Software Engineer @ DigitalOcean. Former Señor Technical Writer (I no longer update articles or respond to comments). Expertise in areas including Ubuntu, PostgreSQL, MySQL, and more.
With over 6 years of experience in tech publishing, Mani has edited and published more than 75 books covering a wide range of data science topics. Known for his strong attention to detail and technical knowledge, Mani specializes in creating clear, concise, and easy-to-understand content tailored for developers.
A very helping tutorial and very well explained. Thanks a lot :)
Hello, Thanks again for your tutorial, as usual they are very good and very clear. Just a problem I have, I read it on my android phone (Samsung Galaxy Note 4) under chrome and the message box about “Infrastructure as a Newsletter” can’t be removed…
I appreciate this site. You do a great job! Thanks!!!
Thanks for this really good tutorial! Question: If I block ALL ports except ssh and 80, and even then restrict 80 to only allow incoming connections from Cloudflare’s range, I know it’ll work. But will it interfere with any of DigitalOcean’s management tools like backups and monitoring? Or do they operate at a lower, more direct level?
By the way, I think it would be useful to add to the tutorial the ability to block a range. For example, as I understand it:
Block 15.15.15.x:
sudo iptables -A INPUT -s 15.15.15.0/24 -j DROP
Block 15.15.x.x:
sudo iptables -A INPUT -s 15.15.0.0/16 -j DROP
Block entire 15.x.x.x (use with caution!):
sudo iptables -A INPUT -s 15.0.0.0/8 -j DROP
Someone correct me if I’m wrong, but I’ve been using /16 to block ranges of baddies with success in the past!
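The comment above lists three prefix lengths for blocking a source range. The following added example (not from the tutorial or from the commenter) uses Python's standard ipaddress module to show what each prefix actually covers, to generate the corresponding INPUT DROP rule only after validating the block, and to compute the smallest single block that covers a set of offending addresses, which is the check worth doing before widening a block to /16 or /8. The RANGES list and all addresses are constructed sample values.

```python
import ipaddress

# Constructed sample: the three ranges from the comment above.
RANGES = ["15.15.15.0/24", "15.15.0.0/16", "15.0.0.0/8"]


def drop_rule(cidr: str) -> str:
    """Return the iptables INPUT DROP rule for a CIDR block.

    strict=True makes ipaddress raise ValueError when host bits are set
    (e.g. 15.15.15.5/24), so a mistyped block is caught before it is
    turned into a rule that silently matches more than intended.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return f"iptables -A INPUT -s {net.with_prefixlen} -j DROP"


def address_count(cidr: str) -> int:
    """Number of addresses a block covers: /24 -> 256, /16 -> 65536, /8 -> 16777216."""
    return ipaddress.ip_network(cidr).num_addresses


def matching_blocks(ip: str, cidrs: list[str]) -> list[str]:
    """Return every block in cidrs that would match this source address."""
    addr = ipaddress.ip_address(ip)
    return [c for c in cidrs if addr in ipaddress.ip_network(c)]


def smallest_covering_block(ips: list[str]) -> str:
    """Smallest single CIDR block containing every address in ips.

    Starts from the first address as a /32 and widens the prefix one bit
    at a time until all addresses fall inside. Comparing the result's size
    against the number of addresses actually seen shows how much unrelated
    address space a wider block would also drop.
    """
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()  # widen by one bit
    return str(net)


if __name__ == "__main__":
    for cidr in RANGES:
        print(f"{cidr:16} covers {address_count(cidr):>9} addresses: {drop_rule(cidr)}")
    print(matching_blocks("15.15.15.77", RANGES))
    # Constructed offender list: two hosts in the same /24, then one far away.
    print(smallest_covering_block(["15.15.15.3", "15.15.15.200"]))
    print(smallest_covering_block(["15.15.15.3", "15.15.200.9"]))
```

Running the script prints the address count next to each generated rule, so the jump from 256 to 65,536 to 16,777,216 addresses is visible before any of them is applied.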
Hey, correct me if I’m wrong, but in the section ‘Allow All Incoming HTTP and HTTPS’, shouldn’t the second firewall rule be:
sudo iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
as opposed to
sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
?
Hi, great article - well written and easy to follow as always. Small note - when i was testing out the rules for POP3,
sudo iptables -A INPUT -i -p tcp --dport 110 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
i encountered the error
"Bad argument `tcp'"
The problem seems to lie with the “-i” after “INPUT”. You might want to double check that command - what worked for me is
sudo iptables -A INPUT -p tcp --dport 110 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
This is a great tutorial series! Not only is it well written, but it seems to be the only one on the net that explains the basics, and gives the steps necessary to succeed.
But… when I followed the instructions above for iptables & iptables-persistent on Ubuntu 15.10, I got this error:
$ sudo invoke-rc.d iptables-persistent save
/usr/sbin/invoke-rc.d: 631: /usr/sbin/invoke-rc.d: /etc/init.d/iptables-persistent: not found
invoke-rc.d: initscript iptables-persistent, action "save" failed.
Any ideas what to do about that? Thanks!
Is there a way to allow SFTP from a specific IP but block SSH for all incoming traffic on port 22? Traffic for SSH is moved to a different port anyway, but I want SFTP to run for specific IPs on port 22.
Hi Just a quick addition to this…
You can use the invoke method to save the iptables rules or this:
service iptables save
Tested on CentOS 7 and Ubuntu 14.04
I’m loving the tutorial; everything has worked the first time around using a Raspberry Pi & headless Raspbian.
I was wondering if you could help me with the iptables rules though. I’m trying to add a second VPN connection (tun1); this connection will be accepting incoming connections so I can access my network when away from home. Could you provide some guidance on how I could add this functionality?