How to setup your ipv4 and ipv6 IPtables rules at boot
Newer Debian, Ubuntu and other Linux distributions have been taken over by the conf.d storm. The d in conf.d stands for directory: your configuration can be split up into separate files in a directory, so you can manage them more easily with tools like Ansible.
For now we do it the manual way and just use IPtables and a configuration directory. Let's add some rules to IPtables if you don't have any already.
# Allows all loopback (lo0) traffic
iptables -A INPUT -i lo -j ACCEPT
# Accepts all established inbound connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
iptables -A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allows SSH connections
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
iptables -A INPUT -p icmp -j ACCEPT
# Log iptables denied calls (access via the 'dmesg' command)
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables rejected: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
You can use the same rules for your ipv6 tables; just change the command name from iptables to ip6tables.
# Allows all loopback (lo0) traffic
ip6tables -A INPUT -i lo -j ACCEPT
# Accepts all established inbound connections
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
ip6tables -A OUTPUT -j ACCEPT
Next you can show (and later save) these rules with the following commands:
iptables-save # For ipv4
ip6tables-save # For ipv6
This prints all the currently active rules. Let's create a file to store this output in /etc/iptables/. Create this directory if it does not already exist.
mkdir -p /etc/iptables/
Next up we'll store the output of iptables-save in a file in this directory like this:
iptables-save > /etc/iptables/rules.v4 # For ipv4
ip6tables-save > /etc/iptables/rules.v6 # For ipv6
Go check out the content of those files with:
cat /etc/iptables/rules.v4 # ipv4
cat /etc/iptables/rules.v6 # ipv6
See? Everything you need is in there. You can even edit and add or delete rules in that file if needed.
How do you load the content of this file into iptables after you have edited it? Easy!
iptables-restore < /etc/iptables/rules.v4 # or ip6tables-restore with rules.v6 for ipv6
Done. Your rules are active immediately. Now let's make sure these rules get loaded on a reboot. We will create a shell script that runs on boot, stored as /etc/network/if-pre-up.d/iptables-up.
Inside this script you put the shebang line and the following two restore commands:
#!/bin/sh
/sbin/iptables-restore < /etc/iptables/rules.v4
/sbin/ip6tables-restore < /etc/iptables/rules.v6
Let's make this file executable and let it run on a (re)boot.
chmod +x /etc/network/if-pre-up.d/iptables-up
Don't forget to adjust your firewall rules to what you need, and test the /etc/network/if-pre-up.d/iptables-up script. Reboot the server to test this out; you should do that to make sure the rules really come back.
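The whole procedure above (write the rules files in iptables-save format, check them, load them from a boot hook) as one added shell example; this is not code from the original post. It assumes the same paths the post uses (/etc/iptables/rules.v4, rules.v6 and /etc/network/if-pre-up.d/iptables-up), an iptables-restore that accepts the --test dry-run option, and a hypothetical helper check_rules that statically validates a rules file before it is handed to iptables-restore. Two deliberate differences from the post's rules: the default policy on INPUT and FORWARD is set to DROP as a safety net in case the final REJECT rule is ever deleted, and the ipv6 set accepts ICMPv6, because IPv6 neighbor discovery and path MTU discovery run over ICMPv6 and a host that drops it loses IPv6 connectivity.

```shell
#!/bin/sh
# Added example: generate, sanity-check and install iptables rules files.
# RULES_DIR can be overridden for testing; default matches the post.
RULES_DIR="${RULES_DIR:-/etc/iptables}"

# Print an ipv4 ruleset in iptables-save format (the shape 'iptables-save'
# produces from the post's rules). Default policy DROP as a safety net.
gen_rules_v4() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables rejected: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
}

# Same for ipv6. ICMPv6 must be accepted or neighbor discovery breaks.
gen_rules_v6() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
}

# Hypothetical helper: static check of a file in iptables-save format.
# Every *table block must end with COMMIT, and every -A/-I rule must
# target a chain declared with ':CHAIN' in that table. Returns 0 if sane.
check_rules() {
    awk '
        /^#/ || /^[ \t]*$/ { next }
        /^\*/       { if (open) { print "missing COMMIT before " $0; bad=1 }
                      open=1; split("", chains); next }
        /^:/        { if (!open) { print "chain outside table: " $0; bad=1 }
                      chains[substr($1, 2)]=1; next }
        /^COMMIT$/  { if (!open) { print "COMMIT without table"; bad=1 }
                      open=0; next }
        /^-[AI] /   { if (!open) { print "rule outside table: " $0; bad=1 }
                      if (!($2 in chains)) { print "unknown chain " $2 ": " $0; bad=1 }
                      next }
        { print "unrecognised line: " $0; bad=1 }
        END { if (open) { print "file ends without COMMIT"; bad=1 }
              exit bad }
    ' "$1"
}

# Write both files into $1, refusing to keep a file that fails the check.
write_rules() {
    dir="$1"
    mkdir -p "$dir"
    gen_rules_v4 > "$dir/rules.v4" && check_rules "$dir/rules.v4" || return 1
    gen_rules_v6 > "$dir/rules.v6" && check_rules "$dir/rules.v6" || return 1
}

# The boot hook for /etc/network/if-pre-up.d/iptables-up, extended with a
# dry run ('--test' parses the file without committing it) so a typo in a
# rules file is reported instead of silently applied.
gen_boot_hook() {
    cat <<'EOF'
#!/bin/sh
for v in 4 6; do
    f=/etc/iptables/rules.v$v
    [ "$v" = 4 ] && r=/sbin/iptables-restore || r=/sbin/ip6tables-restore
    [ -r "$f" ] || continue
    "$r" --test < "$f" && "$r" < "$f" || echo "iptables-up: failed to load $f" >&2
done
EOF
}

# Usage (as root): sh this-script.sh install
if [ "${1:-}" = install ]; then
    write_rules "$RULES_DIR" \
        && gen_boot_hook > /etc/network/if-pre-up.d/iptables-up \
        && chmod +x /etc/network/if-pre-up.d/iptables-up
fi
```

Run check_rules on a rules file after every manual edit and before rebooting; it catches the two mistakes that most often leave a host with no firewall after boot, a table block without COMMIT and a rule that appends to a chain that was never declared. The boot hook only reports a load failure, so pair it with a check of the active ruleset (iptables -L -n) after the first reboot.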