Secure Your Server with Iptables Firewall
Iptables is a very popular firewall system for Linux that’s been around since the late 1990s. It’s a great way of keeping unwanted traffic away from your server.
In this guide, I’ll explain to you how you can secure your server by dropping all incoming traffic that you haven’t explicitly allowed.
Accept loopback traffic
In order for your server to communicate with itself, you’ll need to accept loopback (127.0.0.1) traffic.
iptables -A INPUT -i lo -p all -j ACCEPT
Accept return traffic
Accept related and established traffic.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Accept incoming connections to specific ports
Open the ports for whatever services you’re running. At a minimum, you’ll need to open up the port for SSH, which is by default on port 22.
Accept SSH connections
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
Accept HTTP connections
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
Accept HTTPS connections
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
Set the policy to drop all incoming traffic that’s not explicitly permitted
iptables -P INPUT DROP
Iptables New Server Template
Here is the template I use for setting up new servers:
# Flush existing rules iptables -F # Accept loopback traffic iptables -A INPUT -i lo -p all -j ACCEPT # Accept return traffic iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Accept SSH & HTTP traffic iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT # Set default INPUT policy to DROP iptables -P INPUT DROP # Set default FORWARD policy to DROP iptables -P FORWARD DROP # Set default OUTPUT policy to ACCEPT iptables -P OUTPUT ACCEPT
Make Iptables Persistent
Everytime that your server is restarted, all of the Iptables rules will be flushed and no longer exist.
One way to make the rules persistent is to use a package called iptables-persistent
apt-get update apt-get install iptables-persistent
Every time that you modify the Iptables rules, if you want to make the changes persist after a reboot, you’ll need to save them.
iptables-save > /etc/iptables/rules.v4
List all of the rules
Flush (delete) all of the rules
Delete specific rule
Start off by listing all of the rules with line numbers.
iptables -L INPUT --line-numbers
Chain INPUT (policy DROP) num target prot opt source destination 1 ACCEPT all -- anywhere anywhere 2 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED 3 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh 4 ACCEPT tcp -- anywhere anywhere tcp dpt:http
In this example, if I wanted to delete the rule which permits HTTP traffic, I’d type:
iptables -D INPUT 4
Accept incoming ping requests
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
Block a specific IP address
iptables -A INPUT -s "IP_ADDRESS_TO_BLOCK" -j DROP
Log dropped connection attempts
iptables -A INPUT -j LOG --log-prefix "IPTABLES-DROPPED:" --log-level 7 iptables -A INPUT -j DROP
Log files will be stored in the following locations:
Ubuntu and Debian: /var/log/kern.log
CentOS/RHEL and Fedora: /var/log/messages
Did you find this guide useful? Are you having trouble and locked out of your server? Let us know in the comments below!