Learning iptables can be a daunting task for many of us; it usually takes time and dedication to master it. However, a set of basic rules can get this powerful firewall up and running to protect your Linux VPS server in no time.

iptables is a powerful and effective tool for protecting your Linux server. Every Linux VPS user should have a set of basic iptables rules in place to stop internet criminals from compromising the system.

We will show you a set of basic rules that you can add to your tables to harden your overall system security.

The following rules should be entered from a shell with root access:


iptables -A INPUT -p tcp --syn -j DROP


With this rule in place you drop every new incoming TCP connection attempt (SYN packet) to your server. If you need to serve specific services from your Linux system, you will have to add rules for those services. Be careful to put the rules for allowed services before any DROP rule that might match an incoming packet; otherwise the packet is dropped before the ACCEPT rule is ever reached.


iptables -A INPUT -p tcp --syn -s <source-ip> --destination-port 22 -j ACCEPT


This rule allows traffic to the SSH service, provided it listens on the default port 22. Additionally, this rule requires the connecting host or client requesting the SSH service to be on the IP address given as <source-ip>; no other source IP address will be allowed to connect. If you need to allow access from any other hosts, you can omit the '-s' portion of the rule. You can use this rule for any other port related to a specific service, whether OpenVPN, PPTP, FTP, POP, IMAP, HTTPS, etc.


iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


Packets belonging to connections that have already been initiated and accepted are not checked against the remaining rules. Here we use the --state match, which matches any ESTABLISHED connection already made and/or any RELATED packets that belong to a previously ESTABLISHED connection.


iptables -A INPUT -p tcp --syn --dport 25 -j ACCEPT


This is the first part of the protection against a DoS attack. In this case we have chosen to protect port 25, but it can be any other port. Along with this rule you can add 'iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT' to protect against a SYN flood, and put 'iptables -A INPUT -p tcp --syn -j DROP' after it to drop every other SYN flood packet.


iptables -A INPUT -s <ip-or-network> -j ACCEPT


If you need to whitelist a specific IP address or network, you should use this rule. In this case, iptables will accept all traffic from the address or network given as <ip-or-network>. You can use CIDR notation to specify complete subnets.


iptables -A INPUT -p tcp -m tcp -s <offending-ip> -j DROP


This rule blocks all TCP traffic from the address given as <offending-ip>; replace it with the actual offending IP address. If you know you have an attack of any kind from a specific IP address, this is the rule to use.


iptables -N PORT_SCANNING


Here we are adding a new chain, and we will append a set of rules to it to protect against port scanning traffic.


iptables -A PORT_SCANNING -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN


This rule has been appended to the newly created PORT_SCANNING chain to limit the rate of packets allowed through for the SYN, ACK, FIN and RST TCP flags.


iptables -A PORT_SCANNING -j DROP


This is another rule appended to the new PORT_SCANNING chain; it drops every matching packet that was not let through by the rate limit above.
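As an added example that is not part of the original article, here is a POSIX shell script that assembles the rules above into a single iptables-restore ruleset in the order the article's own caveat requires (ACCEPT rules before the catch-all SYN DROP), hooks the PORT_SCANNING chain into INPUT, folds the SYN rate limit into the SMTP rule, and checks the ordering before anything is loaded. The three addresses are constructed placeholders, not values from the article.

```shell
#!/bin/sh
# Added example: build the article's rules as one iptables-restore ruleset.
# All three addresses below are constructed placeholders; override via environment.
TRUSTED_SSH_IP="${TRUSTED_SSH_IP:-203.0.113.10}"    # placeholder: your admin host
WHITELIST_NET="${WHITELIST_NET:-198.51.100.0/24}"  # placeholder: trusted subnet (CIDR)
BLOCKED_IP="${BLOCKED_IP:-192.0.2.77}"              # placeholder: known offending host

# Print the ruleset to stdout; nothing is applied until it is fed to iptables-restore.
build_ruleset() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PORT_SCANNING - [0:0]
# 1. Hard block for a known offender comes first so no later rule lets it in.
-A INPUT -p tcp -m tcp -s $BLOCKED_IP -j DROP
# 2. Packets of connections the server already accepted need no further checks.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 3. Whitelisted network (CIDR) gets everything.
-A INPUT -s $WHITELIST_NET -j ACCEPT
# 4. Port-scan chain: bare RST packets are rate limited, the excess is dropped.
-A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j PORT_SCANNING
-A PORT_SCANNING -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
-A PORT_SCANNING -j DROP
# 5. Service rules: SSH only from the admin host, SMTP with a SYN rate limit.
-A INPUT -p tcp --syn -s $TRUSTED_SSH_IP --dport 22 -j ACCEPT
-A INPUT -p tcp --syn --dport 25 -m limit --limit 1/s --limit-burst 4 -j ACCEPT
# 6. Catch-all: every other new TCP connection attempt is dropped. Must stay last.
-A INPUT -p tcp --syn -j DROP
COMMIT
EOF
}

# Sanity check before loading: every ACCEPT on INPUT must precede the final DROP.
# Returns 0 when the order is safe, 1 otherwise.
check_order() {
  drop_line=$(build_ruleset | grep -n -e '^-A INPUT -p tcp --syn -j DROP$' | cut -d: -f1)
  last_accept=$(build_ruleset | grep -n -e '^-A INPUT .* -j ACCEPT$' | cut -d: -f1 | tail -n1)
  [ -n "$drop_line" ] && [ -n "$last_accept" ] && [ "$last_accept" -lt "$drop_line" ]
}

# Usage as root: check_order && build_ruleset | iptables-restore ; then save as shown below.
if [ "${1:-}" = "--print" ]; then build_ruleset; fi
```

Run it with --print to review the generated ruleset before loading it with iptables-restore.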

Remember to save your rules:


sudo service iptables save


To apply the new rules you should restart the iptables service:


sudo service iptables restart


Thank you!

