How to Configure a Linux VPS Firewall with IPTables


Securing your Linux VPS with a firewall is an important step to protect it from unauthorized access and attacks. IPTables is the built-in Linux firewall solution that allows you to filter incoming and outgoing traffic. This article will walk you through step-by-step how to configure an IPTables firewall on your Linux VPS.

In this article, we will show you how to configure a Linux VPS firewall using IPTables. IPTables is a powerful firewall utility that is included with most Linux distributions. It can be used to create a variety of firewall rules, including rules that allow or deny traffic based on source and destination IP addresses, port numbers, and protocols.


A Linux VPS from VPSMart

Administrative access (root/sudo) to your server via SSH

Understanding IPTables

Before configuring IPTables rules, it's important to understand some basics about how it works. IPTables manages the tables in the Linux kernel that contain the firewall rules. There are three main tables:

INPUT - Rules that apply to inbound traffic destined for the VPS itself.

OUTPUT - Rules that apply to outbound traffic leaving from the VPS.

FORWARD - Rules that apply to traffic that is routed through the VPS but not destined for it.

Within each table, there are built-in chains that contain the actual rules:

PREROUTING - Rules that apply before the routing process.

INPUT - Rules for inbound traffic.

FORWARD - Rules for forwarded traffic.

OUTPUT - Rules for outbound traffic.

POSTROUTING - Rules that apply after the routing process.

Each rule contains three main parts:

A chain - Which table and chain the rule applies to.

A filter - Whether to ACCEPT, DROP or REJECT the packets.

Match criteria - Which packets the rule applies to based on things like protocols, ports, source/destination IPs, etc.

Configuring a Linux VPS Firewall with IPTables

With this understanding, we can now start configuring rules to lock down our VPS firewall.
Step 1) Install and Enable IPTables

On most Linux distributions, IPTables comes pre-installed. However, we'll first ensure it's installed and enabled. We can install IPTables using:

sudo apt install iptables  # For Debian/Ubuntu
sudo yum install iptables  # For CentOS/Red Hat

Then we can enable the IPTables service to start on boot with:

sudo systemctl enable iptables

And start the service now with:

sudo systemctl start iptables
Step 2) Flush Existing Rules

Before adding our own rules, we'll flush any existing rules that may be present with:

sudo iptables -F

This will flush all rules from all chains to ensure we have a clean slate.

Step 3) Allow localhost Traffic

Next, we'll add rules to allow traffic to and from localhost (our VPS itself). This is needed for applications to communicate internally. We'll add these rules:

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT

This will accept all input and output traffic on the lo interface (localhost).

Step 4) Block INVALID Packets

We'll add rules to drop any INVALID packets that may be used in DoS attacks or fingerprinting. These packets are very unlikely to be legitimate.

sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
sudo iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
sudo iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
Step 5) Allow Established Connections

Now we'll allow incoming connections that are in response to existing outbound connections from our VPS.

This is needed for things like allowing HTTP responses for outgoing HTTP requests.

sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Step 6) Drop All Other Inbound Traffic by Default

Now by default, we'll drop all other inbound traffic not covered by our rules so far:

sudo iptables -P INPUT DROP

This will deny all other input traffic until we specifically allow it.

Step 7) Allow Specific Inbound Ports

Next, we'll allow incoming connections to specific ports that we want to expose to the internet.

For example, if we want to allow inbound HTTP, HTTPs and SSH, we'll add:

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

You'll want to replace these with the ports that your applications require.

Step 8) Log Dropped Packets

It's a good idea to log any packets that get dropped by our rules. We can do this with:

sudo iptables -A INPUT -j LOG --log-prefix "INPUT dropped: " --log-level info
sudo iptables -A FORWARD -j LOG --log-prefix "FORWARD dropped: " --log-level info
sudo iptables -A OUTPUT -j LOG --log-prefix "OUTPUT dropped: " --log-level info

This will log information about dropped packets to /var/log/syslog or /var/log/messages.

Step 9) Allow All Outbound Traffic by Default

We want to allow all outbound traffic by default, so we specify the default policy for the OUTPUT chain:

sudo iptables -P OUTPUT ACCEPT
Step 10) Control traffic by IP address

Use the following command to accept traffic from a specific IP address.

# sudo iptables -A INPUT -s your_IP_address_to_authorise -j ACCEPT
$ sudo iptables -A INPUT -s -j ACCEPT

Replace the IP address in the command with the IP address you want to authorise. You can also block traffic from an IP address:

# sudo iptables -A INPUT -s your_IP_address_to_block -j DROP
sudo iptables -A INPUT -s -j DROP

Replace the IP address in the command with the IP address you want to block. You can reject traffic from an IP address range with the following command:

# sudo iptables -A INPUT -m iprange --src-range your_start_IP_address-your_end_IP_address -j REJECT
sudo iptables -A INPUT -m iprange --src-range -j REJECT
sudo iptables -A INPUT -m iprange --dest-range -j DROP

The iptables options we used in the examples work as follows:
-m: Matches the specified option.
-iprange: Instructs the system to wait for a range of IP addresses instead of one.
--src-range: Identifies the source IP address range.
--dest-range: Identifies the destination IP address range.

Step 11) Delete a rule

A more precise method is to delete the line number of a rule. First, list all rules by entering the following:

sudo iptables -L --line-numbers
iptables with line-numbers

Locate the line for the firewall rule you want to remove and run this command:

sudo iptables -D INPUT Number

Replace Number with the rule line number you want to delete.

Step 12) List the IPTables Rules

You can now test your firewall rules by using the iptables command to list the rules. To do this, run the following command:

sudo iptables -L

This will list all of the firewall rules that are currently in effect.

Step 13) Save the IPTables Rules

When the system is restarted, iptables does not keep the rules you created. Whenever you configure iptables on Linux, any changes you make apply only until the next reboot. So we save our IPTables rules so they persist across reboots. We can save the rules to directory /etc/iptables/ with:

# Ubuntu
sudo iptables-save > /etc/iptables/rules.v4
sudo ip6tables-save > /etc/iptables/rules.v6

# CentOS
sudo iptables-save > /etc/sysconfig/iptables
sudo ip6tables-save > /etc/sysconfig/ip6tables

Then we can load these rules on boot with:

# Ubuntu
sudo sh -c "iptables-restore < /etc/iptables/rules.v4"
sudo sh -c "ip6tables-restore < /etc/iptables/rules.v6"

Another method, to save rules to Ubuntu-based systems, type:

sudo -s iptables-save -c

The next time your system boots, iptables will automatically reload the firewall rules.


You should now have a functioning Linux VPS firewall with IPTables that allows necessary traffic while blocking unwanted connections. Be sure to update your rules as your system and network requirements change. Hope this step-by-step guide helps you configure and secure your Linux VPS with IPTables! Let me know if you have any other questions.