ajdurant - Andy Durant

Random notes and things

iptables - (part 1)

So today I started my endeavour into the wonderful world of iptables. I don’t think I’d be the first to say that there is a steep learning curve, at least to get the most out of what it can do.

The basic setup is fairly easy, open the ports you want to use, and reject everything else. But even getting that far has interesting twists and turns. Most of the rest of this post, if just going to be me documenting what I did for future reference, (and probably most posts on this blog will be too). But hey, if it means I learn something new, have it documented so I don’t forget, and can share some knowledge with the world, then that can’t be a bad thing =)

First Steps

First things first was finding out how to configure it. My server runs Debian Squeeze, and I have to say I am still fairly new to any linux. I like Debian as how it organises itself makes sense to me, so my first thought is to look for iptables in /etc/ however it’s not.

A quick google and I find myself in a wealth of iptables information, most of it (as usual when I’m googling Debian) out of date. So I find a useful iptables guide for sarge and get some basic stuff ready.


Iptables doesn’t remember its own settings, now on first looking at this I thought it was a little stupid, but then I realised that everything else only ‘remembers’ due to loading config files.

From sarge onwards there is no init.d file for iptables, this also seems a little backwards, but I can see the sense up until Squeeze’s dependancy loading (I know there are ways to manage this pre-Squeeze but Squeeze makes it simpler). Obviously you want your firewall to be up and running before your networking has connected, otherwise you’re going to be unprotected. So now, you load your configuration from within /etc/network/{if-pre-up.d,if-post-down.d}. Now for any hardened linux user building your own config scripts and stuff would be second nature, but to me and other newbies it may come as a surprise in Debian.

More on configuring iptables in part 2.