Home » Tag: iptables

Tag Archives: iptables

Home » Tag: iptables

What is Firewall?

What is Firewall?

What is Firewall?

What is Firewall?

A firewall is a network security device located between your internal network and the wider Internet. A firewall monitors incoming and outgoing network traffic – blocking or allowing it based on a set of configurable rules.

Firewalls are a fundamental piece of security and typically form the first line of defense on a network. Acting as a filter against bad connections from the outside world.

A firewall works by comparing the data sent into or out of the network against a list of rules. Based on the results of the rule checking, the firewall will then either block or allow the connection.

How Does Firewall Work?

Introduction

A firewall is a system that provides network security by filtering incoming and outgoing network traffic based on a set of user-defined rules. In general, the purpose of a firewall is to reduce or eliminate the occurrence of unwanted network communications while allowing all legitimate communication to flow freely. In most server infrastructures, firewalls provide an essential layer of security that, combined with other measures, prevent attackers from accessing your servers in malicious ways.

This guide will discuss how firewalls work, with a focus on stateful software firewalls, such as iptables and FirewallD, as they relate to cloud servers. We’ll start with a brief explanation of TCP packets and the different types of firewalls. Then we’ll discuss a variety of topics that a relevant to stateful firewalls. Lastly, we will provide links to other tutorials that will help you set up a firewall on your own server.

TCP Network Packets

Before discussing the different types of firewalls, let’s take a quick look at what Transport Control Protocol (TCP) network traffic looks like.

TCP network traffic moves around a network in packets, which are containers that consist of a packet header—this contains control information such as source and destination addresses, and packet sequence information—and the data (also known as a payload). While the control information in each packet helps to ensure that its associated data gets delivered properly, the elements it contains also provides firewalls a variety of ways to match packets against firewall rules.

It is important to note that successfully receiving incoming TCP packets requires the receiver to send outgoing acknowledgment packets back to the sender. The combination of the control information in the incoming and outgoing packets can be used to determine the connection state (e.g. new, established, related) of between the sender and receiver.

Types of Firewalls

Let’s quickly discuss the three basic types of network firewalls: packet filtering (stateless), stateful, and application layer.

Packet filtering, or stateless, firewalls work by inspecting individual packets in isolation. As such, they are unaware of connection state and can only allow or deny packets based on individual packet headers.

Stateful firewalls are able to determine the connection state of packets, which makes them much more flexible than stateless firewalls. They work by collecting related packets until the connection state can be determined before any firewall rules are applied to the traffic.

Application firewalls go one step further by analyzing the data being transmitted, which allows network traffic to be matched against firewall rules that are specific to individual services or applications. These are also known as proxy-based firewalls.

In addition to firewall software, which is available on all modern operating systems, firewall functionality can also be provided by hardware devices, such as routers or firewall appliances. Again, our discussion will be focused on stateful software firewalls that run on the servers that they are intended to protect.

Firewall Rules

As mentioned above, network traffic that traverses a firewall is matched against rules to determine if it should be allowed through or not. An easy way to explain what firewall rules looks like is to show a few examples, so we’ll do that now.

Suppose you have a server with this list of firewall rules that apply to incoming traffic:

  1. Accept new and established incoming traffic to the public network interface on port 80 and 443 (HTTP and HTTPS web traffic)
  2. Drop incoming traffic from IP addresses of the non-technical employees in your office to port 22 (SSH)
  3. Accept new and established incoming traffic from your office IP range to the private network interface on port 22 (SSH)

Note that the first word in each of these examples is either “accept”, “reject”, or “drop”. This specifies the action that the firewall should do in the event that a piece of network traffic matches a rule. Accept means to allow the traffic through, reject means to block the traffic but reply with an “unreachable” error, and drop means to block the traffic and send no reply. The rest of each rule consists of the condition that each packet is matched against.

As it turns out, network traffic is matched against a list of firewall rules in a sequence, or chain, from first to last. More specifically, once a rule is matched, the associated action is applied to the network traffic in question. In our example, if an accounting employee attempted to establish an SSH connection to the server they would be rejected based on rule 2, before rule 3 is even checked. A system administrator, however, would be accepted because they would match only rule 3.

Default Policy

It is typical for a chain of firewall rules to not explicitly cover every possible condition. For this reason, firewall chains must always have a default policy specified, which consists only of an action (accept, reject, or drop).

Suppose the default policy for the example chain above was set to drop. If any computer outside of your office attempted to establish an SSH connection to the server, the traffic would be dropped because it does not match the conditions of any rules.

If the default policy were set to accept, anyone, except your own non-technical employees, would be able to establish a connection to any open service on your server. This would be an example of a very poorly configured firewall because it only keeps a subset of your employees out.

Incoming and Outgoing Traffic

As network traffic, from the perspective of a server, can be either incoming or outgoing, a firewall maintains a distinct set of rules for either case. Traffic that originates elsewhere, incoming traffic, is treated differently than outgoing traffic that the server sends. It is typical for a server to allow most outgoing traffic because the server is usually, to itself, trustworthy. Still, the outgoing rule set can be used to prevent unwanted communication in the case that a server is compromised by an attacker or a malicious executable.

In order to maximize the security benefits of a firewall, you should identify all of the ways you want other systems to interact with your server, create rules that explicitly allow them, then drop all other traffic. Keep in mind that the appropriate outgoing rules must be in place so that a server will allow itself to send outgoing acknowledgements to any appropriate incoming connections. Also, as a server typically needs to initiate its own outgoing traffic for various reasons—for example, downloading updates or connecting to a database—it is important to include those cases in your outgoing rule set as well.

