LinuxQuestions.org
Old 02-10-2014, 02:44 PM   #1
Ryanms3030
Member
 
Registered: Jan 2014
Distribution: Debian, Mint, CentOS, Ubuntu
Posts: 261

Rep: Reputation: Disabled
Is iptables installed by default on Debian?


I decided to set up a Debian server. I did a minimal install, the only software I chose to install during install was "SSH server" and "Standard system utilities"

I changed the port for SSH and I was trying to modify my iptables to reflect the port change but I can't find an iptables config. And when I try service iptables restart or start it doesn't recognize the service. I am guessing it's not installed by default? If not is it as easy as apt-get install iptables?
 
Old 02-10-2014, 03:00 PM   #2
redd9
Member
 
Registered: Nov 2013
Location: Canada
Distribution: Ubuntu
Posts: 80
Blog Entries: 4

Rep: Reputation: 42
Iptables is part of a minimal Debian install, so no worries there. However, it is quite a pain to configure. I would recommend using a program called Shorewall to do it for you. You can find a tutorial for how to use it here. https://wiki.debian.org/HowTo/shorewall
 
Old 02-10-2014, 03:02 PM   #3
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
iptables should already be installed on your Debian server. An init script for it is not provided, by default. I did an aptitude search and found a "boot time loader for iptables" (called 'iptables-persistent'), but I've never tried it out.

I build my ruleset from the command line (or a script), save it to a configuration file, and have it loaded at boot time using /etc/rc.local.

For instance, after your ruleset is active (in memory), create a new file using:
Code:
# iptables-save > /etc/iptables-rules
And add to /etc/rc.local:
Code:
/sbin/iptables-restore < /etc/iptables-rules
 
Old 02-10-2014, 03:34 PM   #4
Ryanms3030
Member
 
Registered: Jan 2014
Distribution: Debian, Mint, CentOS, Ubuntu
Posts: 261

Original Poster
Rep: Reputation: Disabled
Thanks for the suggestions. I was using CentOS for the server but it seems like configuring iptables is a bit different between CentOS and Debian.
 
Old 02-15-2014, 02:39 PM   #5
Ryanms3030
Member
 
Registered: Jan 2014
Distribution: Debian, Mint, CentOS, Ubuntu
Posts: 261

Original Poster
Rep: Reputation: Disabled
I am back to a fresh install of Debian on my server and trying to figure out the firewall. I have been back and forth between CentOS and Debian. On CentOS I have no problem manually editing the iptables config file but I can't seem to find that file on Debian. I installed Webmin and it seems like I can add rules there. Right now all services are working: ssh on non standard port, samba, webmin web browser, samba swat web browser so I'm guessing there is no active firewall on the system since I haven't created exceptions for these.

Is webmin the best web gui to manage iptables or is there something better to use? I did try shorewall but I was a little confused as to what it was actually doing. I would like to manage it in a gui and then be able to still pull up the iptables config file in the terminal and see what I have done.

How important is a firewall on my server? It sits behind my cable modem and router and I know those have firewalls. I am not currently serving up any services to the outside world. I would like to be able to ssh in from the outside and maybe have cloud storage.
 
Old 02-15-2014, 03:13 PM   #6
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,064

Rep: Reputation: 894
Quote:
Originally Posted by Ryanms3030
How important is a firewall on my server? It sits behind my cable modem and router and I know those have firewalls.
Depends. Linux isn't as fragile as some other OSs, with respect to needing all ports closed. On the other hand, cable modems, routers, access points, etc, tend to have firewalls that are a bit suspect. Firstly, they don't tend to have a very fine level of control, second they can quite often be buggy, and thirdly, when they are buggy and in what is probably not the most frequent case those bugs get a fix, people don't tend to update the networking gear to take advantage of the fixes. I'm sure there was going to be a fourthly, but I lost concentration...


Quote:
Originally Posted by Ryanms3030
On CentOS I have no problem manually editing the iptables config file but I can't seem to find that file on Debian. I installed Webmin and it seems like I can add rules there.
There isn't really an 'iptables config file'. Many people write, eg, a bash script to create the rule set, but that isn't necessary (but useful, if you need to do, eg, any maths on IP addresses, etc).

iptables-save and iptables-restore can be used, but you have to create the rule set in the first place before you can start copying them around.

The other very common option is to use some kind of GUI front end to create the rule set; there are a number of these (but, personally, I can't really say that I ever got on with them - I thought it was easier to learn iptables, but many people would disagree). Anyway, the repos for whatever distro you are using will probably have one or several of these.

webmin has, over time, also been fairly buggy. Now this isn't too bad if you ensure that you always update it promptly when updates are available, but many people don't, and this is bad. (That's probably a reasonable generic description of all the control-panel-type-thingies, not just webmin, and if you are going to use a control panel, webmin almost certainly isn't the worst of them.)

Quote:
Originally Posted by Ryanms3030
ssh on non standard port...
Just be aware that ssh on a non-standard port isn't a particularly good security measure. Someone who can scan your server can find out the new ssh port in 30 seconds, so it does give you an extra 30 seconds, if that is important to you (that's a bit unfair - non-standard ports, along with other measures may be perfectly adequate, but non-standard port as the only measure is likely to be worse than nothing, except against the more feeble of the script kiddies).

Edit:
And, to the question of the title, iptables is likely to be installed by default on almost any distro.

That then is that the kernel(s) will be configured to have the appropriate interfaces, but there won't be any rules. In this condition it is there, but it doesn't do anything. It doesn't do anything at all for you, without rules.

Last edited by salasi; 02-15-2014 at 03:18 PM.
 
Old 02-15-2014, 03:14 PM   #7
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,284

Rep: Reputation: 371
I don't think Debian configures iptables to have any traffic blocked out of the box (i.e. iptables is configured to allow all traffic). If you want a different behavior, you'll have to write the iptables rules yourself and find some way to load them at boot time. The method that anomie posted above is the one that I use on my own servers.

If you're already behind a different firewall, IMO, then having a packet filter on the box is less necessary. It still may be a good idea though in case (1) you want to protect the machine from other systems that are also behind the upstream firewall and (2) defense in depth is usually a good idea.

I've never used webmin or any of the other GUI config tools. Writing iptables rules on the command line is not that difficult once you get over the initial learning curve (Google for iptables tutorial or similar). However, when first loading a ruleset, be sure you're someplace where you can physically get to the system console, as it's possible to lock yourself out if you mess up the ruleset. I know because I've locked myself out of a few machines over the years...
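
The save/restore workflow from post #3 combined with the lock-out warning from post #7, as an added example that is not part of any poster's message. The port 2222, the staging path and the function names are assumptions made for illustration; the ruleset is a constructed default-deny sample that only admits SSH.

```shell
# Added example, not from the thread. Port 2222 and the staging path are assumed values.

# Print a minimal default-deny ruleset in iptables-save / iptables-restore format.
gen_rules() {
    ssh_port=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Lock-out sanity check: succeed only if INPUT policy is ACCEPT or the file has
# an ACCEPT rule for tcp --dport <port>. It does not model rule order or
# address matches, so it catches a forgotten or mistyped port, nothing subtler.
ssh_stays_open() {
    file=$1; port=$2
    awk -v port="$port" '
        /^:INPUT ACCEPT/ { ok = 1 }
        /^-A INPUT / && / -p tcp / && / -j ACCEPT$/ {
            for (i = 1; i < NF; i++)
                if ($i == "--dport" && $(i + 1) == port) ok = 1
        }
        END { exit ok ? 0 : 1 }
    ' "$file"
}

# Write the ruleset to a staging file and refuse to hand it on if the check fails.
stage_rules() {
    port=$1; out=$2
    gen_rules "$port" > "$out" || return 1
    if ! ssh_stays_open "$out" "$port"; then
        echo "refusing $out: no ACCEPT rule for tcp/$port" >&2
        return 1
    fi
    echo "$out"
}

stage_rules 2222 "${TMPDIR:-/tmp}/iptables-rules.new"
# Then, as root and with console access available:
#   iptables-restore --test < /tmp/iptables-rules.new   # parse only, nothing committed
#   iptables-restore < /tmp/iptables-rules.new
#   cp /tmp/iptables-rules.new /etc/iptables-rules      # file loaded by the rc.local line
```

Generating the file needs no privileges, so the ruleset can be reviewed and checked before anything touches the running firewall.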
 
  

