NOTE: IT'S A DANGER ZONE. This is expert-level settings setup. You must know what you're doing and do not blindly copy-paste commands and rules described below, otherwise, you may end up with the unaccessible server.
This tutorial will set iptables rules to accept traffic only on http (80)
, https (443)
and ssh (22)
ports, which is the fine setup for most basic applications. Using suggested rules you're free to add more udp/tcp ports on demand.
See also the great article on iptables rules by Digital Ocean and VPS Cheap
Start with creating the blank iptables file:
iptables-save > /etc/firewall.conf
Now edit exported rules:
# nano /etc/firewall.conf
# You should end up with something like:
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Allow everything on localhost (loopback)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Allow all outgoing connections
-A OUTPUT -j ACCEPT
# Allow all active incoming connection to continue
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow all active outgoing connection to continue
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Drop all INVALID incoming connections
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Main incoming connection rules
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Drop all other incoming connections
-A INPUT -j DROP
# Reject any forwarding
-A FORWARD -j REJECT
COMMIT
To test rules run:
iptables-restore < /etc/firewall.conf
To make created rules persistent, create file /etc/network/if-up.d/firewall
#!/bin/sh
iptables-restore < /etc/firewall.conf
Make it executable:
chmod +x /etc/network/if-up.d/firewall