Writing Outgoing Rules

Suppose our example firewall is set to drop outgoing traffic by default. This means our incoming accept rules would be useless without complementary outgoing rules.

To complement the example incoming firewall rules (1 and 3), from the Firewall Rules section, and allow proper communication on those addresses and ports to occur, we could use these outgoing firewall rules:

  1. Accept established outgoing traffic to the public network interface on port 80 and 443 (HTTP and HTTPS)
  2. Accept established outgoing traffic to the private network interface on port 22 (SSH)

Note that we don’t need to explicitly write a rule for incoming traffic that is dropped (incoming rule 2) because the server doesn’t need to establish or acknowledge that connection.

Firewall Software and Tools

Now that we’ve gone over how firewalls work, let’s take a look at common software packages that can help us set up an effective firewall. While there are many other firewall-related packages, these are effective and are the ones you will encounter the most.

Iptables

Iptables is a standard firewall included in most Linux distributions by default (a modern variant called nftables will begin to replace it). It is actually a front end to the kernel-level netfilter hooks that can manipulate the Linux network stack. It works by matching each packet that crosses the networking interface against a set of rules to decide what to do.

To learn how to implement a firewall with iptables, check out these links:

  • How To Set Up a Firewall Using IPTables on Ubuntu 14.04
  • How To Implement a Basic Firewall Template with Iptables on Ubuntu 14.04
  • How To Set Up an Iptables Firewall to Protect Traffic Between your Servers

UFW

UFW, which stands for Uncomplicated Firewall, is an interface to iptables that is geared towards simplifying the process of configuring a firewall.

To learn more about using UFW, check out this tutorial: How To Setup a Firewall with UFW on an Ubuntu and Debian Cloud Server.

FirewallD

FirewallD is a complete firewall solution available by default on CentOS 7 servers. Incidentally, FirewallD uses iptables to configure netfilter.

To learn more about using FirewallD, check out this tutorial: How To Configure FirewallD to Protect Your CentOS 7 Server.

If you’re running CentOS 7 but prefer to use iptables, follow this tutorial: How To Migrate from FirewallD to Iptables on CentOS 7.

Fail2ban

Fail2ban is an intrusion prevention software that can automatically configure your firewall to block brute force login attempts and DDOS attacks.

To learn more about Fail2ban, check out these links:

  • How Fail2ban Works to Protect Services on a Linux Server
  • How To Protect SSH with Fail2Ban on Ubuntu 14.04
  • How To Protect an Nginx Server with Fail2Ban on Ubuntu 14.04
  • How To Protect an Apache Server with Fail2Ban on Ubuntu 14.04

Conclusion

Now that you understand how firewalls work, you should look into implementing a firewall that will improve your security of your server setup by using the tutorials above.

A firewall is a software program or piece of hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet. If you can’t start Windows Firewall or you are getting an error, use Microsoft free tool to diagnose and fix problems.

  • If you use a computer at home, the most effective and important first step you can take to help protect your computer is to turn on a firewall.
  • Windows 8, Windows 7, Windows Vista, and Windows XP SP2 or higher have a firewall built-in and turned on by default. (Note: Support for Windows XP ended in April 2014.)
  • If you have more than one computer connected in the home, or if you have a small-office network, it is important to protect every computer. You should have a hardware firewall (such as a router) to protect your network, but you should also use a software firewall on each computer to help prevent the spread of a virus in your network if one of the computers becomes infected.
  • If your computer is part of a business, school, or other organizational network, you should follow the policy established by the network administrator.

Automatically diagnose and fix problems with Windows Firewall

Follow these steps to automatically repair Windows Firewall problems:
 
    • Select the Download button on this page.
    • In the File Download dialog box, click Run or Open, and then follow the steps in the Windows Firewall Troubleshooter.
Notes
  • This troubleshooter might be in English only. However, the automatic fix also works for versions of Windows in other languages.
  • If you’re not on the computer that has the problem, save the troubleshooter to a flash drive or a CD, and then run it on the computer that has the problem.
Download
What it fixes
    • Windows Firewall isn’t the default firewall
    • Windows Firewall doesn’t start
    • Windows couldn’t start Windows Firewall (Service-specific error 5 (0x5))
    • Remote Assistance isn’t working because it’s blocked by Windows Firewall
    • You’re unable to access shared files and printers because sharing is blocked by Windows Firewall
    • BFE service is missing
    • Firewall won’t start (Error Code 80070424)
Runs on
    • Windows 7
    • Windows 8
    • Windows 8.1
    • Windows 10

What is a firewall?

A firewall is a network security device located between your internal network and the wider Internet. A firewall monitors incoming and outgoing network traffic – blocking or allowing it based on a set of configurable rules.

Firewalls are a fundamental piece of security and typically form the first line of defence on a network. Acting as a filter against bad connections from the outside world.

A firewall works by comparing the data sent into or out of the network against a list of rules. Based on the results of the rule checking, the firewall will then either block or allow the connection.

How does a firewall work?

Firewalls work by inspecting data packets (small chunks of data) against an internal list of rules. Here are some of the more common ones:

  • IP addresses – filter out traffic from suspicious IPs
  • Domain names – block traffic from known malicious domains
  • Ports – deny traffic trying to enter through a certain port
  • Contents – block data packets containing certain keywords

A firewall scans the contents of the packet and then determines whether to let it through based on the rules in place. On a typical network setup, all connections to the Internet flow through the firewall. Meaning it inspects all inbound or outgoing packets.

How does firewall inspection work?

The process of inspection involves comparing a packet’s contents against the firewall’s set of rules. Depending on if the rule is setup as a blacklist or whitelist, it will react differently to a match.

