Loading iptables rules on startup

By default iptables is set up on Debian etch, but no rules are configured. In this tutorial we'll configure some rules and load them into iptables on startup.

1. Rules file

Create a new file that will contain a shell script to insert rules into iptables (pico /etc/firewall-rules.sh) and add this content as a template:

#!/bin/sh
IPT="/sbin/iptables"

echo -n "Loading iptables rules..."

# Flush old rules and delete any user-defined chains
$IPT --flush
$IPT --delete-chain

# By default, drop everything except outgoing traffic
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# Allow incoming and outgoing for loopback interfaces
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# ICMP rules (echo requests are rate-limited to 5 per second)
$IPT -A INPUT -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type timestamp-request -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type timestamp-reply -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block new connections without SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Allow established connections:
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# HTTP and HTTPS
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Block fragments and Xmas tree as well as SYN,FIN and SYN,RST
$IPT -A INPUT -p ip -f -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Anti-spoofing rules (200.200.200.200 is an example address; drop the
# 192.168.0.0/24 rule if this host legitimately receives traffic from that network)
$IPT -A INPUT -s 200.200.200.200 -j DROP
$IPT -A INPUT -s 192.168.0.0/24 -j DROP
$IPT -A INPUT -s 127.0.0.0/8 -j DROP

echo "rules loaded."

You can customize this file as required; check the iptables manual for parameters and options.


Change the permissions to make the file executable by root:

chown root /etc/firewall-rules.sh
chmod 700 /etc/firewall-rules.sh

2. Load rules shell script on startup

Add this line to the stanza for your default network interface, above its address line (pico /etc/network/interfaces):

pre-up /etc/firewall-rules.sh

Now the iptables rules are reloaded every time the network interface is brought up, including when the system is restarted.
