Secure Your Server with Iptables Firewall

Secure Your Server with Iptables Firewall

comments

Iptables is a very popular firewall system for Linux that's been around since the late 1990s. It's a great way of keeping unwanted traffic away from your server.

In this guide, I'll explain to you how you can secure your server by dropping all incoming traffic that you haven't explicitly allowed.

The Rules

Accept loopback traffic

In order for your server to communicate with itself, you'll need to accept loopback (127.0.0.1) traffic.

sudo iptables -A INPUT -i lo -p all -j ACCEPT

Accept return traffic

Accept related and established traffic. You can read more about connection states here.

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Accept incoming connections to specific ports

Open the ports for whatever services you're running. At a minimum, you'll need to open up the port for SSH, which is by default on port 22.

Accept SSH connections

sudo iptables -I INPUT -p tcp --dport 22 -j ACCEPT

Accept HTTP connections

sudo iptables -I INPUT -p tcp --dport 80 -j ACCEPT

Accept HTTPS connections

sudo iptables -I INPUT -p tcp --dport 443 -j ACCEPT

Drop policy

Set the policy to drop all incoming traffic that's not explicitly permitted

sudo iptables -P INPUT DROP

Iptables New Server Template

Here is the template I use for setting up new servers:

# Flush existing rules
sudo iptables -F

# Accept loopback traffic
sudo iptables -A INPUT -i lo -p all -j ACCEPT

# Accept return traffic
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept SSH & HTTP traffic
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Set default INPUT policy to DROP
sudo iptables -P INPUT DROP

# Set default FORWARD policy to DROP
sudo iptables -P FORWARD DROP

# Set default OUTPUT policy to ACCEPT
sudo iptables -P OUTPUT ACCEPT

Make Iptables Persistent

Everytime that your server is restarted, all of the Iptables rules will be flushed and no longer exist.

One way to make the rules persistent is to use a package called iptables-persistent

sudo apt-get update
sudo apt-get install iptables-persistent

Every time that you modify the Iptables rules, if you want to make the changes persist after a reboot, you'll need to save them.

sudo iptables-save > /etc/iptables/rules.v4

Common Commands

List all of the rules

sudo iptables -L

Flush (delete) all of the rules

sudo iptables -F

Delete specific rule

Start off by listing all of the rules with line numbers.

sudo iptables -L INPUT --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http

In this example, if I wanted to delete the rule which permits HTTP traffic, I'd type:

sudo iptables -D INPUT 4

Accept incoming ping requests

sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
sudo iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

Block a specific IP address

sudo iptables -A INPUT -s "IP_ADDRESS_TO_BLOCK" -j DROP

Log dropped connection attempts

sudo iptables -A INPUT -j LOG --log-prefix "IPTABLES-DROPPED:" --log-level 7
sudo iptables -A INPUT -j DROP

Log files will be stored in the following locations:

Ubuntu and Debian: /var/log/kern.log

CentOS/RHEL and Fedora: /var/log/messages

Did you find this guide useful? Are you having trouble and locked out of your server? Let us know in the comments below!