  • A blacklist rule will block any packets which match the criteria.
  • A whitelist rule will block any packets which don’t match the criteria.

A firewall’s rules are highly configurable. Meaning you can make the packet inspection process unique to your security setup. Here are some examples of how you could use custom firewall rules:

  • Creating a whitelist for your own company IP. Preventing any outsiders from accessing what’s behind the firewall.
  • Making a blacklist for the IP of a known malicious file server. Stopping it from distributing malware onto your network.
  • Creating a whitelist for certain domain extensions (.com, .co.uk .edu e.t.c.) on outgoing traffic. Blocking staff from accessing potentially dangerous sites.

Why are firewalls important?

Firewalls are often compared to a lock on the door to your network. But it might be more accurate to say that a firewall is the door.

Without a firewall in place, any connection can flow freely in or out of your network. Including connections from known malicious sources. This means you could experience unauthorised access to networked files. Leading to a data breach, malware infection or worse.

You need a firewall to filter out the bulk of malicious connections. And there’s a lot of malicious connections. One study found that within 52 seconds of being online, servers were being probed by hackers. With an average rate of 757 connection attempts per hour.

Are firewalls hardware or software?

Firewalls can be either a hardware appliance or a piece of software which runs on a machine. So, the answer is both.

Not helpful, I know.

But the main difference between the two is this:

  • Software firewalls tend to protect the individual machine it’s installed upon, typically a laptop or PC
  • Hardware firewalls usually protect many machines or an entire network.

What types of firewall are there?

Circuit-level

Circuit level firewalls are a type of firewall that monitors transmission control protocol (TCP) handshaking. It ensures that the communication between packets is legitimate and not malicious.

Stateful inspection

A firewall with stateful inspection considers the state of current connections when filtering packets. This means that the firewall can block the packet in one case but allowed in another. Depending on the current state of the connection.

Unified threat management (UTM)

Whilst technically not a type of firewall, UTM is instead an advanced security appliance which combines the security functions of many different security appliances. One of these being a firewall. We have an article explaining everything you need to know about UTM if you wish to learn more.

What is a next-generation firewall?

A next-generation firewall (NGFW) contains all the normal defences that a traditional firewall has and more. The most common additions are intrusion prevention software and application control. But certain vendors have other bonus security features. NGFWs are also capable of deep packet inspection which enables more robust filters.

Intrusion prevention software monitors network activity to detect and stop vulnerability exploits from occurring. This is usually done by monitoring for breaches against the network policies in place.

Application control software sets up a hard filter for programs that can send or receive data over the Internet. This can either be done by blacklist (blocks any programs in the filter) or by whitelist (blocks any programs not in the filter).

What is deep packet inspection?

Deep Packet Inspection (DPI) is a type of packet inspection which analyses the full contents of a data packet. Instead of only information in a packet’s header (where it is coming from and going to).

This enables DPI to filter out malicious packets, such as viruses and trojans, with better accuracy. As rather than only looking at the sender and destination, the packet’s contents can be used in filters as well.

This allows DPI to uncover a broader range of security threats because it will discover packets with a malicious payload but an innocuous header.

Where did the name firewall come from?

A final piece of trivia: the name firewall originated from the real-world application of fire partitions used in buildings. These would be walls that were implemented into a building to act as a barrier to stop fire spreading from one room to another.

The similarity between a fire spreading through a building and a computer virus spreading through a network prompted the same name to be adopted for the network device.

Firewall

Firewall

Firewall

What is Firewall?

A firewall is a network security device located between your internal network and the wider Internet. A firewall monitors incoming and outgoing network traffic – blocking or allowing it based on a set of configurable rules.

Firewalls are a fundamental piece of security and typically form the first line of defence on a network. Acting as a filter against bad connections from the outside world.

A firewall works by comparing the data sent into or out of the network against a list of rules. Based on the results of the rule checking, the firewall will then either block or allow the connection.

How does a firewall work?

Firewalls work by inspecting data packets (small chunks of data) against an internal list of rules. Here are some of the more common ones:

  • IP addresses – filter out traffic from suspicious IPs
  • Domain names – block traffic from known malicious domains
  • Ports – deny traffic trying to enter through a certain port
  • Contents – block data packets containing certain keywords

A firewall scans the contents of the packet and then determines whether to let it through based on the rules in place. On a typical network setup, all connections to the Internet flow through the firewall. Meaning it inspects all inbound or outgoing packets.

How does firewall inspection work?

The process of inspection involves comparing a packet’s contents against the firewall’s set of rules. Depending on if the rule is setup as a blacklist or whitelist, it will react differently to a match.

  • A blacklist rule will block any packets which match the criteria.
  • A whitelist rule will block any packets which don’t match the criteria.

A firewall’s rules are highly configurable. Meaning you can make the packet inspection process unique to your security setup. Here are some examples of how you could use custom firewall rules:

  • Creating a whitelist for your own company IP. Preventing any outsiders from accessing what’s behind the firewall.
  • Making a blacklist for the IP of a known malicious file server. Stopping it from distributing malware onto your network.
  • Creating a whitelist for certain domain extensions (.com, .co.uk .edu e.t.c.) on outgoing traffic. Blocking staff from accessing potentially dangerous sites.

Why are firewalls important?

Firewalls are often compared to a lock on the door to your network. But it might be more accurate to say that a firewall is the door.

Without a firewall in place, any connection can flow freely in or out of your network. Including connections from known malicious sources. This means you could experience unauthorised access to networked files. Leading to a data breach, malware infection or worse.

You need a firewall to filter out the bulk of malicious connections. And there’s a lot of malicious connections. One study found that within 52 seconds of being online, servers were being probed by hackers. With an average rate of 757 connection attempts per hour.

