Learning iptables can be daunting, and mastering it takes time. A small set of basic rules, however, is enough to get this firewall up and running on a Linux VPS and to close off most of what an attacker would probe first.

iptables is a powerful tool for protecting a Linux server. Every Linux VPS should carry at least a baseline ruleset: a default-deny INPUT chain with explicit exceptions for the services you actually run.

We will be showing you a set of basic rules that you can incorporate into your tables and harden your overall system security.

Enter the following rules from a root shell (or prefix each with sudo). Keep in mind that -A appends to the end of the INPUT chain and that the chain is evaluated top to bottom, first match wins, so the order in which you enter the rules is the order in which they are applied:

 

iptables -A INPUT -p tcp --syn -j DROP

 

This drops every new TCP connection attempt (a packet with only the SYN flag set); UDP and ICMP are not affected by it. Any service you want to expose needs its own ACCEPT rule, and that rule must come before this one, because iptables stops at the first rule that matches. Since -A appends at the end of the chain, ACCEPT rules entered after this DROP with -A land behind it and can never match. Either enter this DROP last, or insert the service rules at the top of the chain with -I instead of -A.

 

iptables -A INPUT -p tcp --syn -s 192.168.1.1 --destination-port 22 -j ACCEPT

 

This rule accepts new SSH connections (default port 22) only when the client's source address is 192.168.1.1; the remaining packets of an accepted connection are passed by the ESTABLISHED,RELATED rule below. Any other source is refused. To accept SSH from anywhere, omit the '-s 192.168.1.1' part. The same shape works for any other TCP service by changing the port: PPTP, FTP, POP, IMAP, HTTPS and so on. For a UDP service such as OpenVPN in its default configuration use -p udp and leave out --syn, which only exists for TCP.

 

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

 

Packets that belong to a connection already accepted earlier are passed here without evaluating the rest of the chain. The --state match matches ESTABLISHED, a connection that has seen traffic in both directions, and RELATED, a new connection the kernel associates with an existing one, such as an FTP data channel. Put this rule near the top of the chain: it matches the bulk of legitimate traffic and must precede any DROP. On current systems the equivalent -m conntrack --ctstate ESTABLISHED,RELATED is the preferred spelling; -m state still works as an alias.

 

iptables -A INPUT -p tcp --syn --dport 25 -m limit --limit 1/s --limit-burst 4 -j ACCEPT

 

This is the first half of a simple SYN-flood limiter, here for port 25, but any port works. The ACCEPT must carry the limit match: it then admits a burst of 4 new connections and after that one per second. Follow it with 'iptables -A INPUT -p tcp --syn --dport 25 -j DROP' so that SYNs above the limit are dropped instead of falling through to later rules. Order matters: an unconditional 'iptables -A INPUT -p tcp --syn --dport 25 -j ACCEPT' placed before the limited rule accepts everything and makes the limit dead. Two caveats: -m limit is a single global bucket, so one flooder throttles every legitimate client as well (per-source limiting needs the hashlimit match), and the kernel's own SYN-cookie mechanism remains the primary defence against a real SYN flood.

 

iptables -A INPUT -s 192.168.1.0/27 -j ACCEPT

 

Use this form to whitelist a single address or a whole network; CIDR notation gives the subnet size. 192.168.1.0/27 covers the 32 addresses 192.168.1.0 through 192.168.1.31 (usable hosts .1 to .30). Write the network address, not a host inside it: iptables accepts 192.168.1.1/27 but masks it to 192.168.1.0/27 with a warning. The rule has no -p, so it accepts every protocol from that range, and it must sit before any DROP that could match first.

 

iptables -I INPUT -s 192.168.1.1 -j DROP

 

This rule blocks every packet from 192.168.1.1; replace that with the actual offending address. Use -I rather than -A so the rule lands at the top of the chain, ahead of every ACCEPT including the ESTABLISHED,RELATED rule: appended at the bottom it would come too late for an attacker who already has an open connection. Leaving out -p tcp makes it cover UDP and ICMP as well. If you know an attack is coming from a specific address, this is the rule to use.

 

iptables -N PORT-SCANNING

 

Here we create a user-defined chain, PORT-SCANNING, and append rules to it below. A user-defined chain is only consulted when a rule in a built-in chain jumps to it, so you also need a rule in INPUT with -j PORT-SCANNING for the packets you want inspected (the bare-RST packets selected by the --tcp-flags test in the next rule). Without that jump the chain is never evaluated.

 

iptables -A PORT-SCANNING -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN

 

Appended to the PORT-SCANNING chain, this matches TCP packets whose RST flag is set while SYN, ACK and FIN are clear (the --tcp-flags syntax lists the flags to examine, then the ones that must be set). Up to the limit, one per second with the default burst of 5, the packet RETURNs to the calling chain and continues from there; anything above the limit falls through to the next rule in this chain.

 

iptables -A PORT-SCANNING -j DROP

 

This second rule in PORT-SCANNING drops whatever the limit did not let through, so excess bare RSTs are silently discarded. Treat it as a nuisance filter rather than port-scan protection: a plain SYN scan sends SYNs, not RSTs, and never touches this chain. What actually hides closed ports from a scanner is dropping, rather than rejecting, unsolicited traffic, which the SYN DROP rule above or a DROP policy on INPUT already does.

Rules entered with the iptables command live only in kernel memory and are gone after a reboot, so remember to save them. The command below is the RHEL/CentOS form (iptables-services package); on Debian and Ubuntu use iptables-persistent, or write the output of iptables-save to a file and load it at boot with iptables-restore.

 

sudo service iptables save

 

Rules take effect the moment you enter them; a restart is not needed to apply them. Restarting the service does reload the saved set, which is a useful check that what was saved is what you meant to keep. Before relying on the ruleset of a remote host, list it with iptables -L INPUT -n -v, and keep an existing SSH session open (or schedule a fallback flush) so a mistaken rule cannot lock you out:

 

sudo service iptables restart
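The whole procedure above, as one added example that is not code from the original article: a POSIX shell script that writes the ruleset in iptables-restore format, in an order that avoids the append-after-DROP trap described under the first rule, loads it atomically, and carries a small awk audit that flags ACCEPT rules sitting behind a catch-all DROP. Everything it assumes is marked in the comments: the whitelist 192.168.1.0/27 is the article's, the admin host is a made-up 198.51.100.10 rather than the article's 192.168.1.1 (which lies inside the whitelisted /27 and would make the SSH rule redundant), and 203.0.113.7 is a made-up offender from the documentation range. It uses a DROP policy on INPUT in place of the article's SYN DROP rule, and per-source hashlimit in place of the global limit; both are substitutions, not the article's method.

```shell
#!/bin/sh
# Added example, not from the original article. Builds the article's INPUT
# ruleset as an iptables-restore file (loaded atomically, so rule order is
# fixed by the file rather than by when each -A was typed) and audits a
# ruleset for ACCEPT rules hidden behind a catch-all DROP.
# Assumed values: only TRUSTED_NET comes from the article.
ADMIN_IP="${ADMIN_IP:-198.51.100.10}"        # host allowed to open SSH (made up)
TRUSTED_NET="${TRUSTED_NET:-192.168.1.0/27}" # whitelisted network (from the article)
BLOCKED_IP="${BLOCKED_IP:-203.0.113.7}"      # made-up offender (TEST-NET-3 range)

# Emit the ruleset. Lines starting with '#' are ignored by iptables-restore.
# Order: block the bad host, loopback, stateful accept, per-service accepts;
# the INPUT policy DROP handles whatever is left. IPv4 only; IPv6 needs its
# own ip6tables-restore file.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:PORT-SCANNING - [0:0]
# known-bad host first, ahead of every ACCEPT (kills its open connections too)
-A INPUT -s ${BLOCKED_IP} -j DROP
# loopback: many local daemons break without it
-A INPUT -i lo -j ACCEPT
# packets of connections already accepted: early, because it matches most traffic
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets that belong to no known connection (stray ACK/RST and the like)
-A INPUT -m conntrack --ctstate INVALID -j DROP
# bare RST packets are sent through the port-scan chain
-A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j PORT-SCANNING
# whitelisted network, all protocols
-A INPUT -s ${TRUSTED_NET} -j ACCEPT
# new SSH connections only from the admin host
-A INPUT -p tcp --syn -s ${ADMIN_IP} --dport 22 -j ACCEPT
# SMTP: per-source limit, burst of 4 then 1/s; SYNs above the limit are dropped
-A INPUT -p tcp --syn --dport 25 -m hashlimit --hashlimit-name smtp --hashlimit-mode srcip --hashlimit-upto 1/s --hashlimit-burst 4 -j ACCEPT
-A INPUT -p tcp --syn --dport 25 -j DROP
# rate-limited ping so monitoring keeps working
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# port-scan chain: let one bare RST per second back (RETURN), drop the rest
-A PORT-SCANNING -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
-A PORT-SCANNING -j DROP
COMMIT
EOF
}

# Number of rules appended to a chain in the generated ruleset.
count_rules() {
    gen_rules | grep -c "^-A $1 "
}

# Audit: read rules on stdin as typed (restore/command syntax, with --syn) and
# flag every ACCEPT that sits behind a catch-all DROP in the same chain. A
# catch-all DROP is one whose only qualifiers are an optional -p/-m tcp and
# --syn. Prints the unreachable rules; returns 1 if any were found, else 0.
find_dead_accepts() {
    awk '
        /^-A / && /-j DROP$/ {
            q = $0; sub(/^-A [^ ]+ /, "", q); sub(/ -j DROP$/, "", q)
            sub(/ ?-m tcp/, "", q); sub(/ ?--syn/, "", q)
            proto = "all"
            if (match(q, /^-p [^ ]+/)) { proto = substr(q, 4, RLENGTH - 3); q = substr(q, RLENGTH + 1) }
            if (q ~ /^ *$/) catchall[$2] = proto
        }
        /^-A / && /-j ACCEPT$/ && ($2 in catchall) {
            p = "all"
            if (match($0, /-p [^ ]+/)) p = substr($0, RSTART + 3, RLENGTH - 3)
            if (catchall[$2] == "all" || p == catchall[$2]) { print "unreachable: " $0; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Atomic load; requires root. Persist afterwards with iptables-save
# (Debian/Ubuntu: iptables-save > /etc/iptables/rules.v4 via iptables-persistent;
# RHEL-family: service iptables save).
apply_rules() {
    gen_rules | iptables-restore
}

case "${1:-show}" in
    apply) apply_rules ;;
    check) gen_rules | find_dead_accepts && echo "no unreachable ACCEPT rules" ;;
    *)     gen_rules ;;
esac
```

Run it with no argument to print the ruleset for review, with check to run the audit over it, and with apply as root to load it. The audit only understands rules as written on this page and in the generated file; iptables-save rewrites --syn as a --tcp-flags expression, so feed it your own rule text rather than saved output.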

 

Thank you!

 
