Skip to main content

Configuring the firewall on Linux with iptables

Stephanie R.
Updated

Find out how to secure a server with iptables.

Your server is equipped with a firewall. Firewalls create a barrier between a trusted network and an untrusted network. Firewalls work by defining rules that govern both authorized and blocked traffic. The firewall utility developed for Linux systems is iptables.

NOTE: OVHcloud provides services for which you are responsible for their configuration and management. You are therefore responsible for their proper functioning.

This tutorial is designed to help you as much as possible with common tasks. If you are having difficulty performing these actions, please contact a specialized service provider. OVHcloud can't provide you with technical support in this regard.

 

Requirements

  • A dedicated server or VPS in your OVHcloud account
  • Administrative access (root/sudo) to your server via SSH

 

Instructions

This guide lists the commands for an Ubuntu Server distribution.

This guide is for general use. You may need to adapt some commands depending on the distribution and/or operating system you are using. Some tips may suggest using third-party tools. If you have any questions about their use, please refer to their official documentation.

Most of the rules outlined in this guide assume that your iptables is configured by default to DROP incoming traffic, and that you selectively authorize incoming traffic. If you intend to set up a different type of configuration, we recommend that you consult the additional documentation.

Step 1: Update your system

Distribution and operating system developers frequently release software updates, often for security reasons. Keeping your distribution or operating system up-to-date is essential for securing your server.

See our guides for more information.

 

Step 2: Install the iptables firewall in Ubuntu

There are two different versions of iptables, for IPv4 and IPv6. The rules we cover in this Linux iptables tutorial concern IPv4. To configure iptables for IPv6, you must use the iptables utility. These two different protocols do not work together and must be configured independently.

iptables is installed by default on most Linux systems. To confirm that iptables is installed, use the following command:

sudo apt-get install iptables

To make sure that your iptables rules are persistent after reboot, you must install the iptables persistent package using the following command:

sudo apt-get install iptables-persistent

Once this is installed, the iptables folder will contain two files for IPV4 and IPV6 rules:

  • /etc/iptables/rules.v4
  • /etc/iptables/rules.v6

The example output in Ubuntu confirms that the latest version of iptables is already present:

cli_install-iptables-output.png

Typically, an iptables command is as follows:

sudo iptables [option] CHAIN_rule [-j target]

Here is a list of some common iptables options:

  • -A --append: Adds a rule to a string (at the end).
  • -C --check: Finds a rule that matches the requirements of the string.
  • -D --delete: Removes the specified rules from a string.
  • -F --flush: Deletes all rules.
  • -I --insert: Adds a rule to a string at a given position.
  • -L --list: Displays all rules in a string.
  • -N -new chain: Creates a new string.
  • -v --verbose: Displays more information when using a list option.
  • -X --delete-chain: Deletes the supplied string.

 

Step 3: Check the current status of iptables

To display all of the current rules on your server, enter the following command in the terminal window:

sudo iptables -L

The system displays the status of your channels.

The output will list three strings:

cli_iptables-status.png

 

Step 4: Allow traffic on localhost

To allow traffic from your own system (the localhost), add the input string by entering the following:

sudo iptables -A INPUT -i lo -j ACCEPT

This command configures the firewall to accept traffic for the localhost (lo) interface (-i). From now on, everything that comes from your system will pass through your firewall. You must set this rule to allow applications to communicate with the localhost interface.

 

Step 5: Allow traffic on specific ports

These rules allow traffic on the different ports that you specify using the commands listed below. A port is a communication endpoint specified for a specific type of data.

To allow HTTP Web traffic, enter the following command:

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

To allow only inbound SSH (Secure Shell) traffic, enter the following (note that we use the default SSH port number 22. If your port number is different, make sure to adjust the commands accordingly):

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

To allow HTTPS Internet traffic, enter the following command:

sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

The options work this way:

  • -p: Checks the specified protocol (tcp).
  • --dport: Specifies the destination port.
  • -j jump: Performs the action.

NOTE: If you lose access to your server, you can always use the KVM/IPMI tool to access it again and modify your configuration, or delete your rules.

For more information on accessing this tool, please refer to the appropriate guide:

 

Step 6: Control traffic by IP address

Use the following command to accept traffic from a specific IP address.

sudo iptables -A INPUT -s your_IP_address_to_authorize -j ACCEPT

Replace the IP address in the command with the IP address you want to authorize.

You can also block traffic from an IP address:

sudo iptables -A INPUT -s your_IP_address_to_block -j DROP

Replace the IP address in the command with the IP address you want to block.

You can reject traffic from an IP address range with the following command:

sudo iptables -A INPUT -m iprange --src-range your_start_IP_address-your_end_IP_address -j REJECT

The iptables options we used in the examples work as follows:

  • -m: Matches the specified option.
  • -iprange: Instructs the system to wait for a range of IP addresses instead of one.
  • --src-range: Identifies the IP address range.

 

Step 7: Delete unwanted traffic

If you are defining iptables firewall rules, you must prevent unauthorised access by removing all traffic from other ports:

sudo iptables -A INPUT -j DROP

The -A option adds a new rule to the string. If a connection goes through ports other than those you have defined, it will be discontinued.

If you type this command before performing step 5, you will block all access, including the current one, SSH access. This is particularly problematic on a machine you access remotely.

 

Step 8: Delete a rule

A more precise method is to delete the line number of a rule.

sudo iptables -P INPUT DROP

First, list all rules by entering the following:

sudo iptables -L --line-numbers

cli_iptables-listRules.png

Locate the line for the firewall rule you want to remove and run this command:

sudo iptables -D INPUT <Number>

Replace Number with the rule line number you want to delete.

 

Step 9: Save your changes

When the system is restarted, iptables does not keep the rules you created. Whenever you configure iptables on Linux, any changes you make apply only until the next reboot.

To save rules to Ubuntu-based systems, first, you must log in as the root user using the sudo su command:

ubuntu@server:~$ sudo su
root@server:/home/ubuntu#

Next, run the following command:

iptables-save > /etc/iptables/rules.v4

This will save the rules directly to the IPV4 folder.

To save rules to Ubuntu-based systems, type:

sudo -s iptables-save -c

The next time your system boots, iptables will automatically reload the firewall rules.

You can now configure basic iptables firewall rules for your Linux server. Feel free to experiment because you can always delete the rules you don't need, or empty all the rules and start over.

 

Go further

For more information and tutorials, please see our other Dedicated Server or Virtual Private Server guides, or explore the guides for other OVHcloud products and services.

Related articles