Are firewalls hardware or software?

Firewalls can be either a hardware appliance or a piece of software which runs on a machine. So, the answer is both.

Not helpful, I know.

But the main difference between the two is this:

  • Software firewalls tend to protect the individual machine it’s installed upon, typically a laptop or PC
  • Hardware firewalls usually protect many machines or an entire network.

What types of firewall are there?

Circuit-level

Circuit level firewalls are a type of firewall that monitors transmission control protocol (TCP) handshaking. It ensures that the communication between packets is legitimate and not malicious.

Stateful inspection

A firewall with stateful inspection considers the state of current connections when filtering packets. This means that the firewall can block the packet in one case but allowed in another. Depending on the current state of the connection.

Unified threat management (UTM)

Whilst technically not a type of firewall, UTM is instead an advanced security appliance which combines the security functions of many different security appliances. One of these being a firewall. We have an article explaining everything you need to know about UTM if you wish to learn more.

What is a next-generation firewall?

A next-generation firewall (NGFW) contains all the normal defences that a traditional firewall has and more. The most common additions are intrusion prevention software and application control. But certain vendors have other bonus security features. NGFWs are also capable of deep packet inspection which enables more robust filters.

Intrusion prevention software monitors network activity to detect and stop vulnerability exploits from occurring. This is usually done by monitoring for breaches against the network policies in place.

Application control software sets up a hard filter for programs that can send or receive data over the Internet. This can either be done by blacklist (blocks any programs in the filter) or by whitelist (blocks any programs not in the filter).

What is deep packet inspection?

Deep Packet Inspection (DPI) is a type of packet inspection which analyses the full contents of a data packet. Instead of only information in a packet’s header (where it is coming from and going to).

This enables DPI to filter out malicious packets, such as viruses and trojans, with better accuracy. As rather than only looking at the sender and destination, the packet’s contents can be used in filters as well.

This allows DPI to uncover a broader range of security threats because it will discover packets with a malicious payload but an innocuous header.

Where did the name firewall come from?

A final piece of trivia: the name firewall originated from the real-world application of fire partitions used in buildings. These would be walls that were implemented into a building to act as a barrier to stop fire spreading from one room to another.

The similarity between a fire spreading through a building and a computer virus spreading through a network prompted the same name to be adopted for the network device.

Linux Firewall

IPTABLES: The Default Linux Firewall

iptables

iptables

What is iptables?

iptables is the userspace command line program used to configure the Linux 2.4.x and later packet filtering ruleset. It is targeted towards system administrators.

Since Network Address Translation is also configured from the packet filter ruleset, iptables is used for this, too.

The iptables package also includes ip6tables. ip6tables is used for configuring the IPv6 packet filter.

iptables requires a kernel that features the ip_tables packet filter. This includes all 2.4.x and later kernel releases.

Main Features

  • listing the contents of the packet filter ruleset
  • adding/removing/modifying rules in the packet filter ruleset
  • listing/zeroing per-rule counters of the packet filter ruleset

iptables

iptables is a built-in firewall in Linux. It is a user based application for configuring the tables provided by the Linux kernel firewall. iptables is the default firewall installed with Red Hat, CentOS, Fedora Linux, etc. Different modules and programs are used for different protocols such as iptables for IPv4, ip6tables for IPv6 and so on. It uses the concept of IP addresses, protocols (tcp, udp, icmp, etc) and ports.
iptables is a command line firewall that uses the concept of chains to handle the network traffic. It places the rules into chains, i.e., INPUT, OUTPUT and FORWARD, which are checked against the network traffic. Decisions are made as to what to do with the packets based on these rules, i.e., whether the packet should be accepted or dropped. These actions are referred to as targets. DROP and ACCEPT are commonly used predefined targets used for dropping and accepting the packets, respectively.
The three predefined chains in the filter table to which rules are added for processing IP packets are:
INPUT: These are packets destined for the host computer.
OUTPUT: These are packets originating from the
host computer.
FORWARD: These packets are neither destined for nor originate from the host computer, but pass through (routed by) the host computer. This chain is used if you are using your computer as a router.
iptable architecture comprises groups of network packets, processing rules into tables and chains for processing the rules. Rules consist of matches to determine which packet the rule will apply to and the targets. They operate at the OSI layer, i.e., the network layer.

To verify the status of iptables, execute the following command:

service iptables status

To start and stop the iptables service, use the following command:

service iptables start / stop

To open the iptables file, execute the following command is:

gedit /etc/sysconfig/iptables

Syntax for executing iptable command:

iptables -A chain firewall-rule

To restart iptables use the following command:

service iptables restart

To add rules to the existing iptables to allow ssh, use the following command:

iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

You can verify modified set of rules by seeing /etc/sysconfig/iptables file

A few examples to make you comfortable with iptables
1. To allow HTTP traffic, use the following command:

iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

2. To allow HTTPS traffic, use the following command:

iptables -A INPUT -s 9.9.9.9 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

3. To allow SSH traffic, use the following command:

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

4. To allow SNMP traffic, use the following command:

iptables -A INPUT -p udp -m state --state NEW -m udp --dport 161 -j ACCEPT

5. To change the default chain policies, use these commands:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

6. To block 9.9.9.9, use:

iptables -A INPUT –s 9.9.9.9 -j DROP

7. To allow a ping from outside to inside/inside to outside, type:

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

Use Linux iptables to Manage IPv4 Traffic

The iptables Command

Many options can be used with the iptables command. As stated above, iptables sets the rules that control network traffic. You can define different tables to handle these rules through chains, lists of rules that match a subset of packets. The table contains a variety of built-in chains, but you can add your own.

