Secure your server with Iptables

It's never a good idea to leave doors open. Neither should there be unnecessary open ports on your server. With Iptables, the firewall tool shipped with Ubuntu, it's not that hard to secure your server. A very detailed and nice introduction can be found in the Ubuntu Wiki.

Example setup

A sample setup might look like the following. The first step is to allow connections that are already established.

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Then the ssh and http ports should be accepted.

sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Finally, all other traffic shall be blocked.

sudo iptables -A INPUT -j DROP

Note that the order of the iptables rules is important. A packet is checked against the rules from top to bottom and the first matching rule wins, so if for example the DROP rule were the first entry, nothing else would be allowed in. Also make sure not to block your ssh port! Otherwise you lock yourself out of the server.

Adding new rules

Now we realise we forgot one port. But that's no problem! We can not only append new rules, we can also specify the position at which a rule is inserted. Take a look at the list created so far.

sudo iptables --list

We decide to add port 12345 as the 3rd rule. So let's do that!

sudo iptables -I INPUT 3 -p tcp --dport 12345 -j ACCEPT

Checking the list again should show the added port.

Preserve rules

Preserving the iptables rules after rebooting is pretty easy.

# iptables-save only prints the current rules to stdout; redirect them into the
# file that the iptables-persistent package reloads at boot (apt install iptables-persistent)
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
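The three sections above (the base ruleset, inserting a rule at a given position, and saving the result) can be tried out without touching a live firewall. The script below is an added example and not part of the original post: it assembles the post's rules in the text format that iptables-save writes and iptables-restore reads, implements the numbering of `iptables -I INPUT 3` over that text, and checks the order before anything is loaded. It assumes the iptables-restore file format, the `/etc/iptables/rules.v4` path used by the iptables-persistent package, and port 22 in place of the `ssh` service name (iptables-save always writes numeric ports). The loopback rule inserted in the demo is a practitioner's addition, not something the post mentions.

```shell
#!/bin/sh
# Added example (not from the post): build the post's ruleset as an
# iptables-restore file, insert rules the way `iptables -I INPUT POS` does,
# and sanity-check the order. Everything here runs unprivileged; only the
# iptables-restore/tee commands mentioned at the end would need root.
set -eu

# The post's ruleset in iptables-restore format. Rule order inside the
# chain matters exactly as with `iptables -A INPUT`.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# Print the INPUT rules with their positions, like
# `iptables -L INPUT --line-numbers`. Reads a ruleset on stdin.
list_input_rules() {
    awk '/^-A INPUT / { n++; sub(/^-A INPUT /, ""); print n ": " $0 }'
}

# Insert RULE as the POS-th INPUT rule (1-based, the same numbering as
# `iptables -I INPUT POS RULE`). Reads a ruleset on stdin and writes the new
# one to stdout; POS may be at most one past the last rule, otherwise the
# function fails just as iptables rejects an index that is too big.
insert_input_rule() {
    pos=$1
    rule=$2
    [ "$pos" -ge 1 ] || return 1
    awk -v pos="$pos" -v rule="$rule" '
        /^-A INPUT / { n++; if (n == pos) print "-A INPUT " rule }
        /^COMMIT$/ {
            if (n + 1 == pos) { print "-A INPUT " rule }
            else if (n < pos) { exit 1 }
        }
        { print }
    '
}

# Sanity check before loading: the last INPUT rule must be the DROP, and an
# ACCEPT for the ssh port must appear before it, otherwise loading the
# ruleset over an ssh session locks you out. Exit status reports the result.
check_ruleset() {
    awk '
        /^-A INPUT / {
            n++
            if ($0 ~ /--dport 22 / && $0 ~ /-j ACCEPT$/ && !drop_seen) ssh_ok = 1
            if ($0 ~ /-j DROP$/) { drop_seen = 1; last_is_drop = 1 } else last_is_drop = 0
        }
        END { exit !(ssh_ok && last_is_drop) }
    '
}

# Demo: the post's ruleset, the forgotten port 12345 as rule 3, and (a
# practitioner's addition) loopback traffic accepted as rule 1.
demo() {
    build_ruleset \
        | insert_input_rule 3 '-p tcp --dport 12345 -j ACCEPT' \
        | insert_input_rule 1 '-i lo -j ACCEPT'
}

RULESET=$(demo)
printf '%s\n' "$RULESET" | list_input_rules
if printf '%s\n' "$RULESET" | check_ruleset; then
    echo "ruleset ok: load it with 'sudo iptables-restore < rules.v4' and"
    echo "keep it across reboots by writing it to /etc/iptables/rules.v4"
else
    echo "ruleset rejected: ssh must be accepted before the final DROP" >&2
    exit 1
fi
```

The check deliberately refuses a ruleset whose DROP comes first or whose ssh ACCEPT sits below the DROP, which are exactly the two ordering mistakes the post warns about; running it against the generated file before `iptables-restore` catches them before they cost you the session.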

Now you're done! Your server should be (more) secure and your life easier.