
Make the configuration of iptables persistent (Debian)

22/03/2017 Categories: Security, System

Objective

To make the configuration of iptables persistent on a Debian-based system

Background

The iptables and ip6tables commands can be used to instruct Linux to perform functions such as firewalling and network address translation; however, the configuration that they create is non-persistent and is lost whenever the machine is rebooted. For most practical applications this is not the desired behaviour, so some means is needed to reinstate the configuration at boot time.

For security, the iptables configuration should be applied at an early stage of the bootstrap process: preferably before any network interfaces are brought up, and certainly before any network services are started or routing is enabled. If this is not done then there will be a window of vulnerability during which the machine is remotely accessible but not firewalled.

Scenario

Suppose you have a machine that you wish to protect using a firewall. You have written iptables and ip6tables rulesets, and wish to install them so that they will remain active if the machine is rebooted.

Method

Overview

The method described here has three steps:

  1. Install the iptables-persistent package.
  2. Place the required rulesets in the /etc/iptables directory.
  3. Start the iptables-persistent service.

The second and third steps can be repeated whenever there is a need to change one or both of the rulesets.

Install the iptables-persistent package

On recent Debian-based systems the iptables configuration can be made persistent using the iptables-persistent package:

apt-get install iptables-persistent

This package first became available in Debian (Squeeze) and Ubuntu (Lucid).

Place the required rulesets in the /etc/iptables directory

Recent versions of iptables-persistent have two configuration files:

  • /etc/iptables/rules.v4 for the IPv4 ruleset, and
  • /etc/iptables/rules.v6 for the IPv6 ruleset.

These pathnames are correct from version 0.5 of iptables-persistent onwards, corresponding to Debian (Wheezy) and Ubuntu (Oneiric). Prior to that, the IPv4 ruleset was located at /etc/init.d/rules (no suffix). IPv6 support was unavailable prior to version 0.0.20101230, corresponding to Debian (Wheezy) and Ubuntu (Natty).

The ruleset files should be in a format suitable for use by the iptables-restore or ip6tables-restore command, as appropriate. Here is an example for configuring the IPv4 filter table:

# Generated by iptables-save v1.4.8 on Thu Jan 12 21:54:29 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [27:3068]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Jan 12 21:54:29 2012

The required format of this file does not appear to be well-documented, although a partial description can be found in the Iptables Tutorial. Fortunately there are alternatives to writing it from scratch:

  • Recent versions of iptables-persistent offer to create the files from the current live configuration when the package is installed. You can arrange for this offer to be repeated using the dpkg-reconfigure command.
  • You can achieve the same effect more directly using the iptables-save and ip6tables-save commands, for example:
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
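Because the file format is thinly documented and a syntactically valid rules.v4 can still leave a host unfiltered (INPUT policy ACCEPT with no terminal DROP/REJECT rule, or a table that is never committed), here is an added sanity check to run over a candidate file before copying it into /etc/iptables. It is example code written for this page, not part of the original article or of the iptables-persistent package; the GOOD and BAD inputs are constructed samples, GOOD being a trimmed copy of the example above.

```python
import re
CHAIN_RE = re.compile(r"^:(\S+) (ACCEPT|DROP|-) \[\d+:\d+\]$")  # :NAME POLICY [pkts:bytes]

def check_ruleset(text):
    """List problems in an iptables-save ruleset: a *table with no COMMIT
    (iptables-restore applies a table only on COMMIT), -A to an undeclared
    chain, and INPUT defaulting to ACCEPT with no final DROP/REJECT rule."""
    problems, table, chains = [], None, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            if table is not None:
                problems.append(f"line {lineno}: *{table} has no COMMIT")
            table, chains = line[1:], {}
        elif line == "COMMIT":
            inp = chains.get("INPUT")
            if table == "filter" and inp and inp["policy"] == "ACCEPT" \
                    and inp["last"] not in ("DROP", "REJECT"):
                problems.append(f"line {lineno}: INPUT accepts by default, no final DROP/REJECT")
            table = None
        elif line.startswith(":"):
            m = CHAIN_RE.match(line)
            if m:
                chains[m.group(1)] = {"policy": m.group(2), "last": None}
            else:
                problems.append(f"line {lineno}: bad chain header {line!r}")
        elif line.startswith("-A "):
            parts = line.split()
            if parts[1] not in chains:
                problems.append(f"line {lineno}: unknown chain {parts[1]}")
            else:  # remember the chain's last target (None if the rule has no -j)
                tgt = parts[parts.index("-j") + 1] if "-j" in parts else None
                chains[parts[1]]["last"] = tgt
    if table is not None:
        problems.append(f"end of file: *{table} has no COMMIT")
    return problems

# Constructed samples: the page's example, trimmed, and a file with no COMMIT whose INPUT chain is wide open
GOOD = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""
BAD = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
"""
```

This complements rather than replaces `iptables-restore --test` (and `ip6tables-restore --test`), which parses a file without committing it and catches syntax errors the script does not try to cover; the policy check here catches what a syntactically valid file can still get wrong.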

Start the iptables-persistent service

The iptables-persistent service must be started or restarted for it to have an effect on the live configuration. In practice it should rarely be necessary to request this explicitly:

  • If the rulesets were constructed from the current live configuration then there is no immediate need for iptables-persistent to do anything, because the stored and live configurations are already in agreement.
  • The iptables-persistent service automatically starts when the system is rebooted.

You will need to explicitly start the service if you provide the rulesets by some other means:

service iptables-persistent start

Note that the versions of this package included with Squeeze, Lucid and Maverick respond only to start and not to restart, reload or force-reload. This has since been fixed.