Basic iptables Parameters and Syntax

Before we begin creating rules, let’s review the syntax of an iptables rule.

For example, the following command adds a rule to the beginning of the chain that will drop all packets from the address 198.51.100.0:

iptables -I INPUT -s 198.51.100.0 -j DROP

The sample command above:

  1. Calls the iptables program
  2. Uses the -I option for insertion. Using a rule with the insertion option will add it to the beginning of a chain and will be applied first. To indicate a specific placement in the chain, you may also use a number with the -I option.
  3. The -s parameter, along with the IP address (198.51.100.0), indicates the source.
  4. Finally, the -j parameter stands for jump. It specifies the target of the rule and what action will be performed if the packet is a match.
ParameterDescription
-p, --protocolThe protocol, such as TCP, UDP, etc.
-s, --sourceCan be an address, network name, hostname, etc.
-d, --destinationAn address, hostname, network name, etc.
-j, --jumpSpecifies the target of the rule; i.e. what to do if the packet matches.
-g, --goto chainSpecifies that the processing will continue in a user-specified chain.
-i, --in-interfaceNames the interface from where packets are received.
-o, --out-interfaceName of the interface by which a packet is being sent.
-f, --fragmentThe rule will only be applied to the second and subsequent fragments of fragmented packets.
-c, --set-countersEnables the admin to initialize the packet and byte counters of a rule.

Default Tables

Tables are made up of built-in chains and may also contain user-defined chains. The built-in tables will depend on the kernel configuration and the installed modules.

The default tables are as follows:

  • Filter – This is the default table. Its built-in chains are:
    • Input: packets going to local sockets
    • Forward: packets routed through the server
    • Output: locally generated packets
  • Nat – When a packet creates a new connection, this table is used. Its built-in chains are:
    • Prerouting: designating packets when they come in
    • Output: locally generated packets before routing takes place
    • Postrouting: altering packets on the way out
  • Mangle – Used for special altering of packets. Its chains are:
    • Prerouting: incoming packets
    • Postrouting: outgoing packets
    • Output: locally generated packets that are being altered
    • Input: packets coming directly into the server
    • Forward: packets being routed through the server
  • Raw – Primarily used for configuring exemptions from connection tracking. The built-in chains are:
    • Prerouting: packets that arrive by the network interface
    • Output: processes that are locally generated
  • Security – Used for Mandatory Access Control (MAC) rules. After the filter table, the security table is accessed next. The built-in chains are:
    • Input: packets entering the server
    • Output: locally generated packets
    • Forward: packets passing through the server

Basic iptables Options

There are many options that may be used with the iptables command:

OptionDescription
-A --appendAdd one or more rules to the end of the selected chain.
-C --checkCheck for a rule matching the specifications in the selected chain.
-D --deleteDelete one or more rules from the selected chain.
-F --flushDelete all the rules one-by-one.
-I --insertInsert one or more rules into the selected chain as the given rule number.
-L --listDisplay the rules in the selected chain.
-n --numericDisplay the IP address or hostname and post number in numeric format.
-N --new-chain <name>Create a new user-defined chain.
-v --verboseProvide more information when used with the list option.
-X --delete-chain <name>Delete the user-defined chain.

Insert, Replace or Delete iptables Rules

iptables rules are enforced top down, so the first rule in the ruleset is applied to traffic in the chain, then the second, third and so on. This means that rules cannot necessarily be added to a ruleset with iptables -A or ip6tables -A. Instead, rules must be inserted with iptables -I or ip6tables -I.

Insert

Inserted rules need to be placed in the correct order with respect to other rules in the chain. To get a numerical list of your iptables rules:

sudo iptables -L -nv --line-numbers

For example, let’s say you want to insert a rule into the basic ruleset provided in this guide, that will accept incoming connections to port 8080 over the TCP protocol. We’ll add it as rule 7 to the INPUT chain, following the web traffic rules:

sudo iptables -I INPUT 7 -p tcp --dport 8080 -m state --state NEW -j ACCEPT

If you now run sudo iptables -L -nv again, you’ll see the new rule in the output.

Replace

Replacing a rule is similar to inserting, but instead uses iptables -R. For example, let’s say you want to reduce the logging of denied entries to only 3 per minute, down from 5 in the original ruleset. The LOG rule is ninth in the INPUT chain:

sudo iptables -R INPUT 9 -m limit --limit 3/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7

Delete

Deleting a rule is also done using the rule number. For example, to delete the rule we just inserted for port 8080:

sudo iptables -D INPUT 7

Caution

Editing rules does not automatically save them. See our section on deploying rulesets for the specific instructions for your distribution.

View Your Current iptables Rules

IPv4:

sudo iptables -L -nv

IPv6:

sudo ip6tables -L -nv

On most distributions, iptables has no default rules for either IPv4 and IPv6. As a result, on a newly created Linode you will likely see what is shown below – three empty chains without any firewall rules. This means that all incoming, forwarded and outgoing traffic is allowed. It’s important to limit inbound and forwarded traffic to only what’s necessary.

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Configure iptables

iptables can be configured and used in a variety of ways. The following sections will outline how to configure rules by port and IP, as well as how to blacklist (block) or whitelist (allow) addresses.

Block Traffic by Port

You may use a port to block all traffic coming in on a specific interface. For example:

iptables -A INPUT -j DROP -p tcp --destination-port 110 -i eth0

Let’s examine what each part of this command does:

  • -A will add or append the rule to the end of the chain.
  • INPUT will add the rule to the table.
  • DROP means the packets are discarded.
  • -p tcp means the rule will only drop TCP packets.
  • --destination-port 110 filters packets targeted to port 110.
  • -i eth0 means this rule will impact only packets arriving on the eth0 interface.

