Current revision: 0.5
Last update: 2018-11-04 07:56:26 +0000 UTC
The fool doth think he is wise, but the wise man knows himself to be a fool.
W. Shakespeare , As You Like It - 1603 A.D.
This simple firewall configuration is specific to the Debian GNU/Linux distribution which is my default choice for Linux server deployments.
First install the
ipset tool using
$ sudo apt-get install ipset
Then create the file
/etc/iptables.rules using your favorite editor. Here is the most simple ruleset:
*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m tcp --dport 80 -m set --match-set gr.zone src -j ACCEPT -A INPUT -p tcp -m tcp --dport 443 -m set --match-set gr.zone src -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 -A INPUT -j REJECT --reject-with icmp-port-unreachable -A FORWARD -j REJECT --reject-with icmp-port-unreachable -A OUTPUT -j ACCEPT COMMIT
This ruleset allows connections from
gr.zone to ports 80 and 443 (HTTP and HTTPS). The
gr.zone is a collection of IP addresses originating from Greece but allows connections to port 22 from anywhere.
NOTE: That’s not my exact setup. I never run secure shell servers on default ports and I never use password authentication. The era of password-based SSH authentication has long gone!
Finally create the following file,
/etc/network/if-pre-up.d/iptables and copy paste the following:
#!/bin/sh # Greek IP Zone ipset -F gr.zone ipset -N gr.zone nethash for IP in $(wget -O - http://www.ipdeny.com/ipblocks/data/countries/gr.zone) do ipset -A gr.zone $IP echo $IP done # Load firewall rules /sbin/iptables-restore < /etc/iptables.rules
Now turn this file into an executable:
$ sudo chmod +x /etc/network/if-pre-up.d/iptables
Now just restart the server. Debian will execute this file on every server restart, so you won’t have to worry about manually loading the firewall every time.
That’s it! You can substitude Greece (gr) with any other country zone code (e.g. de, uk, us, jp, cn, ca, etc)
ps. OpenBSD’s firewall, pf, can achieve the same result reading the list of IP addresses from a file. I found pf’s approach in the past a lot easier and way more readable that this.