Set up a firewall on Debian 9 using iptables

Iptables is the default firewall tool in older Debian distributions.

Having a functional firewall on the server is an essential step in security work. In this guide, we will create a basic firewall that you can later extend with your own rules. The guide assumes a newly installed Cloud VM running Debian 9. If you want to set up a firewall on Debian 11 or newer, we have a guide for that here: "Set up a firewall on Debian 11 or newer using nftables".

In this guide, we show you how to configure a firewall using iptables, which is typically included by default in older Debian releases.

Install the firewall service

To get started, you need to install the packages iptables-persistent and netfilter-persistent if you haven’t done so already. These allow you to save your rules and have them applied automatically at boot.

Start by updating the package repository:

Command

apt update

Installera iptables och netfilter-persistent med följande kommando:

Command

apt install netfilter-persistent iptables-persistent

During the installation, you will be asked whether you want to save the generated rules. Choose yes here. We will edit the rules shortly thereafter.

Create firewall rules

To get started as quickly as possible, we’ll copy and paste pre‑written firewall rules. Later in the guide, we’ll show you how to add new rules.

To add the firewall rules, edit the files /etc/iptables/rules.v4 and /etc/iptables/rules.v6 for IPv4 and IPv6 respectively.

Open the rules.v4 file in your text editor (use sudo if you’re not root).

Command

nano /etc/iptables/rules.v4

The file that opens contains something similar to this:

/etc/iptables/rules.v4

# Generated by iptables-save v1.6.0 on Fri Oct 26 12:20:01 2018
*raw
:PREROUTING ACCEPT [446:35987]
:OUTPUT ACCEPT [318:52605]
COMMIT
# Completed on Fri Oct 26 12:20:01 2018
...

Replace this with the following configuration. Be sure to insert your server’s IP address wherever it says <THE SERVER IPv4 ADDRESS>:

Modified /etc/iptables/rules.v4

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#default
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -s <THE SERVER IPv4 ADDRESS>/32 -j ACCEPT
-A OUTPUT -d <THE SERVER IPv4 ADDRESS>/32 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
# TRACEROUTE
-A INPUT -p udp -m udp --dport 33434:33523 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 33434:33523 -j ACCEPT
#DNS OUT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
#NTP OUT (time sync)
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
# SSH IN
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# allow http(s) in
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# allow http()s out
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
COMMIT

Save and close the file.

Restart netfilter-persistent to load the configuration (use sudo if you're not root):

Command

systemctl restart netfilter-persistent

Verify that iptables has loaded the configuration:

Command

iptables -L

You should get an output similar to this:

Output

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  <THE SERVER IPv4 ADDRESS>-static.glesys.net  anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpts:33434:33523
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             <THE SERVER IPv4 ADDRESS>-static.glesys.net
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpts:33434:33523
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset

We have now saved the rules in the file /etc/iptables/rules.v4, allowing iptables to use them.

Using the rules above, we permit incoming traffic for traceroute, ICMP (PING), SSH, HTTP, and HTTPS, and outgoing traffic for traceroute, HTTP, and HTTPS.

Thanks to iptables-persistent and netfilter-persistent, these settings will be loaded each time you reboot the server.

Adding rules for IPv6

If your server also has an IPv6 address, add the rules in the same way as above, but edit the file /etc/iptables/rules.v6. Be sure to replace <THE SERVER IPv6 ADDRESS> with your actual IP address.

/etc/iptables/rules.v6

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#default
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -s <THE SERVER IPv6 ADDRESS>/128 -j ACCEPT
-A OUTPUT -d <THE SERVER IPv6 ADDRESS>/128 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ACCEPT
# TRACEROUTE
-A INPUT -p udp -m udp --dport 33434:33523 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 33434:33523 -j ACCEPT
#DNS OUT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
#NTP OUT (time sync)
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
# SSH IN
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# allow http(s) in
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# allow http()s out
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
COMMIT

Restart netfilter-persistent to load the configuration (use sudo if you're not root):

Command

systemctl restart netfilter-persistent

Add rules using the command line

You can add new rules either by editing /etc/iptables/rules.v4 or by inserting the rule directly from the command line.

In this example, we add a rule that allows outbound traffic on port 25 (SMTP) via the command line.

Enter the following (add sudo if you're not root):

Command

iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT

Verify that the rule was added by running:

Command

iptables -L

In the output you receive, you can see that the rule has been added (see the last line):

Output

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  one.one.one.one      anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpts:33434:33523
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             one.one.one.one
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpts:33434:33523
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp

Save the firewall settings by running the following command:

Command

iptables-save > /etc/iptables/rules.v4

When the server restarts, the settings will be loaded from /etc/iptables/rules.v4.

Summary

By following this guide—either by pasting your firewall rules directly into the configuration file or manually via commands—you’ll have a solid basic firewall setup. You’ll still need to add individual rules for each service you want to allow access to.

Note: When working with firewalls, be careful not to lock yourself out of the server by blocking SSH traffic (port 22 by default). If you lose access due to firewall settings, you may need to connect through the console to regain access. Once you’re connected via the console, you can modify your firewall rules to re‑allow SSH (or permit all traffic). If your saved firewall rules already allow SSH access, another option is simply to reboot the server. See our guide on how to reach your server via console mode.

PreviousSecure Active Directory with Windows Firewall NextSet up a firewall on Debian 11 or newer using nftables

Last updated 6 months ago

Was this helpful?