules to confirm they were loaded. That's it: you now have a fully functional IPTables-based firewall that survives a reboot.
# Start netfilter-persistent Service
systemctl start netfilter-persistent

# Check if IPTables were applied
iptables -L