Home > Support > HOWTO List > Linux > IPTables

Securing Your Server: Setting up a Linux Firewall

A firewall is software that lets you manage network access to your server. The main low level command used to do this in linux is 'iptables'. (There is a newer nftables command that has a iptables compatibility layer so it can still be used like iptables.)

There are a number of frameworks that have been build around iptables, including Firewald (CentOS), and Uncomplicated Firewall aka UFW (Ubuntu).

You can also configure a firewall on your VPS using one of our optional hosting panels.

Before you decide to set up a firewall, please note...

mis-configuring a firewall can prevent you from accessing your own server. We provide direct console access for VPS customers in case you get stuck.
the very best way to prevent someone from accessing services on your VPS is to simply to not run those services
firewalls don't protect you from insecure services. Keep your server up to date (eg per Debian/Ubuntu and CentOS)
if you have multiple IPs or interfaces, you may need separate rules for each.

A basic firewall using Webmin

The Webmin interface in particular can be handy for this. We document practical steps here

Go to your Webmin control panel. Select "Networking" -> "Linux Firewall"
Webmin will create a new set of default rules for you, if you select the "Reset Firewall" button at the bottom.
Select the "Block all except SSH, IDENT, ping and high ports on interface" option.
The dropdown show read "eth0", change it to that if it is something else like bond0.
You don't need to enter anything in the input to the right of the "eth0" dropdown.

Save the settings as you go.

On the next page there will be a bunch of options, select "If protocol is TCP and destination port is ssh"
On the Edit Rule page, go down to the "Destination TCP or UDP port" option.
Change the option from equalling "22" to equalling "22,80,443,110,25,143,993,995,10000".
Add in whatever other ports you need, or remove ports you want to exclude.

Standard ports for different services:

22 ssh (remote access)
80 http (web)
443 https (web)
110 pop3 (email)
25 smtp (email)
587 submission (email)
143 imap (email)
993 imaps (email)
995 pop3s (email)
10000 webmin/virtualmin (remote access)

Save the settings as you go.

Click 'Add Rule'.
For Rule Comment set "Allow traceroutes". Action to Take is 'Accept'.
Set Network Protocol 'Equals' 'UDP'.
Set Destination TCP or UDP port 'Equals' 'Port Range' '33434' to '33523'
Click the 'Create' button.
Check that 'Activate at Boot' is Yes.
Hit Apply Configuration.

When you're done, you will have an /etc/sysconfig/iptables (or /etc/iptables.up.rules under debian) similar to this:

# Generated by iptables-save v1.2.7a on Sat Sep 27 02:06:00 2003
*nat
:PREROUTING ACCEPT [38:1868]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sat Sep 27 02:06:00 2003
# Generated by iptables-save v1.2.7a on Sat Sep 27 02:06:00 2003
*mangle
:PREROUTING ACCEPT [353:47034]
:INPUT ACCEPT [353:47034]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [323:141426]
:POSTROUTING ACCEPT [323:141426]
COMMIT
# Completed on Sat Sep 27 02:06:00 2003
# Generated by iptables-save v1.2.7a on Sat Sep 27 02:06:00 2003
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports ssh,www,https,pop3,smtp,imap,imaps,pop3s,10000
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Respond to pings
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Protect our NFS server
-A INPUT -p tcp -m tcp --dport 2049:2050 -j DROP
# Protect our X11 display server
-A INPUT -p tcp -m tcp --dport 6000:6063 -j DROP
# Protect our X font server
-A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP
# Allow connections to unprivileged ports
-A INPUT -p tcp -m tcp --dport 1024:63353 -j ACCEPT
# Accept traceroutes
-A INPUT -p udp -m udp --dport 33434:33523 -j ACCEPT
COMMIT
# Completed on Sat Sep 27 02:06:00 2003

Some more advanced topics are covered at Webmin: Linux Firewall

Managing the firewall manually

To prevent the rules being loaded on boot, on a CentOS/RHEL server use

chkconfig --del iptables

Under debian comment out or remove the line that triggers the rule file loading, from /etc/network/interfaces.

Firewall Locked You Out?

If you accidentally setup an iptable rule that locks you out of your RimuHosting VPS then you can enable the console-over-ssh feature and stop iptables from there, then re-setup your rules.

On your VPS command line, you should now be able to run iptables --list to get a listing of all the active rules.

# remove all the rules by stopping iptables:
/etc/init.d/iptables stop

Occasionally you may need to do disable that completely manually, especially if you are not using the iptables script, try the following commands to flush all the kernel rules tables (Thanks Lloyd)...

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -X
iptables -F

Some firewall frameworks

Uncomplicated FireWall (Debian/Ubuntu)
FirewallD (on CentOS)
Shorewall
iptables-persistent