It is important to understand that iptables do not recognize aliases on the network interface. Therefore, if you have several virtual IP interfaces, you will have to specify the destination address to filter the traffic. A sample command is provided below:

iptables -A INPUT -j DROP -p tcp --destination-port 110 -i eth0 -d 198.51.100.0

You may also use -D or --delete to remove rules. For example, these commands are equivalent:

iptables --delete INPUT -j DROP -p tcp --destination-port 110 -i eth0 -d 198.51.100.0
iptables -D INPUT -j DROP -p tcp --destination-port 110 -i eth0 -d 198.51.100.0

Drop Traffic from an IP

In order to drop all incoming traffic from a specific IP address, use the iptables command with the following options:

iptables -I INPUT -s 198.51.100.0 -j DROP

To remove these rules, use the --delete or -D option:

iptables --delete INPUT -s 198.51.100.0 -j DROP
iptables -D INPUT -s 198.51.100.0 -j DROP

Block or Allow Traffic by Port Number to Create an iptables Firewall

One way to create a firewall is to block all traffic to the system and then allow traffic on certain ports. Below is a sample sequence of commands to illustrate the process:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -m comment --comment "Allow loopback connections" -j ACCEPT
iptables -A INPUT -p icmp -m comment --comment "Allow Ping to work as expected" -j ACCEPT
iptables -A INPUT -p tcp -m multiport --destination-ports 22,25,53,80,443,465,5222,5269,5280,8999:9003 -j ACCEPT
iptables -A INPUT -p udp -m multiport --destination-ports 53 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

Let’s break down the example above. The first two commands add or append rules to the INPUT chain in order to allow access on specific ports. The -p tcp and -p udp options specify either UDP or TCP packet types. The -m multiport function matches packets on the basis of their source or destination ports, and can accept the specification of up to 15 ports. Multiport also accepts ranges such as 8999:9003 which counts as 2 of the 15 possible ports, but matches ports 8999, 9000, 9001, 9002, and 9003. The next command allows all incoming and outgoing packets that are associated with existing connections so that they will not be inadvertently blocked by the firewall. The final two commands use the -P option to describe the default policy for these chains. As a result, all packets processed by INPUT and FORWARD will be dropped by default.

Note that the rules described above only control incoming packets, and do not limit outgoing connections.

Whitelist/Blacklist Traffic by Address

You can use iptables to block all traffic and then only allow traffic from certain IP addresses. These firewall rules limit access to specific resources at the network layer. Below is an example sequence of commands:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -m comment --comment "Allow loopback connections" -j ACCEPT
iptables -A INPUT -p icmp -m comment --comment "Allow Ping to work as expected" -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -s 198.51.100.0 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

In the first command, the -s 192.168.1.0/24 statement specifies that all source IPs (-s) in the address space of 192.168.1 are allowed. You may specify an IP address range using CIDR (Classless Inter-Domain Routing) notation, or individual IP addresses, as in the second command. The third command allows all incoming and outgoing packets that are associated with existing connections. The final two commands set the default policy for all INPUT and FORWARD chains to drop all packets.

Use ip6tables to Manage IPv6 Traffic

When you’re working with IPv6, remember that the iptables command is not compatible. Instead, there is an ip6tables command. The options such as append, check, etc. are the same. The tables used by ip6tables are raw, security, mangle and filter. The parameters such as protocol, source, etc. are the same. The syntax is essentially the same as IPv4. Sample syntax is below:

ip6tables [-t table] -N chain

To view what rules are configured for IPv6, use the command:

ip6tables -L

Configure Rules for IPv6

ip6tables works by using ports, specific addresses for blacklisting, protocols and so forth. The primary difference is that ip6tables can use extended packet matching modules with the -m or match options, followed by the module name. Below are some of the extended modules:

  • addrtype – Matches packets based on their address type. Some of the address types are:
    • Local
    • Unicast
    • Broadcast
    • Multicast
  • ah – Matches the parameters in the authentication header of IPsec packets.
  • cluster – You can deploy gateway and backend load-sharing clusters without a load balancer.
  • comment – Allows you to add a comment to any rule.
  • connbytes – Matches by how many bytes or packets a connection has transferred, or average bytes per packet.

This is not intended to be a complete or comprehensive list. You may review the full list of extended modules by using the man page:

man ip6tables

Below is a sample rule used in ip6tables:

# limit the number of parallel HTTP requests to 16 for the link local network
ip6tables -A INPUT -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above 16 --connlimit-mask 64 -j REJECT
ip6tables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

This rule breaks down as follows:

  • The first line is a comment.
  • -A is for append.
  • INPUT is to add the rule to the table.
  • -p is for protocol, which is TCP.
  • --syn only matches TCP packets with the SYN bit set and the ACK, RST, and FIN bits cleared.
  • --dport is the destination port, which is 80.
  • -s is the source, which is the local address range fe80::/64.
  • -m is for match.
  • connlimit is the extended packet module name, which is connection limit.
  • --connlimit-above 16 means if the number of connections exceeds 16, only the first 16 will be used.
  • --connlimit-mask 64 means the group hosts are using a prefix length of 64.
  • -j is for jump, it tells the target of the rule what to do if the packet is a match.
  • REJECT means the packet is dropped.

Required Rules for Non-Static IPv6 Allocations

# Below are the rules which are required for your IPv6 address to be properly allocated
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT

Basic iptables Rulesets for IPv4 and IPv6

Appropriate firewall rules depend on the services being run. Below are iptables rulesets to secure your Linode if you’re running a web server.

