Setting up a good firewall is an essential step in securing any modern operating system. Most Linux distributions ship with a few different firewall tools that can be used to configure the firewall. In this guide, we'll be covering the iptables firewall.
iptables is the standard firewall included in most Linux distributions by default (its successor, nftables, is beginning to replace it). It is actually a userspace front end to the kernel-level netfilter hooks that manipulate the Linux network stack. It works by matching each packet that crosses a network interface against an ordered set of rules; the first rule that matches decides what happens to the packet, so the order in which rules are added matters.
In the previous guide, we learned how iptables rules work to block unwanted traffic. In this guide, we'll move on to a practical example and build a basic rule set for an Ubuntu 14.04 server. The resulting firewall will allow SSH and HTTP traffic and drop other unsolicited incoming connections.
Note: This tutorial covers IPv4 security. In Linux, IPv6 security is maintained separately from IPv4. For example, "iptables" only maintains firewall rules for IPv4 addresses, but it has an IPv6 counterpart called "ip6tables" which maintains firewall rules for IPv6 network addresses. A rule loaded with iptables has no effect on IPv6 traffic.
If your VPS is configured for IPv6, please remember to secure both your IPv4 and IPv6 network interfaces with the appropriate tools. For more information about IPv6 tools, refer to this guide: How To Configure Tools to Use IPv6 on a Linux VPS
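Worked example, added here and not code from the original tutorial: a POSIX shell script that emits the basic rule set this guide builds (loopback, established connections, SSH, HTTP, drop the rest) in the iptables-restore format that iptables-persistent loads from /etc/iptables/rules.v4, together with the ip6tables counterpart the note above asks for. The function names, the default ports 22 and 80, the output-directory argument and the ICMPv6 accept rule in the IPv6 set are this example's own choices. The script only writes text files and never touches the running firewall, so it can be run as an unprivileged user to review the rules before loading them.

```sh
#!/bin/sh
# Added example, not from the original tutorial: emit the basic rule set the
# guide builds in iptables-restore format.  Nothing here changes the live
# firewall; the output is meant to be reviewed and then loaded explicitly.

# Print the IPv4 rule set.  Arguments: SSH port (default 22), HTTP port
# (default 80).  Rules are evaluated top to bottom and the first match wins,
# so loopback and already-established traffic are accepted before the
# service ports and the catch-all DROP comes last.  The chain policy stays
# ACCEPT and the drop is an explicit rule: if the chain is ever flushed with
# "iptables -F" you fall back to an open firewall instead of locking
# yourself out of SSH.
basic_rules_v4() {
    ssh_port="${1:-22}"
    http_port="${2:-80}"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport ${ssh_port} -j ACCEPT
-A INPUT -p tcp --dport ${http_port} -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# Print the IPv6 rule set for ip6tables.  Same shape, plus an ICMPv6 accept
# (this example's addition): IPv6 neighbor discovery and path MTU discovery
# run over ICMPv6, so a v6 firewall that drops it breaks connectivity rather
# than merely hiding the host.
basic_rules_v6() {
    ssh_port="${1:-22}"
    http_port="${2:-80}"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A INPUT -p tcp --dport ${ssh_port} -j ACCEPT
-A INPUT -p tcp --dport ${http_port} -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# Write both files into a directory.  iptables-persistent reads
# /etc/iptables/rules.v4 and /etc/iptables/rules.v6; writing there needs
# root, so run the script with sudo when you use the default directory.
# Arguments: directory, SSH port, HTTP port.
write_rules() {
    dir="${1:-/etc/iptables}"
    mkdir -p "$dir"
    basic_rules_v4 "${2:-22}" "${3:-80}" > "$dir/rules.v4"
    basic_rules_v6 "${2:-22}" "${3:-80}" > "$dir/rules.v6"
    echo "wrote $dir/rules.v4 and $dir/rules.v6"
}

# Sanity check before loading a rules file: every -A line must target a
# chain the file declares with a ":" line, and the table must end with
# COMMIT.  Returns 0 when the file passes, non-zero otherwise.
check_rules() {
    file="$1"
    chains=$(sed -n 's/^:\([^ ]*\) .*/\1/p' "$file")
    awk -v chains="$chains" '
        BEGIN { n = split(chains, c, "\n"); for (i = 1; i <= n; i++) ok[c[i]] = 1 }
        /^-A / { if (!($2 in ok)) { print "unknown chain: " $2; bad = 1 } }
        /^COMMIT$/ { committed = 1 }
        END { if (!committed) { print "missing COMMIT"; bad = 1 } exit bad }
    ' "$file"
}

# Running the script directly prints the IPv4 rules for review;
# "sh firewall.sh 2222" would allow SSH on port 2222 instead of 22.
basic_rules_v4 "$@"
```

Once the files look right, load them with iptables-restore and ip6tables-restore, reading each rules file on standard input as root, and confirm the result with "sudo iptables -S". Because the redirection in write_rules happens in your own shell, not inside iptables, the script must itself run as root to write under /etc/iptables; piping the output through "sudo tee" is the equivalent trick when typing commands by hand.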
Former Senior Technical Writer at DigitalOcean, specializing in DevOps topics across multiple Linux distributions, including Ubuntu 18.04, 20.04, 22.04, as well as Debian 10 and 11.
I have read a lot of articles/tutorials online and just about all of them left me with unanswered questions. So I kept my distance from touching iptables directly and instead used the easier UFW tool to set up my firewall.
But I gotta tell you, this article is by far the best one I have seen. It's well written and provided with great examples, which were also explained well. I thank you for this wonderful article. I am sure many will benefit from this.
Fantastic write-up, thanks!
I have set up iptables rules for ports 993, 465, 110 and 143,
but still can't access Gmail IMAP and SMTP through Outlook Express or MS Outlook; they are using the ports given above.
Any ideas?
Thanks,
Mitch
After installing iptables-persistent, the saved rules can be updated by running:
sudo service iptables-persistent save
This works on Ubuntu 14.04. I previously tried a different method which did not work:
sudo iptables-save > /etc/iptables/rules.v4
-bash: /etc/iptables/rules.v4: Permission denied
@Ryan: That's correct. It's because only the iptables-save command is run as root, while your shell, which is run as your non-root user, performs the output redirection to the rules.v4 file. You can also use the tee command to write the output to rules.v4:
iptables-save | sudo tee /etc/iptables/rules.v4
I feel like this tutorial should have an accept rule for ICMP in case people using the tutorials copy the config as is.
Ummm… you really should allow DNS lookups, or else people will be pretty confused if they use this HOWTO to configure iptables. Without the following rule you won't be able to do DNS lookups (which might be perfectly fine for some systems, but most people probably would want it) so you can run apt-get and actually resolve the repo names, etc. :P
iptables -A INPUT -p udp --sport 53 -j ACCEPT
linuxfreakus: Maybe I'm misunderstanding your comment. This guide only concentrates on restricting incoming connections. Output traffic is entirely unrestricted (as is traffic related to output traffic, such as DNS responses). Unless you are operating a DNS server and designing your firewall around access to that, these rules will allow you to connect to and communicate with an external DNS server without any additional rules.
Whenever I reboot my server, I find that some of my rules are duplicated.
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-nginx-http-auth
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-nginx-http-auth
-A INPUT -p tcp -m multiport --dports 2500 -j fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-nginx-http-auth
-A INPUT -p tcp -m multiport --dports 2500 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
-A fail2ban-nginx-http-auth -j RETURN
-A fail2ban-nginx-http-auth -j RETURN
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh -j RETURN
However, after I reloaded iptables-persistent, the iptables rules look OK.
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-nginx-http-auth
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-nginx-http-auth
-A INPUT -p tcp -m multiport --dports 2500 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
-A fail2ban-nginx-http-auth -j RETURN
-A fail2ban-ssh -j RETURN
Below is my rules.v4:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [150:40289]
:fail2ban-nginx-http-auth - [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-nginx-http-auth
-A INPUT -p tcp -m multiport --dports 2500 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
-A fail2ban-nginx-http-auth -j RETURN
-A fail2ban-ssh -j RETURN
COMMIT
Advice is welcome as to why this happens, as I do not want duplicates whenever I reboot servers.
Thanks.
Regarding IPv6, don't forget about:
ip6tables -A INPUT -p icmpv6 -j ACCEPT
IPv6 uses ICMP a lot more than IPv4, and not letting ICMP packets in can severely cripple your traffic, because you won't receive error messages related to that traffic. This can cause long delays/timeouts.