Debian 10
iptables script
using systemd service
Execute with cron job after reboot
If you wish to add a new service that starts when the machine boots, put the necessary script in the directory /etc/init.d/.
Script to start iptables and fail2ban
First go to /etc/init.d/ and create the file firewall (pico is the editor used on this page; nano or vi work the same):
cd /etc/init.d/
pico /etc/init.d/firewall
Add this code to the file:
#! /bin/sh
# /etc/init.d/firewall
#
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start firewall at boot time
# Description:       Enable firewall and fail2ban service.
# WARNING 1: Be sure the file /etc/iptables exists (output of iptables-save)
# WARNING 2: Be sure fail2ban is installed on your server!
### END INIT INFO
#################################################################
RULES=/etc/iptables
prefix=iptables-
suffix=$(date +%d%m%Y) # %d%m%Y = day month year, e.g. 31122019
# Name of the fail2ban chain: "fail2ban-ssh" on fail2ban 0.8, "f2b-sshd" on 0.9 and later
# (Debian 10 ships fail2ban 0.10, so change this if "iptables -L" shows f2b-sshd)
F2B_CHAIN=fail2ban-ssh

case "$1" in
start)
    echo ""
    echo "Starting script firewall"
    if [ ! -r "$RULES" ]; then
        echo "Rules file $RULES is missing or unreadable, firewall NOT loaded" >&2
        exit 1
    fi
    # --test only parses the file, so a typo in it does not leave you with half a ruleset
    if ! iptables-restore --test < "$RULES"; then
        echo "Syntax error in $RULES, firewall NOT loaded" >&2
        exit 1
    fi
    iptables-restore < "$RULES"
    echo "Your default firewall is running, use 'iptables -L -n -v' to check that everything is OK"
    echo ""
    ## Be sure fail2ban is installed on your server
    echo "To protect your server, fail2ban is restarted now"
    /etc/init.d/fail2ban restart
    echo ""
    echo "Checking fail2ban with: iptables -L $F2B_CHAIN --line-numbers"
    iptables -L "$F2B_CHAIN" --line-numbers
    echo ""
    ;;
stop)
    echo ""
    echo "Stopping script firewall"
    # Reset the default policies before flushing: with a DROP policy still in place,
    # "iptables -F" alone drops every packet, including your own SSH session
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -F
    echo "use 'iptables -L' to see if your firewall is still ON"
    echo ""
    ;;
save)
    echo ""
    echo "Save firewall rules"
    iptables-save > "/etc/$prefix$suffix"
    echo "File saved > /etc/$prefix$suffix"
    echo ""
    ;;
help)
    echo ""
    echo "Basic help : script firewall using 'iptables'"
    echo "Edit firewall rules : 'pico /etc/iptables'"
    echo "Start firewall with default file : 'iptables-restore < /etc/iptables'"
    echo "Save firewall rules to a dated file : 'iptables-save > /etc/iptables-<date>' (or: $0 save)"
    echo "Check if firewall is ON : 'iptables -L' or 'iptables -L -n -v'"
    echo "Clear/Flush or empty firewall rules : 'iptables -F' (set the policies to ACCEPT first)"
    echo "Example how to block one IP address : '-A INPUT -s 123.123.123.123 -j DROP'"
    echo "More examples in default iptables file : '/etc/iptables'"
    echo "Type 'iptables -h' for more help"
    echo ""
    echo "To see if someone is blacklisted with fail2ban run: iptables -L $F2B_CHAIN --line-numbers"
    echo "To see the status run /etc/init.d/fail2ban status"
    echo "To restart fail2ban use /etc/init.d/fail2ban restart"
    echo "To change fail2ban rules edit /etc/fail2ban/jail.conf (better: put your overrides in /etc/fail2ban/jail.local)"
    echo ""
    ;;
*)
    echo "Usage: /etc/init.d/firewall {start|stop|save|help}"
    exit 1
    ;;
esac
exit 0
When you've saved the file, make sure it is executable:
chmod 755 /etc/init.d/firewall
Then register it in the boot sequence (update-rc.d creates the symbolic links in the /etc/rc?.d/ directories):
update-rc.d firewall defaults
On Debian 10 systemd picks the script up as a generated unit named firewall.service, so it also shows up in systemctl.
On older Debian versions you can use
insserv firewall
You can also run the script manually:
/etc/init.d/firewall start
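The init script above expects a rules file at /etc/iptables (WARNING 1) but the page does not show one. The following shell script is an added example, not part of the original page: it writes a minimal stateful default-deny ruleset in iptables-save format and runs two checks before the file is put in place, so that a reboot with a malformed ruleset, or one that forgot the SSH port, does not lock you out. The function names (make_ruleset, check_ruleset, load_test), the SSH_PORT variable (assumed 22) and the /etc/iptables.new staging path are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not part of the original page: build a minimal /etc/iptables rules file
# (iptables-save format, the input of iptables-restore) and check it before it goes live.
# make_ruleset, check_ruleset, load_test, SSH_PORT and the /etc/iptables.new staging
# path are this example's own assumptions, not names from the page.
set -u

# Port your sshd listens on; assumed 22 here, override with SSH_PORT=2222 if you moved SSH
SSH_PORT="${SSH_PORT:-22}"

# make_ruleset PORT: print a stateful default-deny filter table that keeps tcp/PORT open
make_ruleset() {
    cat <<EOF
# generated by make_ruleset; load with: iptables-restore < /etc/iptables
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport $1 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# check_ruleset FILE PORT: static checks that need neither root nor the kernel.
# Returns 0 when FILE is well-formed and still lets SSH on tcp/PORT in, 1 otherwise.
check_ruleset() {
    f=$1
    port=$2
    # every "*table" header must be closed by a COMMIT line, or iptables-restore rejects the file
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT$' "$f" || true)
    if [ "$tables" -ne "$commits" ]; then
        echo "check_ruleset: $tables table header(s) but $commits COMMIT line(s) in $f" >&2
        return 1
    fi
    # the lockout check: a DROP policy on INPUT with no ACCEPT for the SSH port means the
    # next reboot (or "firewall start") cuts off your own session
    if grep -q '^:INPUT DROP' "$f" \
       && ! grep -Eq "^-A INPUT .*-p tcp .*--dport $port .*-j ACCEPT" "$f"; then
        echo "check_ruleset: INPUT policy is DROP but nothing accepts tcp/$port in $f" >&2
        return 1
    fi
    return 0
}

# load_test FILE: let the real parser check the syntax without applying anything (needs root)
load_test() {
    iptables-restore --test < "$1"
}

# Usage as root: ./make-rules.sh install  (stage the file, check it, then replace /etc/iptables)
if [ "${1:-}" = "install" ]; then
    make_ruleset "$SSH_PORT" > /etc/iptables.new
    check_ruleset /etc/iptables.new "$SSH_PORT" && load_test /etc/iptables.new \
        && mv /etc/iptables.new /etc/iptables \
        && echo "installed /etc/iptables, SSH stays open on tcp/$SSH_PORT"
fi
```

The static check deliberately runs before iptables-restore --test: the parser only tells you whether the file is valid, not whether it still lets you in. If you changed the SSH port (previous page), run the installer with SSH_PORT set to the new port, then /etc/init.d/firewall start as usual.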
Using systemd service
You can also use systemd and create a service unit for your script. Use one of the two methods, not both: if you enable this unit and have also registered the script with update-rc.d, systemd runs the generated firewall.service as well and the rules are loaded twice at boot.
Now create the new file myfirewal.service in the folder /etc/systemd/system/
pico /etc/systemd/system/myfirewal.service
Add this code to the file:
[Unit]
Description=Start Firewall on boot
# network-pre.target is the usual hook for a pure rule loader, but this script also restarts
# fail2ban, which itself waits for network.target, so the unit keeps running after network.target
After=network.target auditd.service

[Service]
# The script loads the rules and exits; oneshot plus RemainAfterExit keeps the unit "active"
# afterwards, so systemctl status shows the firewall as up and systemctl stop runs ExecStop
Type=oneshot
RemainAfterExit=yes
User=root
Group=root
ExecStart=/etc/init.d/firewall start
ExecStop=/etc/init.d/firewall stop

[Install]
WantedBy=multi-user.target
When the unit file is saved, reload systemd so it picks up the new file (this is needed after every creation or modification of a unit file):
systemctl daemon-reload
Then enable your new service so it starts on reboot (you only need to do this once):
systemctl enable myfirewal.service
and start the service to see if it works:
systemctl start myfirewal.service
Use this to see whether your firewall rules are loaded:
iptables -L
To flush the rules by hand use
iptables -F
Note that iptables -F only removes the rules: a DROP default policy stays in place and then drops everything, including your SSH session, so set the policies back to ACCEPT first.
Now start your service again with systemctl start myfirewal.service and reboot to check that the rules come back on their own.
Links:
systemd.service - Service unit configuration - freedesktop.org
systemd Services - debian.org
iptables - debian.org
iptables HOWTO - netfilter.org
see also nftables - debian.org
nftables HOWTO - nftables.org