How to Configure iptables Rules for apt-get Updates and Package Downloads on Linux

When your iptables rules drop all OUTPUT traffic by default (-P OUTPUT DROP), apt-get cannot establish new connections to download packages. The current rules only permit:

  • Established connections on port 80 (inbound)
  • Loopback interface traffic

Ubuntu/Debian repositories typically use these protocols:

  • HTTP (TCP 80): Default for most repositories
  • HTTPS (TCP 443): Encrypted package downloads
  • FTP (TCP 21): Some legacy repositories

Add these rules before your final DROP policies:

# Allow DNS resolution (critical for apt)
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --sport 53 -j ACCEPT

# HTTP/HTTPS package downloads
-A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow responses for established connections
-A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

After loading the rules (sudo iptables-restore) and persisting them (sudo netfilter-persistent save), test with:

sudo apt-get update
sudo apt-get install -y netcat-openbsd  # Small test package

For stricter security, whitelist specific repositories:

# Allow only security.debian.org
-A OUTPUT -p tcp -d security.debian.org --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

If downloads still fail after the rules are loaded:

  • Check blocked packets: sudo iptables -vL
  • Test connectivity: curl -I http://archive.ubuntu.com
  • Monitor connections: sudo tcpdump -i any port 80 or port 443

When running sudo apt-get install commands with restrictive iptables rules, you'll encounter connection failures after the confirmation prompt. The error typically looks like:

Failed to fetch http://archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_115.0.3+build1-0ubuntu0.22.04.1_amd64.deb  
  Connection failed [IP: 91.189.91.38 80]

apt-get requires multiple network protocols to function properly:

  • HTTP/HTTPS (ports 80/443) for package downloads
  • DNS resolution (port 53) for repository hostnames
  • Sometimes FTP (port 21) for certain repositories

Here's the complete set of rules that will allow apt-get to work while maintaining security:

# Basic loopback acceptance
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# DNS resolution (UDP)
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT

# HTTP/HTTPS for package downloads
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# ICMP (ping) for network troubleshooting
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
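Both rule listings above (the iptables-restore fragment near the top and the iptables -A commands just shown) accept return traffic by source port, so a packet that merely arrives with source port 53, 80 or 443 is accepted whether or not a connection exists, and the -m state match they use is the legacy spelling of -m conntrack. The whitelist rule with -d security.debian.org has a second limitation: iptables resolves the hostname once, when the rule is loaded, and the rule silently stops matching when the mirror's addresses change. The script below is an added example, not part of this article, that writes a complete iptables-restore file for the same purpose using connection tracking instead. It assumes MIRROR_IPS (a placeholder list of mirror addresses you resolve yourself, empty meaning any host on 80/443), an output path of /tmp/apt-rules.v4 rather than /etc/iptables/rules.v4 so it can be run as a dry run, and an assumed log prefix "IPT-OUT-DROP: " on the rate-limited LOG rule that sits last in each chain.

```shell
#!/bin/sh
# Added example, not part of the article: generate a complete iptables-restore
# file that lets apt-get work under INPUT/OUTPUT DROP policies.
# Choices that differ from the article's snippets:
#  - return traffic is accepted via conntrack ESTABLISHED,RELATED, not by
#    "--sport 53/80/443", so an unsolicited packet with a chosen source port
#    is not accepted automatically;
#  - the file carries "*filter", the policy lines and "COMMIT", which
#    iptables-restore needs and the article's fragment omits;
#  - a rate-limited LOG rule is the last rule of each chain, so whatever the
#    DROP policy discards is visible in the kernel log.
# Assumptions: MIRROR_IPS is a placeholder list of mirror addresses you have
# resolved yourself (empty = any destination on 80/443); OUTFILE defaults to
# /tmp/apt-rules.v4 rather than /etc/iptables/rules.v4 so this is a dry run.

MIRROR_IPS="${MIRROR_IPS:-}"              # e.g. "192.0.2.10 192.0.2.11" (constructed)
OUTFILE="${OUTFILE:-/tmp/apt-rules.v4}"

gen_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT DROP [0:0]'
    # loopback: local resolvers and apt proxies talk over lo
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    # one stateful rule per chain replaces every "--sport" rule
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # DNS first: apt resolves the mirror name before any HTTP request;
    # TCP 53 covers answers too large for a UDP reply
    printf '%s\n' '-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT'
    printf '%s\n' '-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT'
    # package downloads: pinned mirror addresses if given, else any host
    if [ -n "$MIRROR_IPS" ]; then
        for ip in $MIRROR_IPS; do
            printf '%s\n' "-A OUTPUT -p tcp -d $ip -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT"
        done
    else
        printf '%s\n' '-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT'
    fi
    # log (rate-limited) what the DROP policy is about to discard
    printf '%s\n' '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-OUT-DROP: " --log-level 4'
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-IN-DROP: " --log-level 4'
    printf '%s\n' 'COMMIT'
}

# number of rules that open NEW outbound connections: a quick check that the
# ruleset is as narrow as intended (3 when no mirrors are pinned)
count_new_rules() {
    gen_rules | grep -c -- '--ctstate NEW'
}

gen_rules > "$OUTFILE"
# parse-check without touching the live ruleset; the real load is
# "iptables-restore < $OUTFILE" as root, followed by "netfilter-persistent save"
if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
    if iptables-restore --test < "$OUTFILE"; then
        echo "ruleset parses: $OUTFILE"
    else
        echo "iptables-restore rejected $OUTFILE" >&2
    fi
else
    echo "wrote $OUTFILE; validate with: iptables-restore --test < $OUTFILE (as root)"
fi
```

Run it once with MIRROR_IPS unset to get the permissive variant, then with MIRROR_IPS="..." set to the addresses of your mirrors to get the pinned one; the ESTABLISHED,RELATED rules stay the same in both, and only the NEW rules change, which is what count_new_rules reports.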

To save these rules permanently on Ubuntu/Debian:

sudo apt-get install iptables-persistent
sudo netfilter-persistent save
sudo netfilter-persistent reload

Verify your rules work with:

sudo iptables -L -v -n
sudo apt-get update
sudo apt-get install -y net-tools

If apt-get still cannot fetch packages:

  • Check /var/log/syslog for blocked packets
  • Use sudo iptables -L -v -n to monitor rule hits
  • Temporarily enable logging with iptables -A OUTPUT -j LOG for debugging
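Reading those LOG lines by hand gets tedious once apt is talking to several mirrors. The script below is an added example, not from the article: it tallies what the OUTPUT DROP policy is discarding per destination and port and drafts the ACCEPT rule each entry would need. It assumes the LOG rule carries the prefix "IPT-OUT-DROP: " (the article's iptables -A OUTPUT -j LOG uses no prefix; add --log-prefix "IPT-OUT-DROP: " for the filter below to match), and that the kernel log is readable from /var/log/syslog, or from journalctl -k on systemd hosts where that file is absent. The log excerpt embedded in the script is constructed with TEST-NET addresses so it runs offline; point summarize_drops at the real log in use.

```shell
#!/bin/sh
# Added example, not part of the article: tally what the OUTPUT DROP policy
# is discarding and draft the ACCEPT rule each entry would need.
# Assumptions: the last OUTPUT rule before the policy is
#   -A OUTPUT -j LOG --log-prefix "IPT-OUT-DROP: "
# (the prefix is assumed; the article's LOG rule has none), and the kernel
# log is at /var/log/syslog or available via "journalctl -k". The sample
# below is constructed, with TEST-NET addresses, to stand in for that log.

SAMPLE_LOG="${TMPDIR:-/tmp}/ipt-sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
Jun  5 10:12:01 host kernel: [ 1234.567890] IPT-OUT-DROP: IN= OUT=eth0 SRC=192.0.2.50 DST=192.0.2.53 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=50001 DPT=53 LEN=53
Jun  5 10:12:01 host kernel: [ 1234.568001] IPT-OUT-DROP: IN= OUT=eth0 SRC=192.0.2.50 DST=192.0.2.53 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=50002 DPT=53 LEN=53
Jun  5 10:12:03 host kernel: [ 1236.100000] IPT-OUT-DROP: IN= OUT=eth0 SRC=192.0.2.50 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=41234 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  5 10:12:04 host sshd[1234]: Accepted publickey for alice from 192.0.2.7 port 51000 ssh2
Jun  5 10:12:04 host kernel: [ 1237.100000] IPT-OUT-DROP: IN= OUT=eth0 SRC=192.0.2.50 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=41235 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  5 10:12:06 host kernel: [ 1239.100000] IPT-OUT-DROP: IN= OUT=eth0 SRC=192.0.2.50 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=41236 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  5 10:12:07 host kernel: [ 1240.100000] IPT-OUT-DROP: IN= OUT=eth0 SRC=192.0.2.50 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=41237 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  5 10:12:08 host kernel: [ 1241.100000] IPT-OUT-DROP: IN= OUT=eth0 SRC=192.0.2.50 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=ICMP TYPE=8 CODE=0 ID=100 SEQ=1
EOF

# summarize_drops FILE: one line "<count> <proto> <dst>:<dport>" per distinct
# destination, most frequent first; only lines with the LOG prefix count
summarize_drops() {
    awk '
    /IPT-OUT-DROP:/ {
        dst = ""; proto = "?"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^DST=/)   dst   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)   # absent for ICMP
        }
        if (dst != "") hits[proto " " dst ":" dpt]++
    }
    END { for (k in hits) printf "%d %s\n", hits[k], k }
    ' "$1" | sort -rn
}

# suggest_rules FILE: a candidate ACCEPT rule per TCP/UDP entry, to be
# compared against your intended mirror list before loading; ICMP and
# anything without a port is skipped
suggest_rules() {
    summarize_drops "$1" | while read -r count proto dest; do
        ip=${dest%:*}
        port=${dest##*:}
        case $proto in
            TCP) p=tcp ;;
            UDP) p=udp ;;
            *)   continue ;;
        esac
        printf '%s\n' "-A OUTPUT -p $p -d $ip --dport $port -m conntrack --ctstate NEW -j ACCEPT   # $count drops logged"
    done
}

echo "== dropped outbound connections =="
summarize_drops "$SAMPLE_LOG"
echo "== candidate rules (review before loading) =="
suggest_rules "$SAMPLE_LOG"
```

On the sample, the top entry is the repeated SYN to 192.0.2.10:80 followed by the two DNS queries, which is the usual signature of a DROP policy with no DNS rule: apt resolves the mirror, fails, and retries. The candidate rules are per address and port; whether to keep them that narrow or widen to -m multiport --dports 80,443 without -d is a policy decision for the host, not something the log can decide.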