Typical iptables Firewall Rules for a Server that Hosts Websites

iptables is a rather handy tool to protect your server from unwanted and potentially malicious connection attempts. To list the current rules, run this over SSH:

iptables -L

A typical iptables rule set for a simple server, VPS or dedicated, that hosts and serves websites looks like this:

# Loopback: allow it, and reject anything claiming a loopback address on another interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Replies to connections the server itself opened; this must sit above the final REJECT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT
# Web
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# MySQL, left commented out unless remote clients need it
# iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
# FTP control port and the passive-mode data port range
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 8001,8002,8003,8004,8005,8006,8007,8008,8009,8010 -j ACCEPT
# SSH (change 22 if sshd listens on another port) and ICMP echo request (ping)
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Everything else
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT

Which enables

  1. ports 80 and 443 for serving web pages over HTTP and HTTPS
  2. port 21 and a range of TCP ports for FTP (passive mode), so that you can upload files to the server with your favorite FTP client
  3. port 22 for SSH access, which can be changed for more security. If you have moved SSH from the default port 22 to another one, make sure you change the port in the iptables rule set accordingly, or the server will reject you.
  4. port 3306 for the MySQL database server (commented out in the set above). You may or may not need to open port 3306 for MySQL. For example, if you use ‘localhost’ as the database server, there is usually no need.

And disables everything else.

These commands are only in effect for the current session; once the server is restarted, all rules are lost. To keep them and have the server load and apply them on every reboot, write them to a file that is loaded at each system start. Run:

iptables-save > /etc/iptables.up.rules

iptables-save writes the rule set currently in memory to the file /etc/iptables.up.rules. Now configure the server to read and apply /etc/iptables.up.rules every time it starts:

nano /etc/network/interfaces

And add a line immediately below ‘iface lo inet loopback’:

pre-up iptables-restore < /etc/iptables.up.rules

Now you are set. Reboot the server and check with iptables -L that the rules are in effect.
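The rule set above and the /etc/iptables.up.rules file it is then saved to, as an added example that is not from the original post: a POSIX sh script that emits the same rules in the format iptables-restore reads (the format iptables-save writes), parameterised on the SSH port from item 3 of the list, and that refuses to write the file unless the SSH ACCEPT rule comes before the catch-all REJECT. The variable names SSH_PORT and FTP_PASV_PORTS and the functions gen_rules, check_order and write_rules are this example's own; `! -i lo` is the current iptables spelling of the post's `-i ! lo`, and the 8001:8010 range is the multiport way of writing the post's ten ports.

```shell
#!/bin/sh
# Added example, not part of the original post. It prints the post's rule set
# in the format iptables-restore reads, so the file can be reviewed before it
# is loaded at boot. SSH_PORT, FTP_PASV_PORTS, gen_rules, check_order and
# write_rules are names and assumptions of this example.

SSH_PORT="${SSH_PORT:-22}"                     # set to sshd's port if it is not 22
FTP_PASV_PORTS="${FTP_PASV_PORTS:-8001:8010}"  # multiport range, same ports as the post lists

# Print the rule set. Order matters: iptables applies the first matching rule,
# so the ESTABLISHED,RELATED and per-service ACCEPT lines sit above the
# catch-all REJECT. Lines starting with # are ignored by iptables-restore.
gen_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# -A INPUT -p tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m multiport --dports $FTP_PASV_PORTS -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport $SSH_PORT -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
}

# Guard against the lockout the post warns about: succeed only if the SSH
# ACCEPT rule appears before the catch-all INPUT REJECT.
check_order() {
    rules="$(gen_rules)"
    ssh_line="$(printf '%s\n' "$rules" | grep -n -- "--dport $SSH_PORT -j ACCEPT" | head -n 1 | cut -d: -f1)"
    reject_line="$(printf '%s\n' "$rules" | grep -n -- '^-A INPUT -j REJECT' | head -n 1 | cut -d: -f1)"
    [ -n "$ssh_line" ] && [ -n "$reject_line" ] && [ "$ssh_line" -lt "$reject_line" ]
}

# Write the rule set to a file (default /etc/iptables.up.rules), but only
# after the ordering check passes.
write_rules() {
    out="${1:-/etc/iptables.up.rules}"
    check_order || { echo "refusing to write: SSH rule is not before the catch-all REJECT" >&2; return 1; }
    gen_rules > "$out"
}

# Usage:  SSH_PORT=2222 sh firewall.sh /tmp/iptables.up.rules
#         then load it with:  iptables-restore < /tmp/iptables.up.rules
if [ -n "${1:-}" ]; then
    write_rules "$1"
fi
```

Because iptables-restore replaces the contents of the filter table rather than appending to it (unless you pass -n, --noflush), loading this file at boot does not pile up duplicate rules the way re-running the iptables -A commands by hand would.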
