Start or Stop Iptables Firewall on Debian Linux

I have been given the task at work of configuring the firewalls for a client with a large network and various servers. The system has a lot of security implemented which requires specific control of users, subnetworks, and who has access rights to certain network and internet resources.

Configuring a single computer is relatively easy, and you can find many guides on the net, but I was curious to see that on some Ubuntu/Debian based forums and blogs, people were treating iptables as a service, which it most certainly isn't. There appears to be some confusion between Debian, Red Hat, and their derivatives (Ubuntu, Fedora, CentOS etc.).

Difference between Red Hat and Debian
Red Hat, Fedora and CentOS do have a script in /etc/init.d which allows you to {save|stop} the iptables configuration, and I believe some people were mistakenly trying to apply it to Debian based systems. That's not to say that you couldn't create a start/stop script, but it doesn't come as standard.

Iptables is a command, not a service
Iptables is a command to manipulate the netfilter kernel firewall. Compare modprobe: it lets you load a kernel module, but there is no /etc/init.d/modprobe start or service modprobe start. Iptables works the same way: each invocation issues a command to the kernel (adding, listing, saving or removing rules) and then exits; nothing keeps running in the background.

To get Iptables:
sudo apt-get install iptables

Or see if it is already installed:
dpkg -l | grep iptables

How to Enable/Start/Configure Iptables (as root):
Create the firewall.rules file by dumping the current (initially empty) rule set. You can then configure the firewall by issuing iptables commands in the terminal and saving again. iptables-save writes the running rules to the file:
iptables-save > /root/firewall.rules
and iptables-restore loads a saved file back into the kernel:
iptables-restore < /root/firewall.rules

Now issue these commands as root sequentially. The first two flush the filter table and delete its user-defined chains (flushing first is required, since -X refuses to delete a chain that rules still reference), the next four do the same for the nat and mangle tables, and the last three set the policy of every built-in chain to ACCEPT:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Save your config:
Once you have issued them, save them to firewall.rules with the same command you used to create the file.
iptables-save > /root/firewall.rules

Now you can check to see if the rules file is no longer empty:
vim /root/firewall.rules

Which should give you something like this (a completely open firewall):
# Generated by iptables-save v1.4.8 on Wed Oct 27 09:40:48 2010
*mangle
:PREROUTING ACCEPT [106:16689]
:INPUT ACCEPT [79:11460]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [59:9812]
:POSTROUTING ACCEPT [65:10676]
COMMIT
# Completed on Wed Oct 27 09:40:48 2010
# Generated by iptables-save v1.4.8 on Wed Oct 27 09:40:48 2010
*nat
:PREROUTING ACCEPT [46:8205]
:POSTROUTING ACCEPT [14:1382]
:OUTPUT ACCEPT [14:1382]
COMMIT
# Completed on Wed Oct 27 09:40:48 2010
# Generated by iptables-save v1.4.8 on Wed Oct 27 09:40:48 2010
*filter
:INPUT ACCEPT [30:6110]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [24:4552]
COMMIT
# Completed on Wed Oct 27 09:40:48 2010

This is just a basic first step to setting up iptables manually. At work we have a template firewall script that runs from /etc/rc2.d at boot on our clients' and our office servers, and is approximately 250 lines long.
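Since Debian ships no start/stop script of its own, here is a minimal POSIX sh wrapper of the kind the post says you would have to write yourself. It is an added example, not the post's script and not anything Debian provides: start loads /root/firewall.rules with iptables-restore (refusing a missing or truncated file), stop loads a rule set with no rules and policy ACCEPT everywhere, which is the same end state as the reset commands above, and save dumps the running rules; the install path and function names are assumptions.

```shell
# Minimal start/stop wrapper for iptables on Debian (added example, not part of
# the original post); install as e.g. /etc/init.d/firewall (path assumed).
RULES_FILE="${RULES_FILE:-/root/firewall.rules}"
# Emit an iptables-restore rule set with no rules and policy ACCEPT on every
# built-in chain: the same end state as the -F/-X/-P reset sequence above.
open_firewall_rules() {
    cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# iptables-save writes one COMMIT per table, so a file with none is empty or
# truncated and must not be handed to iptables-restore. Prints 0 if unreadable.
count_tables() {
    n=$(grep -c '^COMMIT$' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

firewall_start() {
    if [ "$(count_tables "$RULES_FILE")" -lt 1 ]; then
        echo "firewall: $RULES_FILE missing or incomplete, not loading" >&2
        return 1
    fi
    iptables-restore < "$RULES_FILE"
}

case "${1:-}" in
    start) firewall_start ;;
    stop)  open_firewall_rules | iptables-restore ;;   # fully open, like the reset
    save)  iptables-save > "$RULES_FILE" ;;
    "")    ;;   # no action given (e.g. when sourced): only define the functions
    *)     echo "Usage: $0 {start|stop|save}" >&2; exit 2 ;;
esac
```

Run it as root with start, stop or save; the functions themselves need no privileges until they call iptables-restore.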

Documentation on the web:
http://www.netfilter.org/
http://www.netfilter.org/projects/iptables/index.html
http://www.netfilter.org/documentation/index.html#documentation-howto
