How to set up your IPv4 and IPv6 iptables rules at boot


Newer Debian and Ubuntu releases (and other Linux distributions) have embraced the conf.d pattern. The d in conf.d stands for directory: the configuration is split into separate files in a directory, so each piece can be managed more easily with tools like Ansible.

For now we do it the manual way, using iptables and one of those drop-in directories. Let's add some rules to iptables if you don't have any already. Order matters: iptables walks the chain top to bottom and the first matching rule wins, so the accept rules go first and the catch-all reject goes last. If you are doing this over SSH, make sure the SSH rule is in place before you add the final REJECT, or you will lock yourself out.

# Allows all loopback (lo0) traffic
iptables -A INPUT -i lo -j ACCEPT

# Accepts all established inbound connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
iptables -A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Allows new SSH connections (change 22 if sshd listens elsewhere)
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
iptables -A INPUT -p icmp -j ACCEPT

# Log what is about to be rejected, rate limited to 5 entries per minute so a
# port scan cannot flood the kernel log (read the entries with 'dmesg')
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables rejected: " --log-level 7

# Reject all other inbound traffic: default deny unless explicitly allowed.
# -A appends, so these two must be added last or the rules above never match.
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT

You can use the same rules for IPv6, just change iptables to ip6tables. Two things differ. First, ICMPv6 must be allowed: Neighbour Discovery and Router Advertisements run over it, and a host that drops ICMPv6 falls off the IPv6 network. Second, if you only copy the three rules below and leave out the final REJECT, every IPv6 port on the host stays reachable while IPv4 is closed, so finish the IPv6 chain the same way as the IPv4 one.

# Allows all loopback (lo0) traffic
ip6tables -A INPUT -i lo -j ACCEPT

# Accepts all established inbound connections
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
ip6tables -A OUTPUT -j ACCEPT

Next you can print these rules, in a form that can be saved and loaded again, with the following commands:

iptables-save  # For ipv4
ip6tables-save # For ipv6

This prints all the IPv4 rules (ip6tables-save does the same for IPv6). Let's create a file to store this output in /etc/iptables/. Create the directory if it does not already exist.

mkdir -p /etc/iptables/

Next up we'll store the output of iptables to a file in this directory like this:

iptables-save > /etc/iptables/rules.v4 # For ipv4
ip6tables-save > /etc/iptables/rules.v6 # For ipv6

Go check out the content of those files with:

cat /etc/iptables/rules.v4 # ipv4
cat /etc/iptables/rules.v6 # ipv6

See? Everything you need is in there, including the chain policies. You can edit that file by hand to add or delete rules if needed.

How do you load the content of this file in to iptables after you edited them? Easy!

iptables-restore < /etc/iptables/rules.v4 # for IPv6 use ip6tables-restore with rules.v6

Done. Your rules are active immediately: iptables-restore replaces the whole live ruleset with the contents of the file (it flushes the existing chains first unless you pass -n), so verify from a second SSH session before closing the one you are working in. Now let's make sure these rules get loaded on a reboot. We will create a shell script that ifupdown runs before it brings an interface up, stored in your /etc/network/if-pre-up.d/ directory. This hook only fires for interfaces managed by ifupdown (/etc/network/interfaces); on hosts that use netplan or systemd-networkd, install the iptables-persistent package instead, which loads exactly these two files from /etc/iptables/ at boot.

editor /etc/network/if-pre-up.d/iptables-up

Inside this script put the following lines (ifupdown runs it once per interface, which is harmless because iptables-restore replaces the ruleset rather than appending to it):

#!/bin/sh
# Restore both rulesets before the interface comes up, so there is no window
# in which the interface is up and the firewall is empty.
/sbin/iptables-restore < /etc/iptables/rules.v4
/sbin/ip6tables-restore < /etc/iptables/rules.v6

Let's make this file executable so it runs on a (re)boot. The hook directory is processed with run-parts, which skips files that are not executable and files whose names contain anything other than letters, digits, underscores and hyphens.

chmod +x /etc/network/if-pre-up.d/iptables-up

All done!
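The whole procedure above, collected into one script, as an added example that is not code from the original post. It writes rules.v4 and rules.v6 directly in iptables-save format (the same format iptables-save produced above), lints them for the mistakes that bite in practice (no loopback rule, no SSH rule, SSH rule placed after the catch-all deny, no ICMPv6 rule in the v6 file), dry-runs the restore with --test and only then loads them. It goes beyond the rules above in three ways: the INPUT and FORWARD chain policy is DROP so a missing rule fails closed, it uses the conntrack match instead of the older state match, and the IPv6 set accepts ICMPv6. The file paths, the SSH_PORT variable and the lint_rules helper are assumptions of this example; adjust them to your host.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates rules.v4 and
# rules.v6 in iptables-save format, lints them for the usual lock-out and
# IPv6 mistakes, dry-runs the restore and only then loads them.
# RULES_V4, RULES_V6 and SSH_PORT are assumed defaults; override via env.
set -eu

RULES_V4=${RULES_V4:-/etc/iptables/rules.v4}
RULES_V6=${RULES_V6:-/etc/iptables/rules.v6}
SSH_PORT=${SSH_PORT:-22}

# IPv4 ruleset. Writing the file directly lets us set the INPUT/FORWARD chain
# policy to DROP, so a missing rule fails closed instead of open.
gen_v4() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables rejected: " --log-level 7
-A INPUT -j REJECT
COMMIT
EOF
}

# IPv6 ruleset. ICMPv6 carries Neighbour Discovery and Router Advertisements;
# dropping it takes the host off the IPv6 network.
gen_v6() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables rejected: " --log-level 7
-A INPUT -j REJECT
COMMIT
EOF
}

# Sanity-check a saved ruleset before loading it. Prints the problem and
# returns 1 on: missing *filter/COMMIT, no loopback accept, no SSH accept,
# SSH accept placed after the catch-all deny, or (family 6) no ICMPv6 accept.
lint_rules() {
    file=$1
    family=$2
    { grep -q '^\*filter' "$file" && grep -q '^COMMIT' "$file"; } \
        || { echo "$file: missing *filter/COMMIT"; return 1; }
    grep -q -- '^-A INPUT -i lo -j ACCEPT' "$file" \
        || { echo "$file: loopback traffic not allowed"; return 1; }
    ssh_line=$(grep -En -- "--dport $SSH_PORT .*-j ACCEPT" "$file" | head -n 1 | cut -d: -f1)
    deny_line=$(grep -En -- '^-A INPUT -j (REJECT|DROP)' "$file" | head -n 1 | cut -d: -f1)
    [ -n "$ssh_line" ] || { echo "$file: no SSH accept rule; you would lock yourself out"; return 1; }
    if [ -n "$deny_line" ] && [ "$ssh_line" -gt "$deny_line" ]; then
        echo "$file: SSH accept sits after the catch-all deny and never matches"; return 1
    fi
    if [ "$family" = 6 ]; then
        grep -Eq -- '^-A INPUT -p (ipv6-icmp|icmpv6) -j ACCEPT' "$file" \
            || { echo "$file: ICMPv6 not allowed; Neighbour Discovery would break"; return 1; }
    fi
    return 0
}

# Write, lint, dry-run and load. The iptables calls need root and the tools;
# generation and linting run anywhere (for example in CI against a repo copy).
install_rules() {
    mkdir -p "$(dirname "$RULES_V4")" "$(dirname "$RULES_V6")"
    gen_v4 > "$RULES_V4"
    gen_v6 > "$RULES_V6"
    lint_rules "$RULES_V4" 4
    lint_rules "$RULES_V6" 6
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$RULES_V4"    # parse only, nothing applied
        ip6tables-restore --test < "$RULES_V6"
        iptables-restore < "$RULES_V4"           # replaces the live ruleset
        ip6tables-restore < "$RULES_V6"
    fi
}

if [ "${1:-}" = install ]; then
    install_rules
fi
```

Run it as root with the argument install to write and load both files; without root it only writes and lints, which is a convenient way to check a hand-edited rules.v4 or rules.v6 before the if-pre-up.d hook loads it at the next boot. Because the files end up in /etc/iptables/ under the same names, the hook script above and the iptables-persistent package both pick them up unchanged.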

Recap


Don't forget to adjust the firewall rules to what you need, and test the /etc/network/if-pre-up.d/iptables-up script. Reboot the server to verify that the rules come back, and keep a way in (console access or a second session) in case they don't.

