On Debian systems, iptables is the classic command-line tool for managing the kernel's netfilter packet filter and a key component for securing servers. A freshly installed Debian system has no filtering rules, and on recent releases the iptables package itself may not be installed (Debian 10 and later use nftables by default, with the iptables command provided as a compatibility front end over it). For a machine used as a network server, configuring the firewall is a necessary step: it limits the exposed attack surface to the services you actually intend to offer.
1. Check iptables Installation Status
First, verify if iptables is installed on your system. Execute the following command in the terminal:
whereis iptables
If the output shows path information like the following, iptables is installed:
iptables: /sbin/iptables /usr/share/iptables /usr/share/man/man8/iptables.8.gz
If not installed, use the package manager to install it:
sudo apt update
sudo apt install iptables
2. View Current iptables Rules
Use the following command to view the current firewall rules:
sudo iptables -L -n
If the output shows the policy of every chain (INPUT, FORWARD, OUTPUT) as ACCEPT with no rules under them, the packet filter is active but accepts everything: nothing is being blocked yet.
3. Configure Basic Firewall Rules
It is recommended to keep the configuration in a rules file (the format that iptables-save and iptables-restore use) rather than adding temporary rules directly from the command line, which are lost on reboot and hard to review. Create a new rule file:
sudo nano /etc/iptables.rules
Copy the following rules into the file. They implement a "default deny, explicit allow" policy for IPv4: the loopback interface, replies to connections the server itself opened, and a few named services are allowed; everything else inbound is rejected:
*filter
# Chain policies: anything not matched by a rule below is dropped. The final
# REJECT rules normally fire first; the policy is a backstop if they are removed.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Allow all traffic on the local loopback (lo) interface
-A INPUT -i lo -j ACCEPT
# Allow replies to connections this host initiated, plus related traffic such as
# ICMP errors ("-m conntrack --ctstate" is the current form of the older "-m state")
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic (can be restricted as needed)
-A OUTPUT -j ACCEPT
# Allow new inbound HTTP (80) and HTTPS (443) connections
-A INPUT -p tcp -m conntrack --ctstate NEW --dport 80 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW --dport 443 -j ACCEPT
# Allow new inbound SSH (22) connections (restrict the source; see the note below)
-A INPUT -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT
# Allow ICMP echo requests (ping); echo replies to our own pings match ESTABLISHED above
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Log what is about to be rejected, rate-limited to 5 lines/min (read with journalctl -k)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject everything else inbound or forwarded. These must stay last: rules are
# matched top to bottom and the first match wins.
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
Important Note: The above rules allow SSH (port 22), HTTP (port 80) and HTTPS (port 443) from any source. In a production environment, restrict SSH to specific management IP addresses rather than exposing it to the whole Internet; password-guessing traffic against port 22 is constant on any Internet-facing host. Replace the SSH line above with a rule that names the permitted source (replace your_trusted_ip with a single address or a CIDR range, for example 203.0.113.10 or 203.0.113.0/24):
# Replace the default SSH rule to allow only a specific source
-A INPUT -p tcp -s your_trusted_ip -m conntrack --ctstate NEW --dport 22 -j ACCEPT
Note also that iptables filters IPv4 only. If the server has a public IPv6 address, an equivalent ip6tables rule set is required, or these services remain unfiltered over IPv6.
Save the file (in nano, press Ctrl+O, then Enter), then exit (press Ctrl+X).
4. Apply Firewall Rules
Use the following command to load the rules from the file; they take effect immediately, and iptables-restore applies the whole table atomically, so either every rule loads or none does:
sudo iptables-restore < /etc/iptables.rules
If you are working over SSH, double-check the SSH allow rule first: a typo there ends your session along with everyone else's. iptables-restore has a --test option that parses the file without committing it, and keeping console or out-of-band access available while applying new rules is good practice. Afterwards, run sudo iptables -L -n -v again to verify that the rules loaded as written and watch the per-rule packet counters move.
5. Set iptables to Load Automatically on Boot
Rules loaded with iptables-restore live only in kernel memory and are gone after a reboot. To reload them automatically, hook into the ifupdown network scripts. Note that scripts in /etc/network/if-pre-up.d/ run only for interfaces configured in /etc/network/interfaces; if the server uses NetworkManager or systemd-networkd instead, install the iptables-persistent package, whose netfilter-persistent service loads /etc/iptables/rules.v4 and /etc/iptables/rules.v6 at boot.
Create a script that runs before network interfaces come up:
sudo nano /etc/network/if-pre-up.d/iptables
Add the following content:
#!/bin/sh
# Load the saved IPv4 rules before the interface is brought up. ifupdown runs
# this once per interface; iptables-restore replaces the whole table each time,
# so repeated runs are harmless. If the file fails to load, the script exits
# non-zero and ifup aborts bringing the interface up, so test changes first.
/sbin/iptables-restore < /etc/iptables.rules
After saving and exiting, make the script executable (ifupdown skips files that are not executable, and the file name must not contain a dot):
sudo chmod +x /etc/network/if-pre-up.d/iptables
Now, each time the system boots or an interface is brought up with ifup, the rules defined in /etc/iptables.rules are loaded automatically.
6. Save Current Rules (Optional)
You can also dump the rules currently loaded in the kernel back into the file, for example after adjusting a rule interactively:
sudo iptables-save > /etc/iptables.rules
Be aware that iptables-save writes the kernel's view of the rules: your comments are gone and the chain headers carry packet and byte counters. Review the file afterwards, and keep a copy of the commented version if you want to preserve it.
Security Recommendations and Next Steps
- Restrict SSH Access: As mentioned, limit SSH port (22) access to the management IP ranges that need it.
- Cover IPv6 Too: iptables filters IPv4 only. If the server is reachable over IPv6, write a matching rule set for ip6tables (ip6tables-save and ip6tables-restore use the same file format). That rule set must additionally allow ICMPv6, which IPv6 needs for neighbour discovery; otherwise the services you filtered for IPv4 are wide open on the other address family.
- Consider Using UFW: For beginners, ufw (Uncomplicated Firewall) on Debian provides a simpler command-line interface that manages the iptables rules for you.
- Review Rules Regularly: Use iptables -L -n -v to view per-rule packet and byte counters, and adjust the rules to match the services actually running on the server.
- Mind Rule Order: iptables rules are matched in order; the first matching rule takes effect. Allow rules must come before the final reject rules, or they will never match.
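The rule-order and SSH-restriction points above, and the risk of locking yourself out when applying a new rule set over SSH (section 4), can all be handled mechanically before the file reaches iptables-restore. The following POSIX shell script is an added example, not part of the original tutorial or of the iptables project: it lints a rules file in iptables-restore format for rules shadowed by an unconditional REJECT, DROP or ACCEPT earlier in the same chain and for SSH accept rules without a -s source restriction (or with the your_trusted_ip placeholder still in place), and its apply_with_rollback function reinstates the previous rule set after a timeout unless you confirm from a still-working session. The function names, the 203.0.113.x addresses and the two embedded rule sets are this example's own constructions; it assumes awk, mktemp and nohup are available, as on any Debian system.

```shell
#!/bin/sh
# Added example: lint an iptables-restore rules file and apply it with an
# automatic rollback. Function names and sample rule sets are this example's
# own, not the tutorial's.

# Fail if any rule is appended to a chain after an unconditional terminating
# rule in that chain (e.g. "-A INPUT -j REJECT"): such rules can never match.
rules_order_ok() {
    awk '
        BEGIN { bad = 0 }
        $1 == "-A" {
            chain = $2
            if (chain in closed) { print "unreachable: " $0; bad = 1; next }
            if (NF == 4 && $3 == "-j" && ($4 == "REJECT" || $4 == "DROP" || $4 == "ACCEPT"))
                closed[chain] = 1
        }
        END { exit bad }
    ' "$1"
}

# Fail if a rule accepts TCP/22 from any source, or if the tutorial's
# your_trusted_ip placeholder was never replaced with a real address.
ssh_restricted() {
    awk '
        BEGIN { bad = 0 }
        $1 == "-A" && $2 == "INPUT" && /--dport 22( |$)/ && /-j ACCEPT/ {
            if ($0 !~ / (-s|--source) /) { print "SSH open to all sources: " $0; bad = 1 }
            if ($0 ~ /your_trusted_ip/)  { print "placeholder not replaced: " $0; bad = 1 }
        }
        END { exit bad }
    ' "$1"
}

# Run both lint checks and, when privileged, let iptables-restore parse the
# file without committing it (--test).
check_rules_file() {
    _ok=0
    rules_order_ok "$1" || _ok=1
    ssh_restricted "$1" || _ok=1
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$1" || _ok=1
    fi
    return $_ok
}

# Apply FILE (after the checks) and schedule a restore of the previous rules in
# TIMEOUT seconds (default 60). If you are still connected afterwards, kill the
# printed PID to keep the new rules; if the rules cut your SSH session, access
# comes back by itself when the timer fires.
apply_with_rollback() {
    file=$1; timeout=${2:-60}
    check_rules_file "$file" || return 1
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    iptables-restore < "$file" || return 1
    # nohup keeps the timer alive if this shell's SSH session drops
    nohup sh -c "sleep $timeout; iptables-restore < $backup" >/dev/null 2>&1 &
    echo "Rules applied. Still connected? Run: kill $!   (rollback in ${timeout}s otherwise)"
}

# Constructed sample rule set that passes: SSH limited to one management host.
GOOD_RULES=$(mktemp)
cat > "$GOOD_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW --dport 80 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW --dport 443 -j ACCEPT
-A INPUT -p tcp -s 203.0.113.10 -m conntrack --ctstate NEW --dport 22 -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF

# Constructed sample with three copy-paste mistakes: SSH open to everyone, the
# placeholder left in on a second SSH rule, and HTTPS appended below the REJECT.
BAD_RULES=$(mktemp)
cat > "$BAD_RULES" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT
-A INPUT -p tcp -s your_trusted_ip -m conntrack --ctstate NEW --dport 22 -j ACCEPT
-A INPUT -j REJECT
-A INPUT -p tcp -m conntrack --ctstate NEW --dport 443 -j ACCEPT
COMMIT
EOF

# Stand-alone demo: the first file passes both lint checks, the second fails.
for f in "$GOOD_RULES" "$BAD_RULES"; do
    if rules_order_ok "$f" && ssh_restricted "$f"; then echo "$f: OK"; else echo "$f: problems found"; fi
done
```

To use it on a real server, source the script and run `apply_with_rollback /etc/iptables.rules 90` from your SSH session; the lint runs first, and only a kill of the printed PID makes the change permanent. The order check treats any rule with no match criteria and a REJECT, DROP or ACCEPT target as closing its chain, which is exactly the "allow rules before the final reject" mistake the recommendations warn about.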
By following these steps, you have established a basic firewall configuration on your Debian server, which can effectively block unauthorized access and provide a first layer of security for your services.