Step 1: Install iptables-persistent package with apt-get command.
# apt-get install iptables-persistent
On the menu, select Yes for the rules.v4 file. The second prompt is about rules.v6 and IPv6 support; choose based on your needs.
Step 2: After the installation is done, go to:
[Replace vim with your favourite editor]
# vim /etc/iptables/rules.v4
Now you can see the existing iptables configuration; in my case, since no rules are set up yet, it contains only the default chain policies and no rules:
# Generated by iptables-save v1.4.14 on Fri Dec 26 20:13:04 2014
*filter
:INPUT ACCEPT [5897:7430402]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1767:169364]
COMMIT
# Completed on Fri Dec 26 20:13:04 2014
Now you can start adding your iptables rules to this file, one per line, just before the COMMIT line. Once you are done, save the file.
I would suggest adding at least the following rule, in order to validate the concept.
-A INPUT -p icmp -m icmp --icmp-type 8 -j REJECT
The above rule filters inbound ICMP type 8 (echo request) traffic and responds with a Destination port unreachable message; it takes effect after you have rebooted the Pi.
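Before rebooting, it is worth checking that the file actually parses: a rules.v4 that iptables-restore rejects (a typical cause is an en dash pasted from a web page where `--icmp-type` was meant) is simply not loaded at boot, and the Pi comes up with the ACCEPT policies shown above. The script below is an added example, not part of the original post or of the iptables-persistent package; the function names and the sample rule list are my own, the file format and the rule are the ones shown above.

```shell
#!/bin/sh
# Added example (not from the original post): build a rules.v4 file in the
# format shown above, with rules placed between the chain policies and COMMIT,
# and sanity-check it before rebooting.
set -eu

# Constructed sample ruleset: the echo-request REJECT rule from the post plus
# a loopback ACCEPT, one rule per line.
RULES='-A INPUT -p icmp -m icmp --icmp-type 8 -j REJECT
-A INPUT -i lo -j ACCEPT'

# write_rules_v4 FILE RULES: write a filter-table rules.v4 with RULES
# inserted just before COMMIT.
write_rules_v4() {
  out="$1"; rules="$2"
  {
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' "$rules"
    echo 'COMMIT'
  } > "$out"
}

# check_rules_v4 FILE: static checks for the usual copy-paste errors.
# Non-ASCII bytes (an en dash pasted in place of "--") and lines that are
# neither comments, table/chain headers, COMMIT nor -A/-I/-N/-P commands
# all make iptables-restore reject the whole file.
check_rules_v4() {
  f="$1"
  grep -q '^COMMIT$' "$f" || { echo "$f: missing COMMIT" >&2; return 1; }
  if LC_ALL=C grep -n '[^[:print:][:space:]]' "$f"; then
    echo "$f: non-ASCII byte in the line above (use -- for options)" >&2
    return 1
  fi
  if grep -vE '^(#|\*|:|COMMIT$|-[AINP] )' "$f" | grep -q .; then
    echo "$f: line that is not a valid iptables-save entry" >&2; return 1
  fi
}

# restore_test FILE: parse-only load with the real parser. Run this as root
# on the Pi once the static checks pass (not run in the demo below).
restore_test() { iptables-restore --test < "$1"; }

# Stand-alone demo: write to a temp file, check it, show the result.
tmp=$(mktemp)
write_rules_v4 "$tmp" "$RULES"
check_rules_v4 "$tmp" && cat "$tmp"
rm -f "$tmp"
```

Run the static checks on /etc/iptables/rules.v4 after editing it, then `iptables-restore --test < /etc/iptables/rules.v4` as root, before issuing the reboot in Step 3.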
Step 3: Ping the device; it should still respond normally. Now reboot the device.
# reboot
After the device is back up, ping it again. This time you should get the “Destination port unreachable” message: the iptables rules have loaded successfully, congratulations. Now, issue:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT icmp -- anywhere anywhere icmp echo-request reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Our rule is the third line of the INPUT chain listing. Now feel free to add the rest of your rules as described in Step 2.
Extra tip: in case you prefer adding rules directly to the running iptables rather than to the file, the following command may be useful:
# /etc/init.d/iptables-persistent save
This command takes the current iptables configuration and saves it to the rules.v4 file.