Manual iptables

iptables is the standard firewall on Linux and is included by default in most distributions (CentOS, Ubuntu, ...). It works by classifying incoming and outgoing packets and accepting or dropping them according to rules you define in advance.

In this article, I will walk through simple, easy iptables usage so that you can set up your own VPS firewall by hand.

1. Install iptables

iptables is usually installed by default. You can check whether it is installed on your system with:

On CentOS:

# rpm -q iptables
iptables-1.4.7-16.el6.x86_64
# iptables --version
iptables v1.4.7

On Ubuntu:

# iptables --version
iptables v1.6.0

If iptables is not installed, run the following command to install it:

  • CentOS: # yum install iptables
  • Ubuntu: # apt-get install iptables

Note: on Ubuntu, disable ufw before installing ( # ufw disable ). ufw is installed by default on Ubuntu VPSes and would otherwise conflict with iptables.

Before using iptables, check the status of the service. On CentOS the service is checked, started, stopped and restarted as follows:

# service iptables status
# service iptables start
# service iptables stop
# service iptables restart

To start iptables automatically every time the system boots:

# chkconfig iptables on

On Ubuntu, iptables is not managed as a service, so you cannot start, stop or restart it with the commands above. A simple way to disable it is to flush (delete) all the rules that have been set:

# iptables -F

2. Principles of applying iptables rules

To start, you need to decide which services to open or close and which ports they use.

For example, for a typical website and mail server:

  • To access the VPS via SSH, you need to open the SSH port (port 22).
  • To serve the website, you need to open port 80 and possibly 443 (SSL).
  • To send mail, you need to open the SMTP port (port 25) or Secure SMTP (port 465).
  • For users to receive email, you should open the POP3 port (port 110) or Secure POP3 (port 995). In addition, you may open the IMAP ports (143 and 993).

Having identified the ports that need to be open, you set the corresponding firewall rules to allow them.

You can delete all the existing firewall rules to start from scratch: # iptables -F

I will walk you through reading and understanding iptables rules. List the current rules:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:urd
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Column 1: TARGET, the action each rule applies to a matching packet

  • ACCEPT: the packet is passed on to the application or OS that handles it
  • DROP: the packet is blocked and discarded silently
  • REJECT: the packet is blocked and discarded, and an error message is sent back to the sender

Column 2: PROT (protocol) defines the protocol the rule applies to: all, tcp or udp. SSH, FTP, SFTP and similar applications all use TCP.

Columns 4 and 5: SOURCE and DESTINATION, the addresses of the client and server to which the rule applies.

3. Some examples of opening ports with iptables

The general form of an iptables command that opens port xxx is:

# iptables -A INPUT -p tcp -m tcp --dport xxx -j ACCEPT

3.1. Open SSH port

To access the VPS via SSH, you need to open SSH port 22. The following rule allows SSH connections from any device, anyone, anywhere:

# iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

By default iptables shows the service name ssh for port 22; if you have moved SSH to another port, iptables will display the port number instead:

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

You can also allow SSH connections to the VPS only from certain IP addresses (your own address is easy to find on a "what is my IP" website or with the # w command on the server):

# iptables -A INPUT -p tcp -m tcp -s xxx.xxx.xxx.xxx --dport 22 -j ACCEPT

iptables will then add the rule:

ACCEPT     tcp  --  xxx.xxx.xxx.xxx      anywhere            tcp dpt:ssh

3.2. Open web server ports

To allow access to the web server via the default ports 80 and 443:

# iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

By default iptables will show these as http and https:

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https

3.3. Open mail ports

– To allow users to reach the SMTP server via the default ports 25 and 465:

# iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT

By default iptables will show these as smtp and urd (the service name for port 465 in /etc/services):

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:urd

– For users to read email from the server, you need to open the POP3 ports (default ports 110 and 995):

# iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT

By default iptables will show these as pop3 and pop3s:

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3s

In addition, you also need to enable the IMAP mail protocol (default ports 143 and 993):

# iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

By default iptables will show these as imap and imaps:

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps

3.4. Block access from an IP address

# iptables -A INPUT -s IP_ADDRESS -j DROP

– Block one IP address from accessing a specific port:

# iptables -A INPUT -p tcp -s IP_ADDRESS --dport PORT -j DROP

Once everything is in place, that is, the necessary ports are open or restricted, you block all remaining incoming connections and allow all outgoing connections from the VPS:

# iptables -P OUTPUT ACCEPT
# iptables -P INPUT DROP

Once setup is complete, you can check the rules with:

# service iptables status

or

# iptables -L -n

-n makes iptables print numeric IP addresses instead of resolving them to hostnames. For example, if you block connections from hocvps.com, then with -n iptables will display the address xxx.xxx.xxx.xxx rather than the name.

Finally, you need to save the iptables firewall settings; otherwise they will disappear when you reboot the system. On CentOS the configuration is saved in /etc/sysconfig/iptables.

# iptables-save | sudo tee /etc/sysconfig/iptables

or

# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
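As an added example (not code from the original article), here is the whole ruleset of sections 2 and 3 as one script that writes an iptables-restore file instead of issuing the commands one by one. Loading the table in a single step keeps the order safe: the RELATED,ESTABLISHED and SSH rules exist before the INPUT policy becomes DROP, so a remote session is not cut off halfway through. ADMIN_IP (a documentation address) and the loopback rule are assumptions; the save path is the CentOS one from the article.

```shell
#!/bin/sh
# Added example, not from the original article: the sections 2-3 ruleset as an
# iptables-restore file. Loading it in one step keeps the order safe: the
# RELATED,ESTABLISHED and SSH rules exist before the INPUT policy is DROP.
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"               # assumed placeholder (RFC 5737)
SAVE_FILE="${SAVE_FILE:-/etc/sysconfig/iptables}"  # CentOS path from the article

# tcp_accept PORT [SOURCE]: one "-A INPUT" line for a TCP service port,
# optionally limited to a single source address (as in section 3.1).
tcp_accept() {
    if [ -n "$2" ]; then
        printf '%s\n' "-A INPUT -p tcp -m tcp -s $2 --dport $1 -j ACCEPT"
    else
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $1 -j ACCEPT"
    fi
}

# build_rules: print the filter table in the format iptables-save writes.
build_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'      # same as "iptables -P INPUT DROP"
    printf '%s\n' ':FORWARD DROP [0:0]'    # the VPS does not forward traffic
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'   # same as "iptables -P OUTPUT ACCEPT"
    # Replies to our own connections, loopback and ping, matching the first
    # three rules of the CentOS listing in section 2 (lo is an assumption)
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    tcp_accept 22 "$ADMIN_IP"                                  # SSH, admin IP only
    for p in 80 443; do tcp_accept "$p"; done                  # web server
    for p in 25 465 110 995 143 993; do tcp_accept "$p"; done  # SMTP, POP3, IMAP
    printf '%s\n' 'COMMIT'
}

# input_rule_count: number of "-A INPUT" rules, a quick sanity check.
input_rule_count() { build_rules | grep -c '^-A INPUT'; }

# apply_rules: load the table atomically, then persist it (needs root).
apply_rules() {
    build_rules | iptables-restore && build_rules > "$SAVE_FILE"
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run `sh firewall.sh` alone to define the functions and `build_rules` to review the generated file; `sh firewall.sh apply` as root loads and saves it.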

In short, this article walks you through the most basic use of the iptables firewall on a Linux VPS, enough for a typical website or mail server. There is still much more you can do with iptables, but hopefully this tutorial gives your VPS a basic level of security.
