A firewall is software that lets you manage network access to your server. The main low level command used to do this in linux is 'iptables'. (There is a newer nftables command that has a iptables compatibility layer so it can still be used like iptables.)
There are a number of frameworks that have been build around iptables, including Firewald (CentOS), and Uncomplicated Firewall aka UFW (Ubuntu).
You can also configure a firewall on your VPS using one of our optional hosting panels.
Before you decide to set up a firewall, please note...
The Webmin interface in particular can be handy for this. We document practical steps here
Save the settings as you go.
Standard ports for different services:
Save the settings as you go.
When you're done, you will have an /etc/sysconfig/iptables (or /etc/iptables.up.rules under debian) similar to this:
# Generated by iptables-save v1.2.7a on Sat Sep 27 02:06:00 2003
*nat
:PREROUTING ACCEPT [38:1868]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sat Sep 27 02:06:00 2003
# Generated by iptables-save v1.2.7a on Sat Sep 27 02:06:00 2003
*mangle
:PREROUTING ACCEPT [353:47034]
:INPUT ACCEPT [353:47034]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [323:141426]
:POSTROUTING ACCEPT [323:141426]
COMMIT
# Completed on Sat Sep 27 02:06:00 2003
# Generated by iptables-save v1.2.7a on Sat Sep 27 02:06:00 2003
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports ssh,www,https,pop3,smtp,imap,imaps,pop3s,10000
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Respond to pings
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Protect our NFS server
-A INPUT -p tcp -m tcp --dport 2049:2050 -j DROP
# Protect our X11 display server
-A INPUT -p tcp -m tcp --dport 6000:6063 -j DROP
# Protect our X font server
-A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP
# Allow connections to unprivileged ports
-A INPUT -p tcp -m tcp --dport 1024:63353 -j ACCEPT
# Accept traceroutes
-A INPUT -p udp -m udp --dport 33434:33523 -j ACCEPT
COMMIT
# Completed on Sat Sep 27 02:06:00 2003
Some more advanced topics are covered at Webmin: Linux Firewall
To prevent the rules being loaded on boot, on a CentOS/RHEL server use
chkconfig --del iptables
Under debian comment out or remove the line that triggers the rule file loading, from /etc/network/interfaces.
If you accidentally setup an iptable rule that locks you out of your RimuHosting VPS then you can enable the console-over-ssh feature and stop iptables from there, then re-setup your rules.
On your VPS command line, you should now be able to run iptables --list
to get a listing of all the active rules.
# remove all the rules by stopping iptables:
/etc/init.d/iptables stop
Occasionally you may need to do disable that completely manually, especially if you are not using the iptables script, try the following commands to flush all the kernel rules tables (Thanks Lloyd)...
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -X
iptables -F
Uncomplicated FireWall (Debian/Ubuntu)
FirewallD (on CentOS)
Shorewall
iptables-persistent