Gernot Walzl

Navigation

On Debian, iptables-restore is called on boot by installing the following package:

apt install iptables-persistent

IPv4

We set the default policy of the INPUT chain to DROP and
specify some rules, which are applied from top to bottom:

1. Incoming packages on the loopback interface lo are accepted.
2. ESTABLISHED connections or RELATED packages are accepted.
3. ICMP traffic (e.g. incoming ping requests) is allowed.
4. The number of SSH connection attempts is limited to 8 per 60 seconds.
   This slows down brute force password attacks significantly.
5. A web server needs incoming packages on port 80 (http) and port 443 (https) to be accepted.

/etc/iptables/rules.v4

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -i lo -j ACCEPT

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT

-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

COMMIT

Reload IPv4 rules

Restore rules from file:

iptables-restore < /etc/iptables/rules.v4

Verify loaded rules:

iptables -L

Network Address Translation (NAT)

The PREROUTING chain is used for port forwarding.

The rule in the POSTROUTING chain translates the source address of outgoing packages.
The reply will be forwarded by translating the destination address of incoming packages.
This is what ordinary IPv4 routers do.

Rules for the nat table are part of the iptables rules:

/etc/iptables/rules.v4

*filter
#...
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.100:80
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o ppp0 -j MASQUERADE
COMMIT

Forwarding of IPv4 packages needs to be enabled in the kernel.
An interface for modifying kernel parameters is the proc file system.

echo 1 > /proc/sys/net/ipv4/ip_forward

A simplified command line tool for the proc file system is sysctl.
To make the change persistent over reboots, edit the following file:

/etc/sysctl.conf

#...

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

#...

IPv6

For IPv6, the following rules need to be added:

• ICMPv6 is required for IPv6 to work correctly.
• DHCPv6 needs incoming UDP packages on port 546 to be accepted.

/etc/iptables/rules.v6

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -i lo -j ACCEPT

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -p icmpv6 -j ACCEPT

-A INPUT -p udp -s fe80::/10 --dport 546 -j ACCEPT

-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT

-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

COMMIT

Reload IPv6 rules

Restore rules from file:

ip6tables-restore < /etc/iptables/rules.v6

Verify loaded rules:

ip6tables -L

External Links

• https://netfilter.org/

CONTENT.html	source	2022-07-07	4.5 KB
clear_iptables_rules.sh	source	2022-05-01	1.8 KB
clear_iptables_rules.sh 2022-05-01 by Gernot Walzl
rules.v4		2020-05-03	496 B
rules.v6		2021-02-23	550 B