iptables is the standard firewall software. The syntax is a little difficult, but much of it can be reproduced easily, since the rule for each port looks almost the same. iptables is installed by default with the rules shown below, but you must follow these steps to add any other ports manually (at least the add and save steps).
Checking iptables rules
# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
By default, the policy is ACCEPT for all INPUT, OUTPUT and FORWARD packets. This is the fully unsecured state.
The proper way to secure a server is to lock out ALL inbound traffic, then add back only what you need.
Note: if you are completing this step over SSH (for example via PuTTY), it is essential that you ACCEPT SSH before you change the default policy to DROP, or you will lock yourself out of the server.
| Command | Inbound | Outbound | Port | Target | Effect |
|---|---|---|---|---|---|
| iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT | matched | unaffected | 22 (SSH) | ACCEPT | Allow SSH inbound |
| iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT | matched | unaffected | 80 (HTTP) | ACCEPT | Allow HTTP inbound |
| iptables -A INPUT -p tcp -m tcp --dport 25565 -j ACCEPT | matched | unaffected | 25565 | ACCEPT | Allow MC clients inbound |
| iptables -P INPUT DROP | matched | unaffected | * | DROP | All unmatched packets are dropped (policy change) |
| iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | matched | unaffected | * | ACCEPT | Permit packets to the firewall itself that are part of existing or related connections |
Once you have a working set of rules you are happy with, save them so that they persist across reboots:
iptables-save > /etc/iptables-rules
Applying saved rules
To apply the set of rules saved in the step above, execute the following line:
iptables-restore < /etc/iptables-rules
Applying rules on startup
/etc/rc.local is the boot-up script. Any user-specified commands, such as the iptables restore command, may be entered here. iptables itself is already started by default.
- vi /etc/rc.local
- Add the line iptables-restore < /etc/iptables-rules
- Save and quit; reboot
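As an added example (not part of the original page), the script below generates the same rule set in the file format that iptables-save writes and iptables-restore reads, for the ports opened above. Loading the whole file with iptables-restore applies the DROP policy and the SSH ACCEPT rule in one atomic step, so there is no window in which you can lock yourself out. The port list, the output path and the loopback rule are assumptions made here, not taken from the page.

```shell
#!/bin/sh
# Added example: build an iptables-restore file for a locked-down INPUT chain.
# Not the page's own script; ports and file path below are constructed here.

# gen_rules PORT... -> prints an iptables-restore file on stdout
gen_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'      # default policy, applied atomically with the rules
    printf '%s\n' ':FORWARD ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Replies to connections the server opened, and related traffic, are
    # matched first so they never fall through to the DROP policy.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'   # loopback (assumed; not on the page)
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# count_port_rules FILE -> number of per-port ACCEPT rules in a generated file
count_port_rules() {
    grep -c -- '--dport' "$1"
}

# check_rules FILE -> exit status of a parse-only dry run (needs root and
# iptables-restore); returns 2 when iptables-restore is not installed.
check_rules() {
    command -v iptables-restore >/dev/null 2>&1 || return 2
    iptables-restore --test < "$1"
}

# Write the rule set for SSH, HTTP and the Minecraft port (same ports as the page).
rules_file="${TMPDIR:-/tmp}/iptables-rules.example"
gen_rules 22 80 25565 > "$rules_file"
echo "wrote $rules_file ($(count_port_rules "$rules_file") port rules)"
```

Once the dry run passes, copy the file to /etc/iptables-rules and load it with iptables-restore as described above.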