iptables is a rather handy tool to protect your server from unwanted and potentially malicious connection attempts. To list the current rules, run in SSH:
A typical set of firewall rules set by iptables on a simple server, be it VPS or dedicated, for hosting and serving websites should be like this:
iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -p tcp --dport 443 -j ACCEPT # iptables -A INPUT -p tcp --dport 3306 -j ACCEPT iptables -A INPUT -p tcp --dport 21 -j ACCEPT iptables -A INPUT -p tcp -m multiport --dports 8001,8002,8003,8004,8005,8006,8007,8008,8009,8010 -j ACCEPT iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT iptables -A INPUT -j REJECT iptables -A FORWARD -j REJECT
- ports 80 and 443 for web pages serving via HTTP and HTTPS
- port 21 and a series of tcp ports for FTP (passive mode) so that you can upload stuff to the server with your favorite FTP client
- port 22 for SSH access which can be modified for more security. If you have altered the default SSH connection port 22 to a random one, make sure you also change the port in the iptables rules set accordingly or the server will reject you.
- port 3306 for MySQL database server. Note that you may or may not need to open port 3306 for MySQL. For example, if you use ‘localhost’ as database server, there’d be no need most of the time.
And disables everything else.
These commands will only be in effect for the current session, once the server is restarted, all rules will be lost. In order to save these rules and make the server automatically load and apply them every time you reboot, write them into a file to be loaded upon every system start. Run:
iptables-save > /etc/iptables.up.rules
Command iptables-save saves the rule set to the file /etc/iptables.up.rules from the memory. Now configure the server to read and apply the rule set file /etc/iptables.up.rules every time it starts:
And add a line immediately below ‘iface lo inet loopback’:
pre-up iptables-restore < /etc/iptables.up.rules
Now you are set. Reboot the server and see if all takes effect.