Caution

These rules are given only as an example. A real production web server may require more or less configuration, and these rules would not be appropriate for a database, Minecraft or VPN server. Iptables rules can always be modified or reset later, but these basic rulesets serve as a demonstration.

IPv4

/tmp/v4
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
*filter

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT

# Allow ping.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT

# Allow SSH connections.
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere
# (the normal ports for web servers).
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Allow inbound traffic from established connections.
# This includes ICMP error returns.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log what was incoming but denied (optional but useful).
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7

# Reject all other inbound.
-A INPUT -j REJECT

# Log any traffic that was sent to you
# for forwarding (optional but useful).
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7

# Reject all traffic forwarding.
-A FORWARD -j REJECT

COMMIT

Optional: If you plan to use Longview or Linux’s NodeBalancers, add the respective rule after the section for allowing HTTP and HTTPS connections:

# Allow incoming Longview connections from longview.linode.com
-A INPUT -s 96.126.119.66 -m state --state NEW -j ACCEPT

# Allow incoming NodeBalancer connections
-A INPUT -s 192.168.255.0/24 -m state --state NEW -j ACCEPT

IPv6

If you would like to supplement your web server’s IPv4 rules with IPv6 as well, this ruleset will allow HTTP/S access and all ICMP functions.

/tmp/v6
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
*filter

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s ::1/128 -j REJECT

# Allow ICMP
-A INPUT -p icmpv6 -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere
# (the normal ports for web servers).
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Allow inbound traffic from established connections.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log what was incoming but denied (optional but useful).
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables_INPUT_denied: " --log-level 7

# Reject all other inbound.
-A INPUT -j REJECT

# Log any traffic that was sent to you
# for forwarding (optional but useful).
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "ip6tables_FORWARD_denied: " --log-level 7

# Reject all traffic forwarding.
-A FORWARD -j REJECT

COMMIT

Note

APT attempts to resolve mirror domains to IPv6 as a result of apt-get update. If you choose to entirely disable and deny IPv6, this will slow down the update process for Debian and Ubuntu because APT waits for each resolution to time out before moving on.

To remedy this, uncomment the line precedence ::ffff:0:0/96 100 in /etc/gai.conf.

Deploy Your iptables Rulesets

The process for deploying iptables rulesets varies depending on which Linux distribution you’re using:

Debian / Ubuntu

UFW is the iptables controller included with Ubuntu, but it is also available in Debian’s repositories. If you prefer to use UFW instead of iptables, see our guide: How to Configure a Firewall with UFW.

  1. Create the files /tmp/v4 and /tmp/v6. Paste the above rulesets into their respective files.
  2. Import the rulesets into immediate use:
    sudo iptables-restore < /tmp/v4
    sudo ip6tables-restore < /tmp/v6
    
  3. To apply your iptables rules automatically on boot, see our section on configuring iptables-persistent.

CentOS / Fedora

CentOS 7 or Fedora 20 and above

In these distros, FirewallD is used to implement firewall rules instead of using the iptables command. If you prefer to use it over iptables, see our guide: Introduction to FirewallD on CentOS.

  1. If you prefer to use iptables, FirewallD must first be stopped and disabled.
    sudo systemctl stop firewalld.service && sudo systemctl disable firewalld.service
    
  2. Install iptables-services and enable iptables and ip6tables:
    sudo yum install iptables-services
    sudo systemctl enable iptables && sudo systemctl enable ip6tables
    sudo systemctl start iptables && sudo systemctl start ip6tables
    
  3. Create the files /tmp/v4 and /tmp/v6. Paste the rulesets above into their respective files.
  4. Import the rulesets into immediate use:
    sudo iptables-restore < /tmp/v4
    sudo ip6tables-restore < /tmp/v6
    
  5. Save each ruleset:
    sudo service iptables save
    sudo service ip6tables save
    
  6. Remove the temporary rule files:
    sudo rm /tmp/{v4,v6}
    

CentOS 6

  1. Create the files /tmp/v4 and /tmp/v6. Paste the rulesets above into their respective files.
  2. Import the rules from the temporary files:
    sudo iptables-restore < /tmp/v4
    sudo ip6tables-restore < /tmp/v6
    
  3. Save the rules:
    sudo service iptables save
    sudo service ip6tables save
    

    Note

    Firewall rules are saved to /etc/sysconfig/iptables and /etc/sysconfig/ip6tables.
  4. Remove the temporary rule files:
    sudo rm /tmp/{v4,v6}
    

Arch Linux

  1. Create the files /etc/iptables/iptables.rules and /etc/iptables/ip6tables.rules. Paste the rulesets above into their respective files.
  2. Import the rulesets into immediate use:
    sudo iptables-restore < /etc/iptables/iptables.rules
    sudo ip6tables-restore < /etc/iptables/ip6tables.rules
    
  3. iptables does not run by default in Arch. Enable and start the systemd units:
    sudo systemctl start iptables && sudo systemctl start ip6tables
    sudo systemctl enable iptables && sudo systemctl enable ip6tables
    

    For more info on using iptables in Arch, see its Wiki entries for iptables and a simple stateful firewall.

