Sunday, February 25, 2018

An example Iptables rules file for your Raspberry Pi (and have it applied after each reboot)

Having an Iptables firewall rule set applied on Raspbian/Debian is fairly easy. I'm trying to build something that is easy to manage, has a certain degree of default security applied, yet can easily be applied onto several Raspberry Pi devices.
When adding rules to your running Iptables, they are lost each time you reboot or restart your firewall. So, I'm trying to overcome that.

First, let's start with my basic rule set file, which is built around a number of services that I need on my Raspberry Pi:

  • SSH server
  • OpenVPN server
  • HTTP(S) server
  • DNS server
  • Samba server
  • Transmission server
Of course, you can add and customize as much as you want, but here's my example iptables.rules.v4 file:

# Generated by iptables-save v1.6.0 on Sun Feb 18 13:27:56 2018
*nat
:PREROUTING ACCEPT [485:82476]
:INPUT ACCEPT [24:2229]
:OUTPUT ACCEPT [192:15907]
:POSTROUTING ACCEPT [192:15907]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -m comment --comment "Allow OpenVPN routing from source 10.8.0.0 to eth0" -j MASQUERADE
COMMIT
# Completed on Sun Feb 18 13:27:56 2018
# Generated by iptables-save v1.6.0 on Sun Feb 18 13:27:56 2018
*filter
:INPUT DROP [67:11459]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [687:299583]
:f2b-openvpn - [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m comment --comment "Block null packets" -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m comment --comment "Block a syn-flood attack" -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m comment --comment "Block Xmas packets" -j DROP
# localhost
-A INPUT -i lo -m comment --comment "Allow localhost traffic" -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 4711:4720 -m comment --comment "TODO" -j ACCEPT
# Established connections
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "Allow all established inbound connections" -j ACCEPT
# DNS server
-A INPUT -p udp -m udp --dport 53 -m comment --comment "Allow DNS to this host from anywhere" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m comment --comment "Allow DNS to this host from anywhere" -j ACCEPT
# OpenVPN server
-A INPUT -p tcp -m multiport --dports 1194 -m comment --comment "Allow OpenVPN to this host from anywhere" -j f2b-openvpn
# SSH server
-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "Allow SSH to this host from anywhere" -j f2b-sshd
-A INPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "Allow ping to this host from anywhere" -j ACCEPT
# HTTP server
-A INPUT -p tcp -m tcp --dport 80 -m comment --comment "Allow HTTP to this host from anywhere" -j ACCEPT
# SSLH multiplexer
-A INPUT -p tcp -m tcp --dport 443 -m comment --comment "Allow HTTPS to this host from anywhere" -j ACCEPT
# SSH server
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "Allow SSH to this host from anywhere" -j ACCEPT
# Samba server
-A INPUT -p tcp -m multiport --dports 139,445 -m comment --comment "Allow Samba to this host from anywhere" -j ACCEPT
-A INPUT -p udp -m multiport --dports 137,138 -m comment --comment "Allow Samba to this host from anywhere" -j ACCEPT
# Transmission server
-A INPUT -p tcp -m tcp --dport 9091 -m comment --comment "Allow Transmission to this host from anywhere" -j ACCEPT
# Reject rules
-A INPUT -m comment --comment "Reject all other inbound traffic, unless specified" -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m comment --comment "Reject all other inbound traffic, unless specified" -j REJECT --reject-with icmp-port-unreachable
-A f2b-openvpn -j RETURN
-A f2b-sshd -j RETURN
COMMIT
# Completed on Sun Feb 18 13:27:56 2018

If you want to be more specific in the rules (e.g. SSH access), you can easily add a source IP to the rule to further limit access.

# SSH server
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m comment --comment "Allow SSH to this host from 192.168.1.0/24 only" -j ACCEPT
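Because almost every rule above accepts "from anywhere", it helps to see at a glance which ports the file really exposes. Here is a small Python audit script I'm adding as an example (it is not part of the rules file or of any iptables tool): it parses the iptables-save format and lists the ports accepted from any source, skipping loopback-only rules and rules restricted with -s like the one above. The rules embedded in it are a constructed excerpt of my rule set.

```python
"""Audit an iptables-save rules.v4 file: list every INPUT rule that opens a
port and flag those reachable from any source. Added example, not from the
original post; SAMPLE_RULES is a constructed excerpt of the rule set above."""
import shlex
from collections import namedtuple

SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -p tcp -m tcp --dport 4711:4720 -m comment --comment "TODO" -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m comment --comment "Allow DNS" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 139,445 -m comment --comment "Allow Samba" -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m comment --comment "Allow SSH" -j ACCEPT
-A INPUT -m comment --comment "Reject the rest" -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# source/iface are "any" when the rule carries no -s / -i; ports stay as written
# in the rule ("53", "139", or a range such as "4711:4720").
Exposure = namedtuple("Exposure", "proto ports source iface target comment")

def parse_rule(line):
    """Return an Exposure for an '-A INPUT' rule that opens ports, else None."""
    argv = shlex.split(line)          # honours the quoted --comment strings
    if argv[:2] != ["-A", "INPUT"]:
        return None
    opts = {"-p": "", "-s": "any", "-i": "any", "-j": "", "--comment": ""}
    ports, i = [], 2
    while i < len(argv):
        tok = argv[i]
        if tok in ("--dport", "--dports"):
            ports, i = argv[i + 1].split(","), i + 2
        elif tok in opts:
            opts[tok], i = argv[i + 1], i + 2
        else:
            i += 1                    # "-m tcp", "!", "--tcp-flags ..." etc. carry no port
    if not ports or opts["-j"] in ("DROP", "REJECT"):
        return None
    return Exposure(opts["-p"], ports, opts["-s"], opts["-i"], opts["-j"], opts["--comment"])

def audit(rules_text):
    """All port-opening INPUT rules in the file, in order."""
    return [e for e in map(parse_rule, rules_text.splitlines()) if e is not None]

def world_open(rules_text):
    """(proto, port) pairs accepted from any address on a non-loopback interface."""
    return [(e.proto, p) for e in audit(rules_text)
            if e.source == "any" and e.iface != "lo" for p in e.ports]
```

Feed it your real file with `world_open(open("/etc/iptables/rules.v4").read())` and compare the list with the services you actually meant to expose (the Samba ports in particular are rarely something you want reachable from anywhere).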

We will now save this file, so that Iptables can use it after each reboot or restart.
  1. Make yourself root:
    sudo -i
  2. Go to the Iptables folder:
    cd /etc/iptables/
  3. Create a backup of the default rule set:
    cp -rp rules.v4 rules.v4.ori
  4. Edit the rules.v4 file with vi, remove all entries and paste the rule set listed above:
    vi rules.v4
  5. List your current Iptables rules:
    iptables -L
  6. Import the new rule set:
    iptables-restore < /etc/iptables/rules.v4
  7. List your Iptables rules again and you should see the new rule set applied:
    iptables -L
  8. Make the rules survive a reboot by creating this pre-up file:
    vi /etc/network/if-pre-up.d/iptables
  9. Add this content to the file:
    #!/bin/sh
    /sbin/iptables-restore < /etc/iptables/rules.v4
  10. Make the file executable:
    chmod +x /etc/network/if-pre-up.d/iptables
  11. Reboot to test
If you later want to add or change rules, you can edit your rules.v4 file, or add them on the command line to your running configuration. Adding them to your rules.v4 file makes them persist. In the latter case, you have to dump the running configuration into your rules.v4 file by running:
iptables-save > /etc/iptables/rules.v4
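Step 6 above is the moment a typo in the SSH rule can lock you out of a headless Pi. As an added example (my own wrapper, not part of iptables or Raspbian), here is a small script that checks the file first, keeps a copy of the running rules, applies the new set and rolls back automatically unless you type "yes" within a grace period. The `check`/`apply` subcommands and the 60-second default are my own choices.

```shell
#!/bin/sh
# Activate a new rules.v4 on a headless Pi without locking yourself out:
# check the file, snapshot the running rules, apply, and roll back automatically
# unless you confirm within a grace period. Added example, not from the post.

RULES=${RULES:-/etc/iptables/rules.v4}
GRACE=${GRACE:-60}          # seconds you have to type "yes" after the rules go live

# Static check that needs no root: every *table block must be closed by COMMIT.
rules_file_sane() {
    awk '/^\*/      { if (open) bad = 1; open = 1 }
         /^COMMIT$/ { if (!open) bad = 1; open = 0 }
         END        { if (bad || open) exit 1 }' "$1"
}

apply_with_rollback() {
    rules_file_sane "$RULES" || { echo "$RULES: unbalanced *table/COMMIT" >&2; return 1; }
    # --test parses and builds the rule set without committing it to the kernel
    iptables-restore --test < "$RULES" || { echo "$RULES: rejected by iptables-restore" >&2; return 1; }
    backup=$(mktemp) || return 1
    iptables-save > "$backup"
    iptables-restore < "$RULES" || { iptables-restore < "$backup"; return 1; }
    # Watchdog: if nobody answers (e.g. the SSH session just died), restore the old rules.
    ( sleep "$GRACE"; iptables-restore < "$backup"; echo "rolled back to previous rules" ) &
    watchdog=$!
    printf 'New rules are live. Type yes within %ss to keep them: ' "$GRACE"
    read answer
    if [ "$answer" = "yes" ]; then
        kill "$watchdog" 2>/dev/null
        echo "kept; they persist only if $RULES is the file your pre-up hook loads"
    else
        wait "$watchdog"
    fi
}

case "${1:-}" in
    check) rules_file_sane "${2:-$RULES}" ;;
    apply) apply_with_rollback ;;
esac
```

Run `sh apply-rules.sh check` as a normal user to validate the file, and `sudo sh apply-rules.sh apply` from your SSH session to activate it.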
