Secure Your Server with Iptables Firewall

Iptables is a very popular firewall system for Linux that’s been around since the late 1990s. It’s a great way of keeping unwanted traffic away from your server.

In this guide, I’ll explain to you how you can secure your server by dropping all incoming traffic that you haven’t explicitly allowed.

The Rules

Accept loopback traffic

In order for services on your server to talk to each other locally, you'll need to accept traffic on the loopback interface (lo, address 127.0.0.1).

iptables -A INPUT -i lo -p all -j ACCEPT

Accept return traffic

Accept related and established traffic.

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Accept incoming connections to specific ports

Open the ports for whatever services you're running. At a minimum, you'll need to open up the port for SSH, which listens on port 22 by default. The rules below use -I, which inserts the rule at the top of the INPUT chain; the template further down uses -A, which appends it to the end.

Accept SSH connections

iptables -I INPUT -p tcp --dport 22 -j ACCEPT

Accept HTTP connections

iptables -I INPUT -p tcp --dport 80 -j ACCEPT

Accept HTTPS connections

iptables -I INPUT -p tcp --dport 443 -j ACCEPT

Drop policy

Set the default policy of the INPUT chain to drop all incoming traffic that's not explicitly permitted by one of the rules above.

iptables -P INPUT DROP

Iptables New Server Template

Here is the template I use for setting up new servers:

# Flush existing rules
iptables -F

# Accept loopback traffic
iptables -A INPUT -i lo -p all -j ACCEPT

# Accept return traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept SSH & HTTP traffic
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Set default INPUT policy to DROP
iptables -P INPUT DROP

# Set default FORWARD policy to DROP
iptables -P FORWARD DROP

# Set default OUTPUT policy to ACCEPT
iptables -P OUTPUT ACCEPT

Make Iptables Persistent

Every time your server is restarted, all of the Iptables rules are lost: they live only in the running kernel, not on disk.

One way to make the rules persistent is to use a package called iptables-persistent, which reloads a saved rule file at boot.

apt-get update
apt-get install iptables-persistent

Every time you modify the Iptables rules, you'll need to save them again if you want the changes to persist after a reboot.

iptables-save > /etc/iptables/rules.v4
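The template above and the rules.v4 file are the same information in two shapes: rules.v4 holds the output of iptables-save, which iptables-restore loads in one atomic step. As an added example (my own, not the article's code), the POSIX shell function below generates that file format from a list of TCP ports, refuses invalid ports so a typo cannot silently open the wrong one, and wraps it in a check that refuses to build a ruleset without the SSH port, since that is how people lock themselves out. It also adds a rate-limited LOG rule ahead of the DROP policy using the -m limit match, which the article does not use; the chain policies and the other rules are the article's own.

```sh
#!/bin/sh
# Added example: build an iptables-restore ruleset (the format stored in
# /etc/iptables/rules.v4) from a list of TCP ports to allow inbound.
# Usage: gen_rules_checked 22 80 443 > /etc/iptables/rules.v4
#        iptables-restore --test < /etc/iptables/rules.v4   # parse only, do not apply
#        iptables-restore < /etc/iptables/rules.v4          # apply atomically

gen_rules() {
    # Validate every port before emitting anything, so a bad argument
    # produces no partial ruleset.
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*)
                echo "gen_rules: '$port' is not a port number" >&2
                return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "gen_rules: port $port out of range" >&2
            return 1
        fi
    done

    # Chain policies, as in the article's template: deny inbound and
    # forwarded traffic by default, allow outbound.
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'

    # Loopback and return traffic first, exactly as the article's rules.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'

    # One ACCEPT per requested service port.
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
    done

    # Log what falls through, rate-limited so a scan cannot flood kern.log.
    # The trailing space in the prefix keeps it separate from "IN=" in the log line.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTABLES-DROPPED: " --log-level 7'
    printf '%s\n' 'COMMIT'
}

# Refuse to write a ruleset that would lock out SSH: the port list must
# contain 22, or whatever the (assumed) SSH_PORT variable is set to.
gen_rules_checked() {
    ssh_port="${SSH_PORT:-22}"
    for port in "$@"; do
        if [ "$port" = "$ssh_port" ]; then
            gen_rules "$@"
            return
        fi
    done
    echo "gen_rules_checked: refusing to build a ruleset without port $ssh_port (SSH)" >&2
    return 1
}
```

Generating the file and loading it with iptables-restore replaces the whole filter table at once, so there is never a moment where only half of the rules are in place, which is the risk when the rules are typed one iptables command at a time.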

Common Commands

List all of the rules

iptables -L

Flush (delete) all of the rules

iptables -F

Delete specific rule

Start off by listing all of the rules with line numbers.

iptables -L INPUT --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http

In this example, if I wanted to delete the rule which permits HTTP traffic, I’d type:

iptables -D INPUT 4

Accept incoming ping requests

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

Block a specific IP address

iptables -A INPUT -s "IP_ADDRESS_TO_BLOCK" -j DROP

Log dropped connection attempts

Append these two rules last, after every ACCEPT rule: rules are matched in order, so a packet that reaches them has not matched anything you allowed. The LOG target only writes the packet to the kernel log and passes it on to the next rule, so the explicit DROP after it is what discards the packet (redundant with a DROP policy, but it makes the intent clear).

iptables -A INPUT -j LOG --log-prefix "IPTABLES-DROPPED:" --log-level 7
iptables -A INPUT -j DROP

Log files will be stored in the following locations:

Ubuntu and Debian: /var/log/kern.log

CentOS/RHEL and Fedora: /var/log/messages
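Once the LOG rule is in place, the useful question is which sources are hitting the firewall and on which ports. As an added example (not from the article), the POSIX shell function below reads kern.log lines on stdin, keeps only those carrying the article's IPTABLES-DROPPED: prefix, and prints one line per source address with its hit count and the distinct destination ports it was dropped on. The sample log lines are constructed to look like what the article's LOG rule emits, using documentation-range addresses; note that because the article's prefix has no trailing space, the IN= field appears glued to it as IPTABLES-DROPPED:IN=eth0, which is why the parser keys on SRC= and DPT= rather than on field positions.

```sh
#!/bin/sh
# Added example: summarise "IPTABLES-DROPPED:" entries from kern.log by source
# address, with a count and the distinct destination ports each source hit.
# Usage: summarize_drops < /var/log/kern.log
#        summarize_drops < /var/log/kern.log | awk '$1 >= 20'   # only noisy sources

# Constructed sample (not a real capture) of what the article's LOG rule
# produces, including one unrelated kernel line that must be ignored.
SAMPLE_LOG='Jun  1 12:00:01 web kernel: [12345.678901] IPTABLES-DROPPED:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  1 12:00:02 web kernel: [12346.001122] IPTABLES-DROPPED:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=51235 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  1 12:00:03 web kernel: [12347.445566] IPTABLES-DROPPED:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
Jun  1 12:00:04 web kernel: [12348.000000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
Jun  1 12:00:05 web kernel: [12349.778899] IPTABLES-DROPPED:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=51236 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0'

# Reads log lines on stdin; prints "<count> <source> <ports>" sorted by count,
# highest first. Fields are located by their KEY= name, not by position.
summarize_drops() {
    grep 'IPTABLES-DROPPED:' |
    awk '{
        src = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5);
            if ($i ~ /^DPT=/) dpt = substr($i, 5);
        }
        if (src == "") next;
        count[src]++;
        # Record each (source, port) pair once, in the order first seen.
        if (!((src SUBSEP dpt) in seen)) {
            seen[src SUBSEP dpt] = 1;
            ports[src] = (ports[src] == "" ? dpt : ports[src] "," dpt);
        }
    }
    END { for (s in count) printf "%d %s %s\n", count[s], s, ports[s] }' |
    sort -rn
}

# Runs the summary over the constructed sample so the example works stand-alone.
summarize_sample() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_drops
}
```

A source that appears with many different destination ports in a short window is the pattern worth alerting on; a single source repeatedly dropped on one port is more often a misconfigured client than anything else, so the port list is as informative as the count.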

Did you find this guide useful? Are you having trouble and locked out of your server? Let us know in the comments below!


© Eric Mathison 2017-2020.