Securing your Linux VPS with a firewall is an important step to protect it from unauthorized access and attacks. IPTables is the built-in Linux firewall solution that allows you to filter incoming and outgoing traffic. This article will walk you through step-by-step how to configure an IPTables firewall on your Linux VPS.
In this article, we will show you how to configure a Linux VPS firewall using IPTables. IPTables is a powerful firewall utility that is included with most Linux distributions. It can be used to create a variety of firewall rules, including rules that allow or deny traffic based on source and destination IP addresses, port numbers, and protocols.
Before configuring IPTables rules, it's important to understand some basics about how it works. IPTables manages the tables in the Linux kernel that contain the firewall rules. There are three main tables:
INPUT - Rules that apply to inbound traffic destined for the VPS itself.
OUTPUT - Rules that apply to outbound traffic leaving from the VPS.
FORWARD - Rules that apply to traffic that is routed through the VPS but not destined for it.
Within each table, there are built-in chains that contain the actual rules:
PREROUTING - Rules that apply before the routing process.
INPUT - Rules for inbound traffic.
FORWARD - Rules for forwarded traffic.
OUTPUT - Rules for outbound traffic.
POSTROUTING - Rules that apply after the routing process.
Each rule contains three main parts:
A chain - Which table and chain the rule applies to.
A filter - Whether to ACCEPT, DROP or REJECT the packets.
Match criteria - Which packets the rule applies to based on things like protocols, ports, source/destination IPs, etc.
On most Linux distributions, IPTables comes pre-installed. However, we'll first ensure it's installed and enabled. We can install IPTables using:
sudo apt install iptables # For Debian/Ubuntu sudo yum install iptables # For CentOS/Red Hat
Then we can enable the IPTables service to start on boot with:
sudo systemctl enable iptables
And start the service now with:
sudo systemctl start iptables
Before adding our own rules, we'll flush any existing rules that may be present with:
sudo iptables -F
This will flush all rules from all chains to ensure we have a clean slate.
Next, we'll add rules to allow traffic to and from localhost (our VPS itself). This is needed for applications to communicate internally. We'll add these rules:
sudo iptables -A INPUT -i lo -j ACCEPT sudo iptables -A OUTPUT -o lo -j ACCEPT
This will accept all input and output traffic on the lo interface (localhost).
We'll add rules to drop any INVALID packets that may be used in DoS attacks or fingerprinting. These packets are very unlikely to be legitimate.
sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP sudo iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP sudo iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
Now we'll allow incoming connections that are in response to existing outbound connections from our VPS.
This is needed for things like allowing HTTP responses for outgoing HTTP requests.
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Now by default, we'll drop all other inbound traffic not covered by our rules so far:
sudo iptables -P INPUT DROP
This will deny all other input traffic until we specifically allow it.
Next, we'll allow incoming connections to specific ports that we want to expose to the internet.
For example, if we want to allow inbound HTTP, HTTPs and SSH, we'll add:
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
You'll want to replace these with the ports that your applications require.
It's a good idea to log any packets that get dropped by our rules. We can do this with:
sudo iptables -A INPUT -j LOG --log-prefix "INPUT dropped: " --log-level info sudo iptables -A FORWARD -j LOG --log-prefix "FORWARD dropped: " --log-level info sudo iptables -A OUTPUT -j LOG --log-prefix "OUTPUT dropped: " --log-level info
This will log information about dropped packets to /var/log/syslog or /var/log/messages.
We want to allow all outbound traffic by default, so we specify the default policy for the OUTPUT chain:
sudo iptables -P OUTPUT ACCEPT
Use the following command to accept traffic from a specific IP address.
# sudo iptables -A INPUT -s your_IP_address_to_authorise -j ACCEPT $ sudo iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
Replace the IP address in the command with the IP address you want to authorise. You can also block traffic from an IP address:
# sudo iptables -A INPUT -s your_IP_address_to_block -j DROP sudo iptables -A INPUT -s 192.168.1.0/24 -j DROP
Replace the IP address in the command with the IP address you want to block. You can reject traffic from an IP address range with the following command:
# sudo iptables -A INPUT -m iprange --src-range your_start_IP_address-your_end_IP_address -j REJECT sudo iptables -A INPUT -m iprange --src-range 192.168.122.2-192.168.122.34 -j REJECT sudo iptables -A INPUT -m iprange --dest-range 18.104.22.168-22.214.171.124 -j DROP
The iptables options we used in the examples work as follows:
-m: Matches the specified option.
-iprange: Instructs the system to wait for a range of IP addresses instead of one.
--src-range: Identifies the source IP address range.
--dest-range: Identifies the destination IP address range.
A more precise method is to delete the line number of a rule. First, list all rules by entering the following:
sudo iptables -L --line-numbers
Locate the line for the firewall rule you want to remove and run this command:
sudo iptables -D INPUT Number
Replace Number with the rule line number you want to delete.
You can now test your firewall rules by using the iptables command to list the rules. To do this, run the following command:
sudo iptables -L
This will list all of the firewall rules that are currently in effect.
When the system is restarted, iptables does not keep the rules you created. Whenever you configure iptables on Linux, any changes you make apply only until the next reboot. So we save our IPTables rules so they persist across reboots. We can save the rules to directory /etc/iptables/ with:
# Ubuntu sudo iptables-save > /etc/iptables/rules.v4 sudo ip6tables-save > /etc/iptables/rules.v6 # CentOS sudo iptables-save > /etc/sysconfig/iptables sudo ip6tables-save > /etc/sysconfig/ip6tables
Then we can load these rules on boot with:
# Ubuntu sudo sh -c "iptables-restore < /etc/iptables/rules.v4" sudo sh -c "ip6tables-restore < /etc/iptables/rules.v6"
Another method, to save rules to Ubuntu-based systems, type:
sudo -s iptables-save -c
The next time your system boots, iptables will automatically reload the firewall rules.
You should now have a functioning Linux VPS firewall with IPTables that allows necessary traffic while blocking unwanted connections. Be sure to update your rules as your system and network requirements change. Hope this step-by-step guide helps you configure and secure your Linux VPS with IPTables! Let me know if you have any other questions.