Installation of IPTables Debian 12

To install iptables, use the following command:

$ apt-get install iptables

It's important to note that making changes to your firewall without proper knowledge can lock you out of your system. 


Persisting iptables rules
Iptables rules are not persisted across reboots: if you restart the server, your rules are lost and the firewall is effectively disabled.
To persist your rules, use the iptables-persistent package. It saves your rules to a file and loads them when the server starts.

To install the iptables-persistent package, use the following command:

$ apt-get install iptables-persistent


You can use the iptables-save and iptables-restore commands to save and load your rules.

To save your current rules to a file, you can use the following command:

$ iptables-save > /etc/iptables/iptables.v4
# or 
$ iptables-save > /etc/iptables/iptables

To load your saved rules when your server starts, add the following line to your /etc/rc.local or /etc/init.d/firewall file:

$ iptables-restore < /etc/iptables/iptables.v4
# or
$ iptables-restore < /etc/iptables/iptables


Basic Configuration
Before making any changes, it's a good practice to check the current IPTables rules. To list all current rules, you can use:

$ iptables -L -v -n


Setting Default Policies
Setting default policies is an important step in configuring your firewall.


First allow SSH traffic on the default SSH port 22, or you will be locked out.
Note: if you use a different port, replace --dport 22 with your port number.

To allow incoming SSH connections on port 22, you use:

$ iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT


Remember, setting the default INPUT policy to DROP blocks all traffic that no rule accepts; that is why the SSH rule was added first.

$ iptables -P INPUT DROP
$ iptables -P FORWARD DROP
$ iptables -P OUTPUT ACCEPT
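As an added example (not part of the original tutorial): a small POSIX shell script that loads a saved rules file only after checking that it cannot lock you out, covering both the persisting step above and the lock-out warning in this section. It assumes iptables-save and iptables-restore from the iptables package (iptables-restore --test parses and builds the file without committing it) and the file layout shown above; SAVE_CMD, RESTORE_CMD, BACKUP_DIR and the function names are introduced here so the logic can be tried without root. Note that netfilter-persistent, used in the next section, loads /etc/iptables/rules.v4 rather than /etc/iptables/iptables.v4, so keep the file name you save to consistent with the loader you use.

```sh
#!/bin/sh
# Added example (not from the original tutorial). Load an iptables-save style
# rules file only after two checks, so a typo or a missing SSH rule cannot
# lock you out:
#   1. lockout_check: if the file sets INPUT policy DROP it must also carry an
#      ACCEPT for inbound TCP on the SSH port.
#   2. iptables-restore --test: the file is parsed and built in the kernel
#      without being committed, so syntax errors surface before any change.
# The running rules are backed up with iptables-save before the new set is
# loaded. SAVE_CMD, RESTORE_CMD and BACKUP_DIR are names introduced here
# (assumption) so the logic can be exercised without root.
SAVE_CMD="${SAVE_CMD:-iptables-save}"
RESTORE_CMD="${RESTORE_CMD:-iptables-restore}"

# Print the INPUT chain policy declared in FILE (ACCEPT, DROP, ...).
input_policy() {
    sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p' "$1"
}

# Succeed if FILE has an active (not commented-out) INPUT rule that ACCEPTs
# TCP to PORT, with or without a -s source restriction.
# Usage: ssh_rule_present FILE [PORT]
ssh_rule_present() {
    grep -Eq "^-A INPUT .*-p tcp .*--dport ${2:-22} .*-j ACCEPT\$" "$1"
}

# Refuse a file that would drop all inbound traffic with no SSH exception.
lockout_check() {
    if [ "$(input_policy "$1")" = "DROP" ] && ! ssh_rule_present "$1" "${2:-22}"; then
        echo "refusing $1: INPUT policy is DROP but nothing accepts tcp/${2:-22}" >&2
        return 1
    fi
}

# Validate, back up the running rules, then load FILE. Nothing changes when a
# check fails; if the load itself fails, the backup is restored.
safe_load() {
    file="$1"; port="${2:-22}"
    lockout_check "$file" "$port" || return 1
    if ! "$RESTORE_CMD" --test < "$file"; then
        echo "syntax check failed for $file, nothing loaded" >&2
        return 2
    fi
    backup="${BACKUP_DIR:-/etc/iptables}/backup-$(date +%Y%m%d-%H%M%S).v4"
    "$SAVE_CMD" > "$backup" || return 3
    if ! "$RESTORE_CMD" < "$file"; then
        echo "load failed, restoring $backup" >&2
        "$RESTORE_CMD" < "$backup"
        return 4
    fi
    echo "loaded $file (previous rules saved to $backup)"
}

# Constructed sample files for trying the checks without touching a real
# firewall: good.v4 loads, locked.v4 has the SSH rule commented out,
# broken.v4 lacks the COMMIT line.
write_sample_rules() {
    cat > "$1/good.v4" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
COMMIT
EOF
    sed 's/^-A INPUT -p tcp -m tcp --dport 22/#&/' "$1/good.v4" > "$1/locked.v4"
    grep -v '^COMMIT$' "$1/good.v4" > "$1/broken.v4"
}

# "sh safe_load.sh demo" runs the lockout check over the three sample files.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_sample_rules "$d"
    for f in good locked broken; do
        if lockout_check "$d/$f.v4"; then echo "$f.v4: lockout check passed"; fi
    done
    rm -r "$d"
fi
```

Run "sh safe_load.sh demo" to see the lockout check on the three constructed files; to load for real, source the file as root and call safe_load /etc/iptables/iptables.v4. The syntax check and the backup cost nothing, and they are what turns a typo in the rules file from a lost session into a printed error.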

Saving and Reloading IPTables Rules

After configuring your rules, you need to save them to ensure they persist after a reboot. On Debian 12, you can save your IPTables rules with the following command:

$ netfilter-persistent save

You will see output like:

run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save

To reload your rules, you can use:

$ netfilter-persistent reload

Again you will see output like:

run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start


Manually add rules to iptables

First save your current rules:

$ iptables-save > /etc/iptables/iptables


Then open the file to add new rules:

$ pico /etc/iptables/iptables
# Generated by iptables-save v1.8.9 (nf_tables) ...
*filter
:INPUT DROP [6:1196]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
# Completed on ...

Then add the following lines below the line :OUTPUT ACCEPT [0:0] (and above COMMIT):

# Allow established connections (the responses to our outgoing traffic)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Same thing with the conntrack match ("-m state" is the older alias for it);
# keeping both is harmless. Important so already running connections are not blocked.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Accept all traffic on your loopback interface
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Allow local programs that use loopback (Unix sockets)
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT

# Local host (already covered by the loopback rules above) and local network
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT

# Dropping Invalid Packets
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Deny incoming pings
-A INPUT -p icmp --icmp-type echo-request -j DROP
# outgoing ping echo request
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

#############################
# Block the most common attacks
#############################
# blocking null packets
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# drop new connections that do not start with a SYN (commonly listed as syn-flood protection)
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# XMAS packets (all flags set), also a recon packet
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# reject outgoing and incoming telnet connections
-A OUTPUT -p tcp --dport telnet -j DROP
-A INPUT -p tcp --dport telnet -j DROP

# Rate-limit HTTP: accept at most 10 packets/minute after an initial burst of 100.
# Caveat: this counts every packet, not only new connections, and nothing below
# DROPs port 80 (the HTTP rule further down accepts it), so packets over the
# limit simply fall through to those rules; on its own this line limits nothing.
-A INPUT -p tcp --dport 80 -m limit --limit 10/minute --limit-burst 100 -j ACCEPT
#############################


Replace 123.123.123.123 with your IP address or subnet:

## open port 22 to specific ip <YOURIPNUMBER>
-A INPUT -p tcp -s 123.123.123.123 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

If you do not have a fixed IP address, add your subnet instead; you can add several such lines, changing only the IP address or subnet:

-A INPUT -p tcp -s 123.123.123.123/24 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

Allowing SSH only from specific IP addresses or ranges is better than opening SSH to everyone, as we did at the beginning.
So now disable the INPUT rule we added at the beginning by commenting it out:

#-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

Allow outgoing SSH

## Allowing Outgoing SSH
-A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT


Allow an IP address or subnet to access all ports:

-A INPUT -s 123.123.123.123 -j ACCEPT
#IP subnet
-A INPUT -s 123.123.0.0/16 -j ACCEPT


Now you can add a block of deny rules:

# Deny a specific website (a hostname is resolved once, when the rules are loaded; the load fails if DNS is unavailable at that moment)
-A OUTPUT -p tcp -d www.twitter.com --dport 443 -j DROP
-A OUTPUT -p tcp -d twitter.com --dport 443 -j DROP

Deny bad actors (spammers, attackers, etc.). These are real offending addresses, so you can block these IP numbers:

## New blocked ##############
-A INPUT -s 193.201.9.156 -j DROP
-A INPUT -s 194.169.175.36 -j DROP
-A INPUT -s 194.169.175.35 -j DROP
-A INPUT -s 34.132.88.57 -j DROP
-A INPUT -s 85.209.11.27 -j DROP
-A INPUT -s 85.209.11.254 -j DROP
-A INPUT -s 85.209.11.227 -j DROP
-A INPUT -s 85.209.11.254 -j DROP
-A INPUT -s 85.209.11.1/24 -j DROP
-A INPUT -s 218.92.0.31 -j DROP
-A INPUT -s 180.97.193.137 -j DROP
-A INPUT -s 180.101.88.205 -j DROP
-A INPUT -s 180.101.88.197 -j DROP
-A INPUT -s 61.177.172.179 -j DROP
-A INPUT -s 14.103.42.189 -j DROP
-A INPUT -s 218.92.0.112 -j DROP
-A INPUT -s 218.92.0.24 -j DROP
-A INPUT -s 61.177.172.160 -j DROP
-A INPUT -s 193.201.9.156 -j DROP
-A INPUT -s 194.169.175.107 -j DROP
# DENY - MAIL HACK POP3
-A INPUT -s 119.188.157.200  -j DROP
-A INPUT -s 80.66.76.134  -j DROP
-A INPUT -s 167.94.145.99  -j DROP
-A INPUT -s 45.147.250.233  -j DROP
-A INPUT -s 45.156.129.61  -j DROP
-A INPUT -s 45.156.129.60  -j DROP
-A INPUT -s 147.185.132.210  -j DROP
-A INPUT -s 205.210.31.202  -j DROP
-A INPUT -s 87.236.176.79  -j DROP
-A INPUT -s 188.169.66.154 -j DROP
## End blocked ##############

After blocking the bad actors, you can allow services on your server such as DNS, POP3, etc.:

## DNS port 53 (replies to this server's own DNS queries; replace eth0 with your interface name, see "ip link")
-A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
## Allowing All Incoming HTTP
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
## Allowing All Incoming HTTPS
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Allow SMTP (port 25)
-A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Allowing All Incoming POP3
#-A INPUT -i eth0 -p udp -m udp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 110 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 110 -m conntrack --ctstate ESTABLISHED -j ACCEPT

## Allowing All Incoming POP3S
-A INPUT -p tcp --dport 995 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 995 -m conntrack --ctstate ESTABLISHED -j ACCEPT

## Allowing All Incoming IMAPS
-A INPUT -p tcp --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 993 -m conntrack --ctstate ESTABLISHED -j ACCEPT

## Allowing All Incoming IMAP
-A INPUT -p tcp --dport 143 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 143 -m conntrack --ctstate ESTABLISHED -j ACCEPT
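
As an added example (not part of the original tutorial): a lint pass to run over the rules file before loading it. It reports things visible in the rule set above that deserve a second look: the duplicated drop for 85.209.11.254, the hostname www.twitter.com used with -d (iptables resolves a name once, when the rule is loaded, and the load fails if DNS is not reachable at boot), the older -m state match used alongside -m conntrack, and the interface names the rules assume (eth0; Debian 12 normally uses predictable names such as enp0s3, which you can confirm with ip link). The sample file it writes is a constructed excerpt of the rules above, and the function names are introduced here.

```sh
#!/bin/sh
# Added example (not from the original tutorial): lint an iptables-save file
# before loading it. Findings, one per line, prefixed with a category:
#   DUPLICATE  the same -A line appears twice (harmless, but copy/paste drift)
#   HOSTNAME   a name rather than an address after -s/-d; iptables resolves it
#              once at load time and the load fails if DNS is unreachable
#   LEGACY     the older "-m state" match (same effect as -m conntrack)
#   INTERFACE  an interface name used with -i/-o; confirm it exists ("ip link")
# Function names and the sample file are introduced here (assumption).

find_duplicates() {
    grep '^-A ' "$1" | sort | uniq -d
}

find_hostnames() {
    grep -E '^-A .*(-s|-d) [^ ]*[A-Za-z]' "$1"
}

find_legacy_state() {
    grep -E '^-A .*-m state ' "$1"
}

# Distinct interface names given to -i / -o, one per line.
list_interfaces() {
    grep -oE '(^| )-[io] [^ ]+' "$1" | awk '{ print $2 }' | sort -u
}

lint_rules() {
    find_duplicates "$1"   | sed 's/^/DUPLICATE: /'
    find_hostnames "$1"    | sed 's/^/HOSTNAME: /'
    find_legacy_state "$1" | sed 's/^/LEGACY: /'
    list_interfaces "$1"   | sed 's/^/INTERFACE: /'
}

# Number of findings (stdout), handy as a "fail the deploy if non-zero" gate.
lint_count() {
    lint_rules "$1" | wc -l | tr -d ' '
}

# Constructed excerpt of the rule set above, written to FILE for the demo.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 85.209.11.254 -j DROP
-A INPUT -s 85.209.11.254 -j DROP
-A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -d www.twitter.com --dport 443 -j DROP
COMMIT
EOF
}

# "sh lint_rules.sh demo" lints the sample; "sh lint_rules.sh FILE" lints FILE.
case "${1:-}" in
    demo) f=$(mktemp); write_sample_rules "$f"; lint_rules "$f"; rm -f "$f" ;;
    "")   ;;
    *)    lint_rules "$1" ;;
esac
```

Run it as "sh lint_rules.sh /etc/iptables/iptables" after editing and before iptables-restore; a HOSTNAME finding in particular is worth replacing with the resolved addresses, otherwise the rules cannot load on a boot where DNS is not yet reachable.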

Load IPTables rules

$ iptables-restore < /etc/iptables/iptables
# list the current rules
$ iptables -L

# list of current rules with line numbers
$ iptables -L --line-numbers


Delete a specific rule from a chain by its line number. The -D option stands for delete, and the number at the end is the rule number you wish to remove:

$ iptables -D INPUT 6

To remove all rules, use the -F option, which means “flush all rules”:

$ iptables -F
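
As an added example (not part of the original tutorial): two helpers for the delete and flush commands above. iptables -F removes every rule but leaves the chain policies untouched, so with the INPUT policy set to DROP as earlier in this tutorial it also removes the SSH exception and every inbound packet, your own session included, is dropped; safe_flush resets the policies to ACCEPT before flushing. delete_matching removes rules by their specification rather than by line number, because the numbers shift after each deletion. It assumes iptables -S, which prints rules in iptables-save syntax; the IPTABLES variable and the function names are introduced here so the command sequence can be checked without root.

```sh
#!/bin/sh
# Added example (not from the original tutorial): helpers for the delete and
# flush steps above. IPTABLES and the function names are introduced here
# (assumption) so the command sequence can be checked without root.
IPTABLES="${IPTABLES:-iptables}"

# "iptables -F" removes every rule but leaves the chain policies as they are.
# With INPUT policy DROP (set earlier in this tutorial) that also removes the
# SSH ACCEPT rule, so every inbound packet, your own session included, is
# dropped. Reset the policies to ACCEPT first, then flush.
safe_flush() {
    "$IPTABLES" -P INPUT ACCEPT   || return 1
    "$IPTABLES" -P FORWARD ACCEPT || return 1
    "$IPTABLES" -P OUTPUT ACCEPT  || return 1
    "$IPTABLES" -F                || return 1   # flush all rules (filter table)
    "$IPTABLES" -X                || return 1   # delete now-empty user-defined chains
}

# Print the delete commands for every rule in CHAIN whose "iptables -S" line
# matches PATTERN (extended regex). -S prints rules in iptables-save syntax,
# so swapping the leading -A for -D yields the exact delete command. The -P
# policy line is filtered out so a broad pattern can never touch a policy.
delete_matching_plan() {
    "$IPTABLES" -S "$1" | grep '^-A ' | grep -E -- "$2" | sed 's/^-A /-D /'
}

# Delete by specification instead of by line number: numbers shift after each
# deletion, so removing several rules by number in one pass hits the wrong
# ones. Rules with quoted arguments (e.g. -m comment) would need eval here.
delete_matching() {
    delete_matching_plan "$1" "$2" | while read -r spec; do
        # shellcheck disable=SC2086 -- $spec must be word-split into arguments
        "$IPTABLES" $spec || exit 1
    done
}

# "sh flush_helpers.sh plan INPUT '85\.209'" previews deletions without
# changing anything; "sh flush_helpers.sh delete INPUT '85\.209'" runs them;
# "sh flush_helpers.sh flush" runs safe_flush.
case "${1:-}" in
    plan)   delete_matching_plan "${2:-INPUT}" "${3:-.}" ;;
    delete) delete_matching "${2:-INPUT}" "${3:?pattern required}" ;;
    flush)  safe_flush ;;
esac
```

Preview with the plan subcommand first; it prints exactly the -D commands that the delete subcommand would run, so a pattern that matches more than you intended is caught before anything changes.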