

Debian, by default, comes without a firewall tool. It does, however, include iptables, which is what all the firewall tools use under the hood. You have your pick of tools, and shorewall and ufw are well regarded, but most experienced Debian admins have settled on learning and using iptables directly, with the convention of employing iptables-persistent to manage saving and loading rules at boot time.

Let's assume that we're going to allow the system, and the users on it, to initiate outbound connections without restriction. While that is not the most secure choice, it is good for flexibility and means we only need to write inbound rules.

# Install the tool for saving and loading rules
apt install iptables-persistent

# Clear any existing rules (the chain policies are left as they were)
iptables -F

## Some general rules
# Allow all localhost traffic so we can talk to ourselves
iptables -A INPUT -i lo -j ACCEPT

# Allow responses back to us, as most traffic is two-way
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow responses to pings (if desired)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Drop any packets that are obviously invalid
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

## Application specific rules
# Allow SSH connections to destination port 22
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Allow connections from specific IPs to a specific port
# (-s takes an address or CIDR; 203.0.113.0/24 is a documentation range used
# here as a placeholder, replace it with the source you actually want to allow)
iptables -A INPUT -p tcp -s 203.0.113.0/24 --dport 2021 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

## Set the general defaults (OUTPUT stays at its default of ACCEPT)
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Check that they look good and save
iptables -L -n
service netfilter-persistent save

You'll find your saved rules in /etc/iptables/rules.v4:
cat /etc/iptables/rules.v4
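The same ruleset can be kept in the iptables-restore format that iptables-persistent stores in rules.v4 and loaded atomically, which avoids the window between "iptables -F" and the final "-P INPUT DROP" and lets a mistake roll back before it locks you out of SSH. This is an added example, not from the original page; the port and network parameters and the /tmp file names are assumptions, and 203.0.113.0/24 is a documentation range standing in for a real admin network.

```shell
#!/bin/sh
# Added example: render the page's INPUT ruleset in iptables-restore format
# (what iptables-persistent saves to /etc/iptables/rules.v4) and apply it
# with a timed rollback. Parameters are hypothetical: $1 SSH port, $2 source
# network allowed to reach $3 (the application port).
build_rules() {
    ssh_port=${1:-22}
    admin_net=${2:-203.0.113.0/24}   # placeholder documentation range
    app_port=${3:-2021}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -s ${admin_net} --dport ${app_port} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}
# Only NEW is matched per service above: ESTABLISHED,RELATED is already
# accepted by the earlier generic rule, so listing it again adds nothing.

# Apply the ruleset in one step; unless /tmp/fw.ok is created within 60
# seconds (by you, from a session that still works) the previous rules return.
apply_with_rollback() {
    rules_file=$1
    rm -f /tmp/fw.ok
    iptables-save > /tmp/rules.rollback || return 1
    # Parse and build the ruleset without committing it; refuse on syntax errors
    iptables-restore --test "$rules_file" || return 1
    iptables-restore "$rules_file" || return 1
    echo "Rules applied; run 'touch /tmp/fw.ok' within 60s to keep them"
    ( sleep 60; [ -e /tmp/fw.ok ] || iptables-restore /tmp/rules.rollback ) &
}
```

Typical use as root: `build_rules 22 203.0.113.0/24 2021 > /etc/iptables/rules.v4 && apply_with_rollback /etc/iptables/rules.v4`, then confirm from a fresh SSH login.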

Why we use -m conntrack instead of -m state: -m means match (it loads the named match extension)