How to Set Up a Firewall with iptables on Ubuntu and CentOS

by

How to Set Up a Firewall with iptables on Ubuntu and CentOS

In this tutorial, we are going to show you how to set up a firewall with iptables on a Linux VPS running Ubuntu or CentOS as an operating system. Iptables is an administration tool for IPv4 packet filtering and NAT and it is used to set up and manage the tables of IPv4 packet filter rules in the Linux kernel.

Properly configuring and setting up a firewall is one of the most important and crucial things you need to do to secure your server.

With iptables, several different packet matching tables are defined and each table can contain a number of built-in chains as well as some chains defined by the user. The chains are actually lists of rules that match set of packets and each rule specifies what to do with the matched packet.

The default table is the filter table and it contains the built-in chains INPUT, FORWARD, and OUTPUT. The INPUT chain is used for packets destined to local sockets, the FORWARD chain is used for packets being routed through the box while the OUTPUT chain is used for locally-generated packets.

Connect to your server via SSH and list the rules defined in a specific chain using the following syntax:

sudo iptables -L CHAIN

Replace CHAIN with one of the built-in chains to see the defined rules. If no chain is selected, all chains will be listed in the output.

sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The firewall rules specify what to do with a certain packet if it matches certain criteria and in case the packet doesn’t match the criteria, the next firewall rule defined in the chain will be examined. This is a very important thing to know when defining the firewall rules because you can easily lock yourself out of your server if you define the rule which accepts packets from your local IP address after the blocking rule.

The targets you can use for the firewall rules are ACCEPT, DROP, QUEUE and RETURN. ACCEPT will let the packet through, DROP will drop the packet, QUEUE will pass the packet to the userspace while RETURN will stop the packet traversing of the current chain and will resume at the next rule in the previous chain. The default chain policy will define what to do with a packet if it doesn’t match certain firewall rule. As you can see in the output of the first command, the default policy for all built-in chains is set to ACCEPT. ACCEPT will let the packet go through so basically there is no protection.

Before adding any specific rules, add the following one:

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

This will prevent the connections that are already established to be dropped and your current SSH session will remain active.

Next, add rules to allow traffic on your loopback interface:

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT

Next, allow access to your server via SSH for your local IP address so only you can access the server:

sudo iptables -A INPUT -s 111.111.111.111 -p tcp --dport 22 -j ACCEPT

Where 111.111.111.111 is your local IP address and 22 is the listening port of your SSH daemon. In case your local IP address changes dynamically it is best to omit the -s 111.111.111.111 part and use a different method to protect the SSH service from unwanted traffic.

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Next, allow access to your important services like HTTP/HTTPS server:

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

[ecko_alert color=”blue”]Stuck somewhere? Get a VPS from us and we’ll properly secure your server and configure a firewall for you, free of charge![/ecko_alert]

Now, list the current rules and check if everything is OK. For detailed output you can use the following command:

sudo iptables -nvL

If you have other services that you want to allow access to it is best to do that now. Once you are done, you can set the default policy for the INPUT built-in chain to DROP.

sudo iptables -P INPUT -j DROP

This will drop any packet that doesn’t match the firewall rules criteria. The final output should be similar to the following one:

Need a fast and easy fix?
✔ Unlimited Managed Support
✔ Supports Your Software
✔ 2 CPU Cores
✔ 2 GB RAM
✔ 50 GB PCIe4 NVMe Disk
✔ 1854 GeekBench Score
✔ Unmetered Data Transfer
NVME 2 VPS

Now just $43 .99
/mo

GET YOUR VPS 
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0

However, if you now restart the server you will lose all the firewall rules you defined so it is really important to make the rules permanent.

In case you are using an Ubuntu VPS you need to install an additional package for that purpose. Go ahead and install the required package using the following command:

sudo apt-get install iptables-persistent

On Ubutnu 14.04 you can save and reload the firewall rules using the commands below:

sudo /etc/init.d/iptables-persistent save
sudo /etc/init.d/iptables-persistent reload

On Ubuntu 16.04 use the following commands instead:

sudo netfilter-persistent save
sudo netfilter-persistent reload

If you are using a CentOS VPS you can save the firewall rules using the command below:

service iptables save

Of course, you don’t have to do any of this if you use one of our Fully Managed VPS Hosting services, in which case you can simply ask our expert Linux admins to help you configure your iptables on your server. They are available 24×7 and will take care of your request immediately.

PS. If you liked this post on How to Set Up a Firewall with iptables on Ubuntu and CentOS, please share it with your friends on the social networks using the buttons below or simply leave a comment in the comments section. Thanks.

2 thoughts on “How to Set Up a Firewall with iptables on Ubuntu and CentOS”

  1. Under the section where it says “If you have other services that you want to allow access to it is best to do that now. Once you are done, you can set the default policy for the INPUT built-in chain to DROP.” there is a command below that reads:
    iptables -A INPUT DROP

    This should say iptables –
    iptables A INPUT -j DROP

    Without the -j the system doesn’t know what to do with the “DROP” and therefore returns an error of:

    “root@mysystem:~# iptables -A INPUT DROP
    Bad argument `DROP’
    Try `iptables -h’ or ‘iptables –help’ for more information.”

    Reply

Leave a Comment