Firewall in Debian # nano /etc/firewall.sh # almost http://www.hut.fi/~tkarvine/firewall-iptables.html # cd /etc/init.d/ # ln -s ../firewall.sh firewall # update-rc.d firewall start 40 S . stop 89 0 6 . Adding system startup for /etc/init.d/firewall ... /etc/rc0.d/K89firewall -> ../init.d/firewall /etc/rc6.d/K89firewall -> ../init.d/firewall /etc/rcS.d/S40firewall -> ../init.d/firewall ... and now it should work... ### /etc/network/interfaces # This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). # The loopback network interface auto lo iface lo inet loopback pre-up iptables -P INPUT DROP # The primary network interface auto eth0 iface eth0 inet dhcp pre-up iptables -P INPUT DROP up /etc/init.d/firewall # The pre-up iptables line is meant to stop networking if the firewall script fails # to load. /etc/firewall.sh may need to run again if dhcp changes # /etc/resolv.conf And tested with # iptables -P INPUT ACCEPT # ifdown eth0 # ifup eth0 # iptables -L # Works, because INPUT policy is DROP again. #!/bin/sh # /etc/firewall.sh - Configurable per-host firewall for workstations and # servers. (c) 2003-2004 Tero Karvinen - tero karvinen at iki fi - GPL # 2004-11-30 Integrating to Debian using /etc/network/interfaces # 2004-11-14 Add holes for nameservers. 
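# About my network
# Resolver addresses are taken from /etc/resolv.conf. Only lines that
# actually start with "nameserver" count, so a commented-out entry
# ("#nameserver ...") does not get a hole punched for it. Whatever writes
# resolv.conf (typically the DHCP client) therefore decides which source
# addresses are listed here; re-run this script after a lease change.
DNSSERVERS=$(awk '/^nameserver/{print $2}' /etc/resolv.conf)

# Stop at the first failing iptables command instead of continuing and
# reporting "Done." on a half-loaded rule set. The INPUT policy is set to
# DROP before any rule is added, so a failure leaves the host closed.
set -e

# Cleanup old rules
# All the time firewall is in a secure, closed state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables --flush          # Flush all rules, but keep policies
iptables --delete-chain

## Workstation Minimal firewall ###
# Loopback is only accepted between 127.0.0.1 and itself, not for the
# whole 127/8 range.
iptables -A INPUT -i lo --source 127.0.0.1 --destination 127.0.0.1 -j ACCEPT
# Replies to connections this host opened (incl. UDP/ICMP tracked by
# conntrack) come in through this rule.
iptables -A INPUT -m state --state "ESTABLISHED,RELATED" -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT # for traceroute
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Holes for the nameservers: accept DNS replies coming back from each
# configured resolver. A reply has source port 53 on the resolver side;
# matching --dport 53 here would instead accept new inbound connections
# to a local port 53, which is not what a resolving client needs.
# (Replies are normally already matched by the ESTABLISHED,RELATED rule
# above; this keeps name resolution working even if conntrack misses.)
# $DNSSERVERS is deliberately unquoted so it word-splits into addresses.
for DNS in $DNSSERVERS
do
  iptables -A INPUT --source "$DNS" -p tcp --sport 53 -j ACCEPT
done

# Drop outside X window system connections (in case high ports
# are opened in holes)
iptables -A INPUT -p tcp --dport 6000:6010 -j DROP

####### HOLES #######
# Edit holes below, then run this script again
#iptables -A INPUT -p tcp --dport 1024:65535 -j ACCEPT
#iptables -A INPUT -p udp --dport 1024:65535 -j ACCEPT
#iptables -A INPUT -p tcp --dport ssh -j ACCEPT
#iptables -A INPUT -p tcp --dport http -j ACCEPT
#iptables -A INPUT -p tcp --dport https -j ACCEPT
#iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
#OpenVPN:
#iptables -A INPUT -p udp --dport 1194 -j ACCEPT
#iptables -A INPUT -i eth0 --destination 10.0.0.1/255.0.0.0 -j LOG
#iptables -A INPUT -i eth0 --destination 10.0.0.1/255.0.0.0 -j DROP
#iptables -A INPUT -i tun+ -j ACCEPT
#iptables -A INPUT -i lo -j ACCEPT
##################### Edit above

# Optional: log what is about to be dropped, rate-limited so a flood
# cannot fill the log.
#iptables -A INPUT -j LOG -m limit --limit 40/minute
# Explicit final DROP; the chain policy is DROP as well, so this mainly
# makes the end of the rule set visible in "iptables -L" counters.
iptables -A INPUT -j DROP
echo "$0: Done."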