If you read our previous article Easy Debian Server Firewall, then you may have noted that on Debian Jessie the described method no longer works. This is due to systemd. In the article below we will walk through creating a persistent IPTables based firewall on Debian Jessie. First we need to install some required software packages. As seen in the command below, install iptables-persistent
. Next we will make netfilter-persistent
run at boot. This is the most important step as it will ensure your rules are reloaded at boot time.
# Install IPTables Persistent Package apt-get install -y iptables-persistent # Add netfilter-persistent Startup invoke-rc.d netfilter-persistent save # Start netfilter-persistent Service service netfilter-persistent start
Once the packages above are installed, you will have a new directory at /etc/iptables/
. This directory holds the IPTables filter rules that will be reloaded at boot time. These files are named rules.v4
and rules.v6
respectively. IPV4 rules are loaded into rules.v4
and IPV6 rules are loaded into rules.v6
. For the purpose of this article we will focus on IPV4 rules. Next we will want to copy the rules below into our rules.v4
file. Of course the rules will need to be modified to fit your environment.
# Generated by iptables-save v1.3.3 on Wed Apr 9 10:51:08 2008 # Flush out any rules that are already in there *filter :INPUT ACCEPT [146:11332] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [104:9831] # Allow internal loopback connections -A INPUT -i lo -j ACCEPT -A OUTPUT -o lo -j ACCEPT # Allow pinging -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT # Allow any outbound data, and any inbound data related to a connection that is already in use -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT # =========BEGIN SERVER SPECIFIC PORT OPEN RULES========= # Allow SCP/SSH Access from Green & Blue Subnet -A INPUT -s 172.16.12.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -s 10.10.12.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT # Allow HTTP Access from Red Subnet/Internet -A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT # Allow HTTPS Access from Red Subnet/Internet -A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT # Allow MySQL Access from Red Subnet/Internet -A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 3306 -j ACCEPT # Allow FTP Access from Red Subnet/Internet -A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 21 -j ACCEPT -A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 58000:58010 -j ACCEPT # =========END SERVER SPECIFIC PORT OPEN RULES========= # Drop everything that hasn't been picked up by one of the rules above -A INPUT -j DROP -A FORWARD -j DROP -A OUTPUT -j DROP COMMIT # Completed on Wed Apr 9 10:51:08 2008
Lastly, in order for our new rules to take affect, we simply need to restart the netfilter-persistent
service as seen below. That’s it, you now have a fully functional IPTables based firewall.
# Restart netfilter-persistent Service service netfilter-persistent restart # Check if IPTables were applied iptables -L
I get this messages with this code:
root@user1:/etc/iptables# service netfilter-persistent start
Job for netfilter-persistent.service failed. See ‘systemctl status netfilter-persistent.service’ and ‘journalctl -xn’ for details.
root@user1:/etc/iptables#
Any help?
I would recommend reinstalling the netfilter-persistent package and ensure it is running first before making any modifications.
sudo apt-get remove --purge netfilter-persistent ; sudo apt-get install netfilter-persistent
Once you have the service running, then take a stab at adding your rules.
My server is atacked from China. The attacker is
blm3366.com
How could be managed firewall for domain?
Here are server log attempt: REMOVED
I would recommend going to https://www.countryipblocks.net/country_selection.php and creating a block list based on countries you want blocked.
Great article. Thank you.
I needed to call this line before restarting:
sudo service netfilter-persistent save
Otherwise all the rules were wiped and not saved to /etc/iptables/rules.v4