Iptables
iptables is the standard Linux firewall software. The syntax is a little difficult, but luckily most of it can be reproduced very easily, since the rule for each port looks almost the same.
iptables support must be built into the kernel, which means you must have included all the necessary features under networking support.
Confirm iptables is working correctly
# iptables -V
iptables v1.4.9.1
If you receive an error, it means something was left out of the kernel. Rebuild the kernel with all the networking support added and try again.
Checking iptables rules
# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Adding iptables-rules
By default, the policy is to ACCEPT all input, output and forward packets; this is the fully unsecured state.
The proper way to secure a server is to lock out ALL inbound traffic and then add only what you need.
Note: if you are completing this step via PuTTY (or any other remote SSH session), it is essential that you ACCEPT SSH before you change the default policy to DROP, otherwise your own session will be cut off.
| command | inbound | outbound | port | action | behavior |
|---|---|---|---|---|---|
| iptables -P INPUT DROP | matched | unaffected | * | DROP | All unmatched packets are dropped (policy change) |
| iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT | matched | unaffected | 22 (SSH) | ACCEPT | Allow SSH inbound |
| iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT | matched | unaffected | 80 (HTTP) | ACCEPT | Allow HTTP inbound |
| iptables -A INPUT -p tcp -m tcp --dport 25565 -j ACCEPT | matched | unaffected | 25565 | ACCEPT | Allow MC clients inbound |
Saving iptables-rules
Once you have a working set of rules you are happy with, save them so that they persist across reboots.
iptables-save > /etc/iptables-rules
Applying saved rules
iptables-restore < /etc/iptables-rules
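As an added example (not from the original page), the script below writes the rules from the table above in the file format that iptables-save produces and iptables-restore reads, so the policy change and the ACCEPT rules are loaded in one atomic step instead of one command at a time. The loopback and ESTABLISHED,RELATED rules and the port list are assumptions; /etc/iptables-rules is the path used on this page.

```shell
#!/bin/sh
# Added example, not the page's own script. Emits an iptables-restore
# file for the rules in the table above. Loading it with iptables-restore
# applies the INPUT DROP policy and the ACCEPT rules together, so there
# is no moment where SSH is blocked and the remote session dies.

# build_rules PORT... -> prints an iptables-restore file to stdout
build_rules() {
    printf '%s\n' '*filter'
    # Chain policies (assumed: same as the page's table)
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Assumed extra rules: keep loopback and reply traffic working
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # One ACCEPT rule per listed TCP port, same form as the table
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# count_port_rules RULES_TEXT -> number of per-port ACCEPT rules
count_port_rules() {
    printf '%s\n' "$1" | grep -c -e '--dport'
}

# apply_rules FILE: load atomically, then persist as the page's
# "Saving" step does. Needs root and a kernel with netfilter support.
apply_rules() {
    iptables-restore < "$1" && iptables-save > /etc/iptables-rules
}

# Usage as root (assumed ports: SSH, HTTP, Minecraft):
#   build_rules 22 80 25565 > /tmp/rules.v4 && apply_rules /tmp/rules.v4
```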