Iptables is a very popular firewall system for Linux that's been around since the late 1990s. It's a great way of keeping unwanted traffic away from your server.
In this guide, I'll explain to you how you can secure your server by dropping all incoming traffic that you haven't explicitly allowed.
Accept loopback traffic
In order for your server to communicate with itself, you'll need to accept loopback (127.0.0.1) traffic.
sudo iptables -A INPUT -i lo -p all -j ACCEPT
Accept return traffic
Accept related and established traffic. You can read more about connection states here.
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Accept incoming connections to specific ports
Open the ports for whatever services you're running. At a minimum, you'll need to open up the port for SSH, which is by default on port 22.
Accept SSH connections
sudo iptables -I INPUT -p tcp --dport 22 -j ACCEPT
Accept HTTP connections
sudo iptables -I INPUT -p tcp --dport 80 -j ACCEPT
Accept HTTPS connections
sudo iptables -I INPUT -p tcp --dport 443 -j ACCEPT
Set the policy to drop all incoming traffic that's not explicitly permitted
sudo iptables -P INPUT DROP
Iptables New Server Template
Here is the template I use for setting up new servers:
# Flush existing rules sudo iptables -F # Accept loopback traffic sudo iptables -A INPUT -i lo -p all -j ACCEPT # Accept return traffic sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Accept SSH & HTTP traffic sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT # Set default INPUT policy to DROP sudo iptables -P INPUT DROP # Set default FORWARD policy to DROP sudo iptables -P FORWARD DROP # Set default OUTPUT policy to ACCEPT sudo iptables -P OUTPUT ACCEPT
Make Iptables Persistent
Everytime that your server is restarted, all of the Iptables rules will be flushed and no longer exist.
One way to make the rules persistent is to use a package called iptables-persistent
sudo apt-get update sudo apt-get install iptables-persistent
Every time that you modify the Iptables rules, if you want to make the changes persist after a reboot, you'll need to save them.
sudo iptables-save > /etc/iptables/rules.v4
List all of the rules
sudo iptables -L
Flush (delete) all of the rules
sudo iptables -F
Delete specific rule
Start off by listing all of the rules with line numbers.
sudo iptables -L INPUT --line-numbers
Chain INPUT (policy DROP) num target prot opt source destination 1 ACCEPT all -- anywhere anywhere 2 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED 3 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh 4 ACCEPT tcp -- anywhere anywhere tcp dpt:http
In this example, if I wanted to delete the rule which permits HTTP traffic, I'd type:
sudo iptables -D INPUT 4
Accept incoming ping requests
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT sudo iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
Block a specific IP address
sudo iptables -A INPUT -s "IP_ADDRESS_TO_BLOCK" -j DROP
Log dropped connection attempts
sudo iptables -A INPUT -j LOG --log-prefix "IPTABLES-DROPPED:" --log-level 7 sudo iptables -A INPUT -j DROP
Log files will be stored in the following locations:
Ubuntu and Debian: /var/log/kern.log
CentOS/RHEL and Fedora: /var/log/messages
Did you find this guide useful? Are you having trouble and locked out of your server? Let us know in the comments below!