You can use Iptables to secure your Linux server or VPS. With Iptables you can monitor the traffic of your server using tables, which are a set of rules called chains. Iptables is a flexible firewall tool and few tricks and commands could make working with Iptables much easier.
To configure firewall rules for IPv6, you will have to set up the ip6tables service. If you are using CentOS 7, you will need to set up your firewall using firewalld.
Now lets see how to create a simple firewall on a Centos VPS:
Decide the services and ports to open
Once you have choosed the port to be opened, all other unnecessary ports will be blocked.
You are going to leave SSH port open so that you can connect to the VPS remotely:
Let’s say, port 22.
For web traffic open port 80 and 443. To send email, open port 25 (regular SMTP) and 465 (secure SMTP) and to receive open the usual port 110 (POP3) and 995 (secure POP3 port).
Block comman attacks using iptables
You can block common network attacks with the help of iptables; We will discuss few attacks:
-> To block null packets use the below command
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-> To reject is a syn-flood attack you can use
iptables -A INPUT -p tcp ! --syn-m state --state NEW -j DROP
–i : Insert a rule
-A : Append
-j option specifies the target if a rule is matched
-> To block XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
The server allocates a large number of resources for this packet, as it requires more processing than the usual packets.
Add selected services
Open the ports for your selected services and start adding to the firewall filter. Let’s start with localhost interface:
iptables -A INPUT -i lo -j ACCEPT
This command tells iptables to add a rule to the incoming filter table (INPUT) and accept (-j ACCEPT) the traffic that comes via the localhost interface.
Next you can allow web server traffic by adding the two ports to ACCEPT the change.
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Then you can allow users to use your SMTP servers, using:
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
This command will allow users to read email on their server which allow POP3 traffic.
iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
Next you can allow IMAP mail protocol:
iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
Limiting SSH access
To allow SSH traffic, connect to the VPS remotely by the following command:
iptables -A INPUT -p tcp -m tcp--dport 22 -j ACCEPT
Note: You can change the SSH configuration to a different port if needed.
If you hold a permanent IP address, you can allow connection to SSH and the connection is available only to users around your location.
Once after finding your IP address, you can create the firewall rule to allow traffic to the SSH port and then replace YOUR_IP_ADDRESS with the actual IP.
iptables -A INPUT -p tcp -s YOUR_IP_ADDRESS -m tcp --dport 22 -j ACCEPT
You can open more ports on your firewall by changing the port numbers. So that you can access the services you require. In order to use outgoing connections add the below rule
iptables -I INPUT -m state--state ESTABLISHED,RELATED -j ACCEPT
Through this you will receive replies from the VPS on the other side of the connection. Once set up is done you can block everything else, and allow all other outgoing connections.
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
Save the configuration
Now list the rules to see if anything is missing out:
iptables -L –n
-n : indicates only ip addresses, not a domain name.
You can save your firewall configuration by
iptables-save | sudo tee /etc/sysconfig/iptables
To ensure everything works fine, just restart the firewall. The saved rules will run even when the VPS is rebooted.
service iptables restart
Flush to unlock yourself
In case if you block yourselves from accessing the VPS, the Digital Ocean web interface will allow us to connect to the server via console access.
To get back to the VPS again, you can use the following command which will flush the filters, once logged in.
Hope you liked it and if any assistance needed Contact Us.
Subscribe to get free blog content to your Inbox