Verify iptables Rulesets

Check your Linode’s firewall rules with the v option for a verbose output:

sudo iptables -vL
sudo ip6tables -vL

The output for IPv4 rules should show:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 REJECT     all  --  !lo    any     loopback/8           anywhere             reject-with icmp-port-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh state NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http state NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https state NEW
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables_INPUT_denied: "
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables_FORWARD_denied: "
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Output for IPv6 rules will look like this:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      lo     any     anywhere             anywhere
    0     0 REJECT     all      !lo    any     localhost            anywhere             reject-with icmp6-port-unreachable
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere
    0     0 ACCEPT     tcp      any    any     anywhere             anywhere             tcp dpt:http state NEW
    0     0 ACCEPT     tcp      any    any     anywhere             anywhere             tcp dpt:https state NEW
    0     0 ACCEPT     all      any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 LOG        all      any    any     anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "ip6tables_INPUT_denied: "
    0     0 REJECT     all      any    any     anywhere             anywhere             reject-with icmp6-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all      any    any     anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "ip6tables_FORWARD_denied: "
    0     0 REJECT     all      any    any     anywhere             anywhere             reject-with icmp6-port-unreachable

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Your firewall rules are now in place and protecting your Linode. Remember, you may need to edit these rules later if you install other packages that require network access.

Introduction to iptables-persistent

Ubuntu and Debian have a package called iptables-persistent that makes it easy to reapply your firewall rules at boot time. After installation, you can save all your rules in two files (one for IPv4 and one for IPv6). If you’ve already configured and applied iptables rules, iptables-persistent will detect them automatically and allow you to add them to the appropriate configuration file.

Install iptables-persistent

On Debian or Ubuntu use the following command to check whether iptables-persistent is already installed:

dpkg -l iptables-persistent

If dpkg returns that there are no matching packages, you will need to install the iptables-persistent package:

apt-get install iptables-persistent

During the installation, you will be prompted twice. The first prompt is asking if you would like to save your current IPv4 rules.

 

The second prompt is to save the rules configured for IPv6.

 

After the install is complete, you should see the iptables’s subdirectory. Run the ls /etc/iptables command again to verify that your output resembles the following:

rules.v4  rules.v6

Use iptables-persistent

To view what rules are already configured on your server:

iptables -L

You should see output similar to:

Chain INPUT (policy ACCEPT)
target      prot opt source         destination
DROP        all  --  198.51.100.0    anywhere

Chain FORWARD (policy ACCEPT)
target      prot opt source         destination

CHAIN OUTPUT (policy ACCEPT)
target      prot opt source         destination

The rules above allow anyone anywhere access to everything. If your output resembles this, you’ll need to set rules that prevent unauthorized access.

iptables-persistent Rules

Use the rules.v4 or rules.v6 files to add, delete or edit the rules for your server. These files can be edited using a text editor to function as a proxy, NAT or firewall. The configuration depends on the requirements of your server and what functions are needed. Below is a file excerpt from both the rules.v4 and rules.v6 files:

/etc/iptables/rules.v4
1
2
3
4
5
6
# Generated by iptables-save v1.4.14 on Wed Apr  2 13:24:27 2014
*security
:INPUT ACCEPT [18483:1240117]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [17288:2887358]
COMMIT
/etc/iptables/rules.v6
1
2
3
4
5
6
7
# Generated by ip6tables-save v1.4.14 on Wed Apr  2 13:24:27 2014
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [27:2576]
:POSTROUTING ACCEPT [27:2576]
COMMIT

While some rules are configured in these files already, either file can be edited at any time. The syntax for altering table rules is the same as in the sections Configure iptables and Configuring Rules for IPv6.

Save iptables-persistent Rules Through Reboot

By default, iptables-persistent rules save on reboot for IPv4 only. Therefore, if you are running both IPv4 and IPv6 together you will need to manually edit both the rules.v4 and rules.v6 files. On older systems, iptables-save was used to write the changes to the rules file. Now that iptables-persistent is an option, do not use the iptables-save > /etc/iptables/rules.v4 or iptables-save > /etc/iptables/rules.v6 commands as any IPv6 changes will be overwritten by the IPv4 rules.

To enforce the iptables rules and ensure that they persist after reboot run dpkg-reconfigure and respond Yes when prompted. (If you ever edit your saved rules in the future, use this same command to save them again.)

dpkg-reconfigure iptables-persistent

To verify the rules are applied and available after the system reboot use the commands:

iptables -L
ip6tables -L

Network Lock-out

When you’re applying network rules, especially with both IPv4 and IPv6 and multiple interfaces, it is easy to lock yourself out. In the event you apply the rule and are unable to access your server, you may gain access through Lish in the Linode Manager. The following steps will guide you through using the graphical interface of your Linode to gain access to your server:

  1. Connect to your Linode Manager.
  2. Click on the Remote Access tab.
  3. Under the section entitled “Console Access,” click on the Launch Lish Console link.
  4. Login with your root or sudo user name and password.
  5. Remove any rules causing the connectivity issues.
  6. Log out of the Lish window.
  7. Attempt login via a regular SSH session.

This Lish console will function similarly to a regular SSH terminal session.

Troubleshooting: netfilter-persistent doesn’t come back up on reboot.

If you have upgraded to Debian 8 from an earlier version, you may see a situation where netfilter-persistent fails to start during boot when using the Linode kernel. The console output will show similar to:

[FAILED] Failed to start Load Kernel Modules.
See 'systemctl status systemd-modules-load.service' for details.
[DEPEND] Dependency failed for netfilter persistent configuration

You can also use journalctl -xn to see that systemd can not load the loop module:

systemd-modules-load[3452]: Failed to lookup alias 'loop': Function not implemented

To fix this, comment out the line loop in /etc/modules:

sed -i 's/loop/#loop/g' /etc/modules

Then restart netfilter-persistent:

systemctl restart netfilter-persistent

It should then be running fine. Confirm with:

systemctl status netfilter-persistent

This issue does not occur in new deployments of Debian 8 because the loop line isn’t present in /etc/modules.

Read More »