Introduction:
Setting up iptables-persistent on Debian allows your firewall rules to survive system reboots. This guide walks you through installing and configuring iptables-persistent with a small script, so that the rules you apply are the rules that come back after a reboot.
1. Purpose of the Script:
The purpose of this script is to simplify the deployment and initial configuration of iptables-persistent on a Debian-based system. It automates the process of installing iptables-persistent, creating rules based on user input for allowed hosts, ports, and protocols, and ensuring that the configured rules persist across reboots.
2. Creating the Script:
To create this script, follow these steps:
- Open a text editor on your Debian-based system (e.g., nano or vim).
- Copy and paste the script below into the editor.
- Save the script with an appropriate name, such as firewall_setup.sh.
- Make the script executable by running: chmod +x firewall_setup.sh.

The script:

#!/bin/bash
# Stop at the first failing command so an apt or iptables error cannot leave
# the firewall half-configured.
set -e
# Function to check if a command exists
command_exists() {
    command -v "$1" >/dev/null 2>&1
}
# Function to install iptables-persistent (pulls in the netfilter-persistent
# service and the /usr/sbin/netfilter-persistent helper it uses)
install_iptables_persistent() {
    echo "Installing iptables-persistent..."
    apt update
    apt install -y iptables-persistent
}
# Function to enable iptables-persistent so it runs at boot
enable_iptables_persistent() {
    echo "Enabling iptables-persistent..."
    systemctl enable netfilter-persistent
}
# Check if iptables-persistent is installed. iptables-save alone only shows
# that iptables itself is present, so test for the netfilter-persistent helper.
if ! command_exists netfilter-persistent; then
    install_iptables_persistent
    enable_iptables_persistent
fi
# Check if the netfilter-persistent service is active, and start it if not.
# Grepping the status text for "active" would also match "inactive", so ask
# systemd directly.
if ! systemctl is-active --quiet netfilter-persistent; then
    echo "Starting iptables-persistent service..."
    systemctl start netfilter-persistent
fi
# User Input - Choosing Host Type and Providing Details
echo "Choose the type of host input:"
echo "1) single"
echo "2) subnet"
echo "3) file"
read -p "Enter your choice: " host_type
case $host_type in
    1)
        read -p "Enter the IP of the host (e.g., 10.0.1.1/32): " host
        source_address="-s $host"
        ;;
    2)
        read -p "Enter the subnet (e.g., 10.0.1.0/24): " subnet
        source_address="-s $subnet"
        ;;
    3)
        read -p "Enter the full path to the hosts file: " hosts_file
        if [ -f "$hosts_file" ]; then
            # One address per line. Join them with commas and no trailing comma;
            # iptables expands a comma-separated -s list into one rule per address.
            source_address="-s $(grep -v '^[[:space:]]*$' "$hosts_file" | paste -sd, -)"
        else
            echo "Error: File not found. Exiting."
            exit 1
        fi
        ;;
    *)
        echo "Invalid choice. Exiting."
        exit 1
        ;;
esac
# User Input - Ports and Protocol
read -p "Enter the port(s) you want to allow (comma-separated): " ports
echo "Choose the protocol:"
echo "1) tcp"
echo "2) udp"
echo "3) both"
read -p "Enter your choice: " protocol
case $protocol in
    1) protos="tcp" ;;
    2) protos="udp" ;;
    3) protos="tcp udp" ;;
    *) echo "Invalid choice. Exiting."; exit 1 ;;
esac
# Function to print one iptables command per port and protocol. The same list
# is shown to the user and later executed, so the two cannot drift apart.
build_rules() {
    for p in $(echo "$ports" | tr ',' ' '); do
        case $p in
            ''|*[!0-9]*) echo "Invalid port: $p. Exiting." >&2; return 1 ;;
        esac
        for proto in $protos; do
            echo "iptables -A INPUT -p $proto --dport $p $source_address -j ACCEPT"
        done
    done
}
# Proposed Rules
rules=$(build_rules)
[ -n "$rules" ] || { echo "No ports given. Exiting."; exit 1; }
echo "Proposed rules:"
echo "$rules"
# User Confirmation
read -p "Is it OK to proceed? (y/n): " confirm
if [[ $confirm =~ ^[Yy]$ ]]; then
    # Flush the current rules
    iptables -F
    # Set INPUT to DROP as default
    iptables -P INPUT DROP
    # Allow loopback interface
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # Allow established and related incoming connections
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Add proposed rules to iptables, running each printed line as a command
    echo "$rules" | while read -r cmd; do
        $cmd
    done
    # Save rules to /etc/iptables/rules.v4 (the ip6tables set, which this
    # script does not touch, is saved to /etc/iptables/rules.v6 at the same time)
    /etc/init.d/netfilter-persistent save
    echo "Firewall rules applied successfully."
    # Display current iptables rules
    echo "Current iptables rules:"
    iptables -nvL
else
    echo "Exiting without making changes."
fi
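The script above takes the hosts file, the port list and the chosen protocol on trust and builds its rules by string concatenation. The following is an added example, not part of the original script, of the two pieces a practitioner would want in front of that: validation of the address and port values, and a function that renders the resulting rule set directly in the iptables-save format that netfilter-persistent keeps in /etc/iptables/rules.v4, so the file can be checked with `iptables-restore --test` before it is applied. The function names (valid_cidr, valid_port, read_hosts_file, render_rules) and the sample hosts file content are the example's own.

```sh
#!/bin/sh
# Added example (not part of the original script): validate the addresses and
# ports the firewall script reads from the user, and render the resulting rule
# set in iptables-save format, the layout netfilter-persistent keeps in
# /etc/iptables/rules.v4. Function names are the example's own.

# valid_cidr ADDR: accept a.b.c.d or a.b.c.d/N (octets 0-255, N 0-32).
valid_cidr() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # bare address: treat as /32
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_port PORT: integer in 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# read_hosts_file FILE: print the addresses in FILE joined by commas, skipping
# blank lines and '#' comments; return 1 on the first invalid entry. Unlike
# `tr '\n' ','` this leaves no trailing comma, which would give iptables an
# empty address entry.
read_hosts_file() {
    out=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d ' \t')
        [ -z "$line" ] && continue
        valid_cidr "$line" || { printf 'invalid address: %s\n' "$line" >&2; return 1; }
        out="${out:+$out,}$line"
    done < "$1"
    printf '%s\n' "$out"
}

# render_rules SOURCES PORTS PROTO: print an iptables-restore file for the
# filter table with the same baseline the setup script applies. SOURCES and
# PORTS are comma-separated, PROTO is tcp, udp or both. Returns 1 on invalid
# input, printing nothing. One rule per source is emitted, which is how
# iptables-save itself writes a rule given a comma-separated -s list.
render_rules() {
    srcs=$(printf '%s' "$1" | tr ',' ' ')
    plist=$(printf '%s' "$2" | tr ',' ' ')
    case $3 in tcp|udp) protos=$3 ;; both) protos="tcp udp" ;; *) return 1 ;; esac
    n=0
    for s in $srcs; do valid_cidr "$s" || return 1; n=$((n + 1)); done
    [ "$n" -gt 0 ] || return 1
    n=0
    for p in $plist; do valid_port "$p" || return 1; n=$((n + 1)); done
    [ "$n" -gt 0 ] || return 1
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in $plist; do
        for proto in $protos; do
            for s in $srcs; do
                printf '%s\n' "-A INPUT -s $s -p $proto -m $proto --dport $p -j ACCEPT"
            done
        done
    done
    printf '%s\n' COMMIT
}
```

To use it with the setup script, replace the `-s $(...)` construction with `source_address="-s $(read_hosts_file "$hosts_file")" || exit 1`, and before applying anything run, as root, `render_rules 10.0.1.0/24 22,443 tcp > /tmp/rules.v4 && iptables-restore --test /tmp/rules.v4`; a file that passes that check is what netfilter-persistent will load at boot once copied to /etc/iptables/rules.v4.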
 
3. Script Overview:
The script performs the following steps:
- Checks if iptables-persistent is installed, and installs it if not.

./firewall.sh
Installing iptables-persistent...
(...)
Unpacking iptables-persistent (1.0.15) ...
Setting up netfilter-persistent (1.0.15) ...
Setting up iptables-persistent (1.0.15) ...
update-alternatives: using /lib/systemd/system/netfilter-persistent.service to provide /lib/systemd/system/iptables.service (iptables.service) in auto mode
Processing triggers for man-db (2.9.4-2) ...
Processing triggers for libc-bin (2.31-13+deb11u5) ...

- Checks if iptables-persistent is running, and starts it if not.
- Asks the user for the type of host input (single host, subnet, or file containing multiple hosts).

Choose the type of host input:
1) single
2) subnet
3) file
Enter your choice: 2
Enter the subnet (e.g., 10.0.1.0/24): 10.0.1.0/24

- Based on user input, gathers information about the source addresses (IP or subnet).

Enter the subnet (e.g., 10.0.1.0/24): 10.0.1.0/24

- Prompts the user for the ports and protocol type (TCP, UDP, or both).

Enter the port(s) you want to allow (comma-separated): 22,80,443
Choose the protocol:
1) tcp
2) udp
3) both
Enter your choice: 1

- Displays proposed rules based on user input.

Proposed rules:
iptables -A INPUT -p tcp --dport 22 -s 10.0.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -s 10.0.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 10.0.1.0/24 -j ACCEPT

- Asks the user for confirmation before applying the rules.

Is it OK to proceed? (y/n): y

- Flushes existing rules and sets the default policy to DROP.
- Allows loopback traffic, established, and related connections.
- Adds user-specified rules to iptables.
- Saves rules to /etc/iptables/rules.v4.

Saving netfilter rules...run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save
done.
Firewall rules applied successfully.

- Displays the current iptables rules.

Current iptables rules:
Chain INPUT (policy DROP 1 packets, 40 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    2    80 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       10.0.1.0/24          0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       10.0.1.0/24          0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       10.0.1.0/24          0.0.0.0/0            tcp dpt:443
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0

This example demonstrates the user interaction, proposed rules, and the resulting iptables configuration.
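Whatever is in /etc/iptables/rules.v4 is what netfilter-persistent restores at boot, and the save step above also wrote an untouched rules.v6 through the 25-ip6tables plugin, so it is worth auditing the saved files themselves rather than only reading `iptables -nvL` on the running system. The following added example, not from the original post, parses a rules file in iptables-save format, lists which ports each INPUT rule opens and from where, and fails if the baseline the script sets (INPUT policy DROP, loopback accepted, ESTABLISHED,RELATED accepted) is missing. The sample rules file it writes is constructed to match the run shown above; open_ports, audit_rules and write_sample are the example's own names.

```sh
#!/bin/sh
# Added example (not from the original post): audit a saved rules file in the
# iptables-save format that netfilter-persistent writes to /etc/iptables/rules.v4
# and rules.v6. Names are the example's own.

# open_ports FILE: print "proto port source" for every INPUT ACCEPT rule that
# carries a --dport. A rule without -s is reported with source 0.0.0.0/0 (any).
open_ports() {
    awk '
        /^-A INPUT / && /-j ACCEPT/ && /--dport/ {
            src = "0.0.0.0/0"; proto = "?"; port = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            print proto, port, src
        }' "$1"
}

# audit_rules FILE: print one finding per line and return 1 if the baseline the
# setup script establishes is missing from FILE: INPUT policy DROP, loopback
# accepted and ESTABLISHED,RELATED accepted. Ports reachable from any source
# are reported as WARN, everything else as INFO.
audit_rules() {
    file=$1; rc=0
    policy=$(sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p' "$file")
    if [ "$policy" != "DROP" ]; then
        echo "FAIL: INPUT policy is '${policy:-unset}', expected DROP"; rc=1
    fi
    grep -q '^-A INPUT -i lo -j ACCEPT' "$file" \
        || { echo "FAIL: loopback traffic is not accepted"; rc=1; }
    grep -q '^-A INPUT .*--ctstate [A-Z,]*ESTABLISHED' "$file" \
        || { echo "FAIL: no ESTABLISHED,RELATED rule; replies to existing sessions would be dropped"; rc=1; }
    open_ports "$file" | while read -r proto port src; do
        case $src in
            0.0.0.0/0|::/0) echo "WARN: $proto/$port is open to any source" ;;
            *)              echo "INFO: $proto/$port allowed from $src" ;;
        esac
    done
    return $rc
}

# write_sample FILE: write a constructed rules.v4, in the shape iptables-save
# produces for the run in the post (10.0.1.0/24 allowed to tcp 22 and 443).
write_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.1.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# Demo on the constructed sample; on a real host run: audit_rules /etc/iptables/rules.v4
sample=$(mktemp)
write_sample "$sample"
audit_rules "$sample"
rm -f "$sample"
```

Running the same audit against /etc/iptables/rules.v6 after the script's save step shows the other half of the picture: that file carries the ip6tables state the script never touched, so its INPUT policy will still be ACCEPT.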
Conclusion:
By setting up iptables-persistent you ensure that your firewall rules are restored after a reboot, so the protection you configured on your Debian system does not silently disappear the next time it restarts.


