Home > Support > HOWTO List > Linux > IPTables

Securing Your Server: Setting up a Linux Firewall

A firewall is software that lets you manage network access to your server. The main low level command used to do this in linux is 'iptables'.

There are a number of frameworks that have been build around iptables, including Firewald (CentOS), and Uncomplicated Firewall of UFW (Ubuntu).

You can also configure a firewall on your VPS using one of our optional hosting panels.

Before you decide to set up a firewall, please note...

A basic firewall using Webmin

The Webmin interface in particular can be handy for this. We document practical steps here

Save the settings as you go.

Save the settings as you go.

When you're done, you will have an /etc/sysconfig/iptables (or /etc/iptables.up.rules under debian) similar to this:

# Generated by iptables-save v1.2.7a on Sat Sep 27 02:06:00 2003
*nat
:PREROUTING ACCEPT [38:1868]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sat Sep 27 02:06:00 2003
# Generated by iptables-save v1.2.7a on Sat Sep 27 02:06:00 2003
*mangle
:PREROUTING ACCEPT [353:47034]
:INPUT ACCEPT [353:47034]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [323:141426]
:POSTROUTING ACCEPT [323:141426]
COMMIT
# Completed on Sat Sep 27 02:06:00 2003
# Generated by iptables-save v1.2.7a on Sat Sep 27 02:06:00 2003
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports ssh,www,https,pop3,smtp,imap,imaps,pop3s,10000
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Respond to pings
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Protect our NFS server
-A INPUT -p tcp -m tcp --dport 2049:2050 -j DROP
# Protect our X11 display server
-A INPUT -p tcp -m tcp --dport 6000:6063 -j DROP
# Protect our X font server
-A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP
# Allow connections to unprivileged ports
-A INPUT -p tcp -m tcp --dport 1024:63353 -j ACCEPT
# Accept traceroutes
-A INPUT -p udp -m udp --dport 33434:33523 -j ACCEPT
COMMIT
# Completed on Sat Sep 27 02:06:00 2003

Some more advanced topics are covered at Webmin: Linux Firewall

Managing the firewall manually

To prevent the rules being loaded on boot, on a CentOS/RHEL server use

chkconfig --del iptables

Under debian comment out or remove the line that triggers the rule file loading, from /etc/network/interfaces.

Firewall Locked You Out?

If you accidentally setup an iptable rule that locks you out of your RimuHosting VPS then you can enable the console-over-ssh feature and stop iptables from there, then re-setup your rules.

On your VPS command line, you should now be able to run iptables --list to get a listing of all the active rules.

# remove all the rules by stopping iptables:
/etc/init.d/iptables stop

Occasionally you may need to do disable that completely manually, especially if you are not using the iptables script, try the following commands to flush all the kernel rules tables (Thanks Lloyd)...

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -X
iptables -F

Some firewall frameworks

Uncomplicated FireWall (Debian/Ubuntu)
FirewallD (on CentOS)
Shorewall
iptables-persistent