├── README.md
├── iptables-persistent
├── iptables-persistent.conf
├── ipv6_rules
└── rules

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
![Maintenance](https://img.shields.io/maintenance/no/2015)

iptables-persistent
===================

This is a **fork** of Debian's *iptables-persistent* package that loads iptables rules from the ruleset stored at `/etc/iptables/rules`.

**UPDATE 2018-05-27**: This is not maintained anymore and may or may not work with current Debian setups. Use at your own risk.

**UPDATE 2014-09-20**: The *iptables-persistent* package in Debian **jessie** has significantly changed compared to the previous version and has been renamed to *netfilter-persistent*. This script is not related to *netfilter-persistent* at all.

This version is modified to **properly handle fail2ban's rule reloading** when starting/stopping/reloading the iptables rules via iptables-persistent (fail2ban inserts its own rules at the _beginning_ of the current iptables ruleset when it is (re)started, so iptables-persistent stops it while the ruleset is being replaced). If fail2ban is not installed, iptables-persistent ignores any action related to fail2ban.

For **IPv6** enabled servers, ip6tables rules management is handled too, by activating the corresponding parameter in the configuration file (see below).

An example set of rules is included as a quickstart. It is pretty restrictive: forwarding is disabled and only DNS, ping and SSH are allowed inbound by default. **You MUST review it and edit it to suit your needs!**

### Installation

To use:

* copy the init.d script `iptables-persistent` to `/etc/init.d/` and make it executable

* copy `iptables-persistent.conf` to `/etc/default/iptables-persistent.conf` and **edit it to suit your needs**

* copy `rules` to `/etc/iptables/rules` and **edit it to suit your needs**

* copy `ipv6_rules` to `/etc/iptables/ipv6_rules` and **edit it to suit your needs** (you can copy this file even if you don't activate IPv6 support in the configuration; it will be ignored)

* make iptables-persistent start at boot:

  `update-rc.d iptables-persistent defaults`

### Configuration variables

Edit `/etc/default/iptables-persistent.conf` to set the following parameters:

* **SAVE_NEW_RULES** (default: 0) - if set to a value other than 0, the current iptables ruleset is saved with iptables-save when iptables-persistent is stopped (or restarted)

* **MODULES** (default: "") - a space-separated list of kernel modules that iptables-persistent should load on start and unload on stop. Useful to activate FTP connection tracking, for example.

* **IPV6** (default: 0) - if set to a value other than 0, ip6tables is additionally used to load/unload the ruleset stored at `/etc/iptables/ipv6_rules`

* **ENABLE_ROUTING** (default: 0) - if set to a value other than 0, routing is enabled (in `/proc/sys/net/ipv4/ip_forward` and, when IPV6 is also enabled, `/proc/sys/net/ipv6/conf/all/forwarding`); otherwise it is not.
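The init script reads these variables by sourcing `/etc/default/iptables-persistent.conf` and tests each flag with `[ $FLAG -ne 0 ]`. A value such as `IPV6=yes`, or an empty `ENABLE_ROUTING=`, makes that test fail with "integer expression expected" and the feature is quietly left off rather than reported. The POSIX sh validator below is an added example, not code from the repository: `is_int`, `check_conf` and the two sample configuration files are constructed here to show how such a file can be checked before the next boot.

```shell
#!/bin/sh
# Pre-flight check for an iptables-persistent.conf file.
# The init script sources the file and tests each flag with "[ $FLAG -ne 0 ]".
# A value such as IPV6=yes, or an empty ENABLE_ROUTING=, makes that test fail
# with "integer expression expected" and the feature is quietly left off.
# Added example, not part of the repository; check_conf, is_int and the two
# sample files below are constructed for it.

# is_int VALUE: succeed if VALUE is a non-empty string of decimal digits
is_int() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# check_conf FILE: print one line per problem, return 1 if any was found
check_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "$conf: cannot read file"; return 1; }
    # The file is sourced (executed) exactly as the init script does it, but in
    # a subshell so its assignments cannot leak into the caller.
    (
        unset SAVE_NEW_RULES MODULES ENABLE_ROUTING IPV6
        . "$conf"
        status=0
        for flag in SAVE_NEW_RULES ENABLE_ROUTING IPV6; do
            eval "val=\${$flag}"
            if ! is_int "$val"; then
                echo "$flag: expected 0 or a positive integer, got '$val'"
                status=1
            fi
        done
        # MODULES is word-split and handed to "modprobe -a", so every word
        # must look like a kernel module name
        for mod in $MODULES; do
            case "$mod" in
                *[!A-Za-z0-9_-]*)
                    echo "MODULES: '$mod' is not a valid module name"
                    status=1 ;;
            esac
        done
        exit "$status"
    )
}

good_conf=$(mktemp); bad_conf=$(mktemp)
trap 'rm -f "$good_conf" "$bad_conf"' EXIT

# Constructed sample: FTP connection tracking helpers loaded, IPv6 enabled
cat >"$good_conf" <<'EOF'
SAVE_NEW_RULES=0
MODULES="nf_conntrack_ftp nf_nat_ftp"
ENABLE_ROUTING=0
IPV6=1
EOF

# Constructed sample with three mistakes: a module file name instead of a
# module name, an empty flag and a non-numeric flag
cat >"$bad_conf" <<'EOF'
SAVE_NEW_RULES=0
MODULES="nf_conntrack_ftp nf_conntrack_ftp.ko"
ENABLE_ROUTING=
IPV6=yes
EOF

check_conf "$good_conf" && echo "$good_conf: OK"
check_conf "$bad_conf" || echo "$bad_conf: rejected (3 problems expected)"
```

Run it as `sh check-conf.sh` after editing the configuration; it exits non-zero and names each offending variable. Because the config is executed rather than parsed, the check is only as trustworthy as the file it is pointed at, which is the same property the init script itself has.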
--------------------------------------------------------------------------------
/iptables-persistent:
--------------------------------------------------------------------------------
#!/bin/sh
### BEGIN INIT INFO
# Provides:          iptables-persistent
# Required-Start:    mountkernfs $local_fs
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# X-Start-Before:    $network
# X-Stop-After:      $network
# Short-Description: Set up iptables rules
### END INIT INFO

PATH="/sbin:/bin:/usr/sbin:/usr/bin"

# Include config file for iptables-persistent
. /etc/default/iptables-persistent.conf

# Fall back to the documented defaults so the numeric tests below never see an
# empty value (an empty or non-numeric flag would make "-ne 0" fail and the
# feature would be skipped without any message)
: "${SAVE_NEW_RULES:=0}"
: "${ENABLE_ROUTING:=0}"
: "${IPV6:=0}"

# Include lsb init functions
. /lib/lsb/init-functions
rc=0

case "$1" in
  start)
    if [ -e /var/run/iptables ]; then
      log_warning_msg "iptables is already started!"
      exit 1
    else
      touch /var/run/iptables
    fi

    # if fail2ban is running, stop it while the new rules are loaded
    # (it inserts its own rules at the top of the ruleset when started)
    if [ -x /etc/init.d/fail2ban ]; then
      /etc/init.d/fail2ban stop
    fi

    log_action_begin_msg "Starting iptables"

    if [ "$ENABLE_ROUTING" -ne 0 ]; then
      # Enable Routing
      echo 1 >/proc/sys/net/ipv4/ip_forward
      log_action_cont_msg "IPv4 routing enabled"
      if [ "$IPV6" -ne 0 ]; then
        echo 1 >/proc/sys/net/ipv6/conf/all/forwarding
        log_action_cont_msg "IPv6 routing enabled"
      fi
    fi

    # "-n" is required here: an unquoted [ $MODULES ] is a test error as soon
    # as more than one module is listed
    if [ -n "$MODULES" ]; then
      # Load Modules
      modprobe -a $MODULES
      log_action_cont_msg "Modules $MODULES loaded"
    fi

    # Load saved rules
    if [ -f /etc/iptables/rules ]; then
      iptables-restore /etc/iptables/rules

# --- lines 57-97 of the original script are missing from this copy ---

      if [ $? -ne 0 ]; then
        rc=1
      fi
      log_action_cont_msg "IPv4 rules saved"

      if [ "$IPV6" -ne 0 ]; then
        # Backup old rules
        cp /etc/iptables/ipv6_rules /etc/iptables/ipv6_rules.bak
        # Save new rules
        ip6tables-save >/etc/iptables/ipv6_rules
        if [ $? -ne 0 ]; then
          rc=1
        fi
        log_action_cont_msg "IPv6 rules saved"
      fi
    fi

    # Restore Default Policies
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT

    # Flush rules on default tables
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F

    if [ "$IPV6" -ne 0 ]; then
      # Restore Default Policies
      ip6tables -P INPUT ACCEPT
      ip6tables -P FORWARD ACCEPT
      ip6tables -P OUTPUT ACCEPT

      # Flush rules on default tables
      ip6tables -F
      ip6tables -t mangle -F
    fi

    if [ -n "$MODULES" ]; then
      # Unload previously loaded MODULES
      modprobe -r $MODULES
      log_action_cont_msg "Modules $MODULES unloaded"
    fi

    # Disable Routing if enabled
    if [ "$ENABLE_ROUTING" -ne 0 ]; then
      echo 0 >/proc/sys/net/ipv4/ip_forward
      log_action_cont_msg "IPv4 routing disabled"
      if [ "$IPV6" -ne 0 ]; then
        echo 0 >/proc/sys/net/ipv6/conf/all/forwarding
        log_action_cont_msg "IPv6 routing disabled"
      fi
    fi

    log_action_end_msg $rc

    # start of fail2ban
    if [ -x /etc/init.d/fail2ban ]; then
      /etc/init.d/fail2ban start
    fi
    ;;

  restart|force-reload)
    $0 stop
    $0 start
    ;;

  status)
    echo "Filter Rules:"
    echo "--------------"
    iptables -L -v
    echo ""
    echo "NAT Rules:"
    echo "-------------"
    iptables -t nat -L -v
    echo ""
    echo "Mangle Rules:"
    echo "----------------"
    iptables -t mangle -L -v

    if [ "$IPV6" -ne 0 ]; then
      echo "**********"
      echo "** IPV6 **"
      echo "**********"
      echo "Filter Rules:"
      echo "--------------"
      ip6tables -L -v
      echo ""
      echo "Mangle Rules:"
      echo "----------------"
      ip6tables -t mangle -L -v
    fi
    ;;

  *)
    echo "Usage: $0 {start|stop|force-stop|restart|force-reload|status}" >&2
    exit 1
    ;;
esac

exit 0
--------------------------------------------------------------------------------
/iptables-persistent.conf:
--------------------------------------------------------------------------------
# A basic config file for the /etc/init.d/iptables-persistent script
#

# Should rules added manually from the command line be saved when the service
# is stopped (e.g. on reboot)? Assign a value other than 0 to enable this.
SAVE_NEW_RULES=0

# Modules to load:
#MODULES="ip_conntrack_ftp"   # example for FTP connection tracking
MODULES=""

# Enable Routing? Assign a value other than 0 to enable this.
ENABLE_ROUTING=0

# Enable IPv6? Assign a value other than 0 to enable this.
IPV6=0
--------------------------------------------------------------------------------
/ipv6_rules:
--------------------------------------------------------------------------------
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# allow all loopback traffic
-A INPUT -i lo -j ACCEPT

# allow all ICMPv6 traffic (neighbour discovery and router advertisements need it)
-A INPUT -p icmpv6 -j ACCEPT

# Drop any tcp packet that does not start a connection with a syn flag.
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# packets belonging to an established connection or related to one can pass
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# packets the connection tracker classifies as INVALID are silently dropped
-A INPUT -m state --state INVALID -j DROP

# Allow incoming FTP
#-A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT

# Allow incoming SSH
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT

# Allow incoming HTTP
#-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT

# Allow incoming HTTPS
#-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT

# Allow DNS
#-A OUTPUT -o eth0 -p tcp --dport 53 -j ACCEPT
#-A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
#-A INPUT -i eth0 -p tcp --sport 53 -j ACCEPT
#-A INPUT -i eth0 -p udp --sport 53 -j ACCEPT

# Log dropped packets
-N LOGGING
-A INPUT -j LOGGING
-A LOGGING -p tcp -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables: [INPUT6 ][denied TCP] " --log-level 7
-A LOGGING -p udp -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables: [INPUT6 ][denied UDP] " --log-level 7
# "-p icmp" is IPv4 ICMP (protocol 1) and never matches under ip6tables; ICMPv6 is protocol 58
-A LOGGING -p icmpv6 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables: [INPUT6 ][denied ICMP] " --log-level 7
-A INPUT -j REJECT

# allow outgoing traffic, explicitly (despite chain policy)
-A OUTPUT -j ACCEPT

# disallow forwarded traffic, explicitly (despite chain policy)
-A FORWARD -j REJECT

COMMIT
--------------------------------------------------------------------------------
/rules:
--------------------------------------------------------------------------------
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*filter
# Set default chain policies
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Allow all loopback (lo) traffic and reject any traffic to 127/8 that does not arrive on lo
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Drop any tcp packet that does not start a connection with a syn flag.
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop any invalid packet that could not be identified.
-A INPUT -m state --state INVALID -j DROP

# Blacklist (examples)
#-A INPUT -i eth0 -s 198.51.100.1 -p tcp --dport 22 -j DROP # Example IP from RFC 5737
#-A INPUT -i eth0 -s 203.0.113.34 -j DROP # Example IP from RFC 5737

# Allow incoming FTP
#-A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT

# Allow incoming SSH
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

# Allow incoming HTTP
#-A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

# Allow incoming HTTPS
#-A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT

# Allow ping from inside to outside
-A OUTPUT -o eth0 -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i eth0 -p icmp --icmp-type echo-reply -m limit --limit 2/s -j ACCEPT

# Allow ping from outside to inside
-A INPUT -i eth0 -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
-A OUTPUT -o eth0 -p icmp --icmp-type echo-reply -j ACCEPT

# Allow NTP
#-A INPUT -i eth0 -p udp --dport 123 -j ACCEPT
#-A OUTPUT -o eth0 -p udp --sport 123 -j ACCEPT

# Allow DNS
# (the ESTABLISHED,RELATED rule above already admits the replies to our own queries; the two
# INPUT rules below go further and accept any new inbound packet whose source port is 53)
-A OUTPUT -o eth0 -p tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 53 -j ACCEPT
-A INPUT -i eth0 -p udp --sport 53 -j ACCEPT

# Log dropped packets
-N LOGGING
-A INPUT -j LOGGING
-A LOGGING -p tcp -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables: [denied TCP] " --log-level 7
-A LOGGING -p udp -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables: [denied UDP] " --log-level 7
-A LOGGING -p icmp -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables: [denied ICMP] " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT

# Allow all other outbound traffic
-A OUTPUT -j ACCEPT

# Reject forwarded traffic, explicitly (despite chain policy)
-A FORWARD -j REJECT

COMMIT
--------------------------------------------------------------------------------
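Both rules files are in iptables-save format and the README insists they be reviewed before use. `iptables-restore --test` parses a file without committing it, but it needs root and netfilter in the kernel. The POSIX sh/awk lint below is an added example, not code from the repository, and it generalizes beyond the two files on the page: it checks that every `*table` block is closed by `COMMIT`, that every `-A`/`-I` rule and every `-j` jump refers to a chain declared with `:CHAIN` or `-N` (or to a builtin target), and, when told the file is for ip6tables, it flags `-p icmp`, which is IPv4 ICMP (protocol 1) and never matches ICMPv6 (protocol 58). The function `lint_rules`, its `inet`/`inet6` argument, the list of builtin targets and the two sample files are all constructed for this example.

```shell
#!/bin/sh
# Offline structural lint for files in iptables-save format (the format of the
# "rules" and "ipv6_rules" files above). iptables-restore --test needs root and
# netfilter in the kernel; this check runs wherever awk does. Added example,
# not part of the repository.
#
# lint_rules FILE [inet|inet6]: prints one line per problem, returns 1 if any.
lint_rules() {
    file="$1"
    family="${2:-inet}"
    awk -v family="$family" '
    function err(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; errors++ }
    BEGIN {
        # targets that are not user chains (the common ones; extend as needed)
        n = split("ACCEPT DROP REJECT LOG RETURN QUEUE NFQUEUE MASQUERADE SNAT DNAT REDIRECT MARK CONNMARK TCPMSS", t, " ")
        for (i = 1; i <= n; i++) builtin[t[i]] = 1
    }
    /^[ \t]*(#|$)/ { next }                          # comment or blank line
    /^\*/ {                                          # *filter, *nat, *mangle
        if (table != "") err("table " table " is not closed by COMMIT")
        table = substr($1, 2)
        for (c in chains) delete chains[c]           # chains are per table
        next
    }
    /^COMMIT$/ {
        if (table == "") err("COMMIT outside of any table")
        table = ""
        next
    }
    table == "" { err("rule outside of any *table block: " $0); next }
    /^:/ { chains[substr($1, 2)] = 1; next }         # :CHAIN POLICY [pkts:bytes]
    $1 == "-N" { chains[$2] = 1; next }              # user-defined chain
    $1 == "-A" || $1 == "-I" {
        if (!($2 in chains)) err("rule added to undeclared chain " $2)
        for (i = 3; i < NF; i++) {
            if ($i == "-j" && !($(i+1) in builtin) && !($(i+1) in chains))
                err("jump to undeclared chain or target " $(i+1))
            # IPv4 ICMP is protocol 1, ICMPv6 is protocol 58: under ip6tables
            # a -p icmp rule never matches a packet
            if (family == "inet6" && $i == "-p" && $(i+1) == "icmp")
                err("\"-p icmp\" never matches under ip6tables; use -p icmpv6")
        }
        next
    }
    END {
        if (table != "") err("table " table " is not closed by COMMIT")
        exit (errors > 0)
    }' "$file"
}

good_rules=$(mktemp); bad_rules6=$(mktemp)
trap 'rm -f "$good_rules" "$bad_rules6"' EXIT

# Constructed IPv4 sample, in the style of the repository "rules" file
cat >"$good_rules" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-N LOGGING
-A INPUT -j LOGGING
-A LOGGING -p tcp -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables: [denied TCP] " --log-level 7
-A INPUT -j REJECT
-A OUTPUT -j ACCEPT
-A FORWARD -j REJECT
COMMIT
EOF

# Constructed IPv6 sample with three mistakes: LOGGING is never declared with
# -N, the ICMP log rule uses -p icmp, and the table is not closed with COMMIT
cat >"$bad_rules6" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A INPUT -j LOGGING
-A LOGGING -p icmp -m limit --limit 5/min -j LOG --log-prefix "iptables: [INPUT6 ][denied ICMP] " --log-level 7
-A INPUT -j REJECT
EOF

lint_rules "$good_rules" inet && echo "IPv4 sample: no problems found"
lint_rules "$bad_rules6" inet6 || echo "IPv6 sample: problems found (4 expected)"
```

Run it as `lint_rules /etc/iptables/rules` and `lint_rules /etc/iptables/ipv6_rules inet6` before restarting the service; each finding carries the file name and line number. Against the constructed IPv6 sample it reports four problems (the jump to and the rule in the undeclared LOGGING chain, the `-p icmp` match and the missing `COMMIT`); run as `inet` the same file yields three, since the protocol check only applies to ip6tables.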