How to protect your Linux server using iptables

In this post I will describe how to configure the basic Linux firewall, iptables. Using iptables you can easily protect your server from intruders. Nowadays many people host virtual machines on Linux (for example for hosting purposes). Of course you can configure an external firewall, but you can also use the internal firewall (the Linux equivalent of the Windows firewall).

Step 1, check if your iptables is installed using the following command:

# yum info iptables

You should see all kinds of information; make sure you see INSTALLED next to the REPO entry.

Not installed? Use the following command to install iptables:

# yum install iptables

(We are not using IPv6, so these rules cover IPv4 only.)

Step 2 Flush all existing rules using the following command:

# iptables -F

Now all the existing firewall rules are cleared and everything is clean.

Step 3 Block null packets

We can then add a few simple firewall rules to block the most common attacks, to protect our VPS from script-kiddies. We can’t really count on iptables alone to protect us from a full-scale DDOS or similar, but we can at least put off the usual network scanning bots that will eventually find our VPS and start looking for security holes to exploit. First, we start with blocking null packets.

# iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

Step 4 Block syn-flood packets

We told the firewall to take all incoming TCP packets with flags NONE and just DROP them. Null packets are, simply put, recon packets: the attack patterns use them to probe how we configured the VPS and find weaknesses. The next pattern to reject is a syn-flood attack.

# iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Step 5 Block XMAS packets

A syn-flood attack means that the attackers open a new connection but do not state what they want (i.e. SYN, ACK, whatever). They just want to take up our server's resources. We won't accept such packets. Now we move on to one more common pattern: XMAS packets, also a recon packet.

# iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

We have now ruled out at least some of the usual patterns used to find vulnerabilities in our Linux environment.
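To make the three flag rules from steps 3 to 5 concrete, here is an added example (not code from the original post) that models how the `--tcp-flags` match decides: iptables ANDs the packet's flag byte with the first (mask) list and compares the result with the second (compare) list. It walks the three DROP rules in the order the post appends them and reports which one would drop a constructed sample packet. The `state` argument is a stand-in for the conntrack state that `-m state` would see, and the sample packets are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: a model of how the --tcp-flags
# match used in steps 3-5 decides. iptables ANDs the packet's flag byte with
# the first (mask) list and compares the result with the second (compare)
# list; the rule matches when they are equal. Bit values are the TCP header
# flag bits; iptables' ALL means SYN,ACK,FIN,RST,URG,PSH and NONE means none.

FIN=1; SYN=2; RST=4; PSH=8; ACK=16; URG=32
ALL=$((FIN | SYN | RST | PSH | ACK | URG))   # 63
NONE=0

# Usage: tcp_flags_match MASK COMPARE FLAGS
# Exit status 0 when a rule "--tcp-flags MASK COMPARE" matches a packet
# whose flag byte is FLAGS.
tcp_flags_match() {
    [ $(( $3 & $1 )) -eq "$2" ]
}

# --syn is shorthand for "--tcp-flags SYN,RST,ACK,FIN SYN", so the
# syn-flood rule "! --syn" matches any packet that is not a plain SYN.
is_plain_syn() {
    tcp_flags_match $((SYN | RST | ACK | FIN)) "$SYN" "$1"
}

# Walk the three DROP rules in the order the post appends them (null,
# syn-flood, XMAS) and print which one would drop the packet, or "pass".
# STATE stands in for the conntrack state that "-m state" would see; the
# syn-flood rule only applies to NEW packets.
# Usage: classify FLAGS STATE
classify() {
    flags=$1
    state=${2:-NEW}
    if tcp_flags_match "$ALL" "$NONE" "$flags"; then
        echo "null-drop"
    elif [ "$state" = NEW ] && ! is_plain_syn "$flags"; then
        echo "synflood-drop"
    elif tcp_flags_match "$ALL" "$ALL" "$flags"; then
        echo "xmas-drop"
    else
        echo "pass"
    fi
}

# Constructed sample packets: flag byte and the state conntrack assigned.
for sample in "0 NEW" "$SYN NEW" "$ACK NEW" "$ALL NEW" "$ALL INVALID" "$((SYN | ACK)) ESTABLISHED"; do
    set -- $sample
    printf 'flags=%-2s state=%-11s -> %s\n' "$1" "$2" "$(classify "$1" "$2")"
done
```

Running it shows one detail the prose glosses over: an XMAS packet that conntrack classifies as NEW is already dropped by the syn-flood rule, because a packet with every flag set is not a plain SYN. The XMAS rule only gets to act on packets that skip the `--state NEW` match (for example ones conntrack marks INVALID), so the order in which the rules are appended matters.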

Step 6 Add the localhost interface to the firewall filter

Now we can start adding selected services to our firewall filter. The first such thing is a localhost interface:

# iptables -A INPUT -i lo -j ACCEPT

We tell iptables to append (-A) a rule to the INPUT chain of the filter table that takes any traffic arriving on the localhost interface (-i lo) and accepts it (-j ACCEPT). Localhost is often used for, e.g., your website or email server communicating with a locally installed database. That way our VPS can use the database, but the database is closed to exploits from the internet.

Step 7 Now we can allow web server traffic:

# iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

# iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

In this example we are only allowing port 80 (HTTP) and 443 (HTTPS) through the firewall. Add your (custom) ports as needed.

Step 8 Saving the configuration

Now that we have all the configuration in, we can list the rules to see if anything is missing.

# iptables -L -n

Now we can finally save our firewall configuration:

# iptables-save | sudo tee /etc/sysconfig/iptables

The iptables configuration file on CentOS is located at /etc/sysconfig/iptables.

You can now use a port scanner to test your firewall.
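Steps 2 to 8 are one procedure, so here they are collected into a single reviewable script. This is an added example, not the post's own code: the rules are produced by a function so they can be listed before anything touches the kernel, and nothing is applied unless the script is run as root with `--apply`. It goes beyond the post in three labelled places: it accepts ESTABLISHED,RELATED replies, it keeps an assumed SSH port (22) open, and it finishes with a default DROP policy on INPUT. The post never sets a policy, and iptables' default INPUT policy is ACCEPT, so with the post's rules alone only the three explicit DROP rules block anything; once the policy is DROP, the SSH and ESTABLISHED rules are what keep you from locking yourself out. The save path is the CentOS location the post names.

```shell
#!/bin/sh
# Added example (not from the original post): the rule set from steps 2-8
# as one script. Rules are generated by a function so they can be listed
# (dry run) before anything is applied; nothing touches the kernel unless
# the script runs as root with the --apply argument.
#
# Additions beyond the post (assumptions, see comments in the rule list):
# ESTABLISHED,RELATED accept, an SSH accept on port 22, and a final
# "-P INPUT DROP" so that traffic no rule accepts is dropped.

IPT="${IPT:-iptables}"                               # binary to call
SSH_PORT="${SSH_PORT:-22}"                           # assumed admin port
SAVE_FILE="${SAVE_FILE:-/etc/sysconfig/iptables}"    # CentOS path from step 8

# One rule per line, in the order the post appends them; each line is the
# argument list that follows "iptables ". ACCEPT rules come before the
# policy change so the chain is never in a lock-out state while applying.
firewall_rules() {
    cat <<EOF
-F
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport $SSH_PORT -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-P INPUT DROP
EOF
}
# The ESTABLISHED,RELATED, SSH and "-P INPUT DROP" lines above are the
# added assumptions; the rest are the post's commands verbatim.

# Number of iptables invocations the script would make.
rule_count() {
    firewall_rules | wc -l | tr -d ' '
}

# Exit 0 when a rule containing the given fragment is present.
# Usage: has_rule '--dport 443 -j ACCEPT'
has_rule() {
    firewall_rules | grep -qF -- "$1"
}

# Print the commands without running them.
dry_run() {
    firewall_rules | while IFS= read -r rule; do
        printf '%s %s\n' "$IPT" "$rule"
    done
}

# Apply the rules, list them as in step 8, then persist them.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    firewall_rules | while IFS= read -r rule; do
        # word splitting of $rule into separate arguments is intended
        "$IPT" $rule || { echo "failed: $IPT $rule" >&2; exit 1; }
    done || return 1
    "$IPT" -L -n
    "${IPT}-save" > "$SAVE_FILE"
}

case "${1:-}" in
    --apply) apply_rules ;;
    --count) rule_count ;;
    *)       dry_run ;;
esac
```

Run it with no arguments to review the exact `iptables` commands it would issue, and only then as root with `--apply`. Keep an out-of-band console available the first time, since a wrong SSH_PORT combined with the DROP policy would cut off remote access.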

1 Comment

  1. Author

    Use the following command to block OUTGOING traffic from your host: iptables -A OUTPUT -p tcp --dport 25 -j DROP

    Don’t forget to save afterwards!
