Simple iptables Rules for Ubuntu/Debian VPS
Category : How-to
The following iptables rules are a starting point for adding basic firewall security to a public-facing server, such as a public VPS. The primary focus is to stop all inbound traffic other than SSH, which is required for shell access.
The biggest issue with public VPS providers is that some iptables features are often disabled: many OpenVZ container providers don't allow state matching (the state/conntrack modules) in iptables, for example. If you've got one of these VPSs, you'll likely see the following error when a rule uses such a module:
iptables: No chain/target/match by that name.
These rules are engineered so that they will work on most VPSs where iptables is installed, because they don't rely on state matching at all.
The following rules block all incoming connections except SSH, including ping (ICMP echo) requests. Outgoing HTTP and HTTPS TCP requests and DNS UDP requests are explicitly allowed; note that the default OUTPUT policy at the end of the list is ACCEPT, so all other outbound traffic is allowed as well unless you change that policy to DROP.
See the links at the bottom of the page for a more in depth look at iptables rules.
# Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Inbound SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

# Outbound HTTP/S (replies are matched by their source port because
# state matching may not be available on the VPS; see above)
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --sport 443 -j ACCEPT

# Outbound DNS
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT

# Default policy (set last, once the SSH rule is already in place)
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
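The rules above are stateless because the conntrack match may be missing on the VPS. The script below is an added example, not part of the original post: it probes whether "-m conntrack" actually loads on the kernel and then emits either a stateful version of the INPUT rules or the post's stateless source-port version. The names build_rules, have_conntrack and fwprobe are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: emit the post's INPUT rules in
# a "stateful" flavour when the conntrack match loads, and the post's stateless
# source-port flavour otherwise. Names (build_rules, have_conntrack, fwprobe)
# are this example's own. Usage as root: sh fw.sh print | sh fw.sh apply
# OUTPUT keeps the post's ACCEPT policy, so its explicit OUTPUT rules are omitted.

# Print the ruleset for MODE (stateful|stateless) as iptables commands.
build_rules() {
    mode="$1"
    echo "iptables -P INPUT ACCEPT"      # keep SSH alive while the chain is rebuilt
    echo "iptables -F INPUT"             # re-runs must not duplicate rules
    echo "iptables -F OUTPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    if [ "$mode" = stateful ]; then
        # One rule admits every reply; only new inbound SSH needs listing.
        echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    else
        # No conntrack: admit replies by source port, exactly as the post does.
        echo "iptables -A INPUT -p tcp --dport 22 -j ACCEPT"
        for p in 80 443; do echo "iptables -A INPUT -p tcp --sport $p -j ACCEPT"; done
        echo "iptables -A INPUT -p udp --sport 53 -j ACCEPT"
    fi
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -P FORWARD DROP"
}

# Return 0 if "-m conntrack" loads on this kernel. A scratch chain is used so
# INPUT is never touched; on a VPS without the module the append fails with
# the "No chain/target/match by that name" error (silenced here).
have_conntrack() {
    iptables -N fwprobe 2>/dev/null || return 1
    iptables -A fwprobe -m conntrack --ctstate ESTABLISHED -j RETURN 2>/dev/null
    rc=$?
    iptables -F fwprobe 2>/dev/null; iptables -X fwprobe 2>/dev/null
    return $rc
}

pick_mode() { if have_conntrack; then echo stateful; else echo stateless; fi; }

case "${1:-}" in
    print) build_rules "$(pick_mode)" ;;
    apply) build_rules "$(pick_mode)" | sh -e ;;
esac
```

Run "print" first and read the output before "apply"; a non-root run cannot create the probe chain and therefore reports the stateless flavour.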
If you're using Ubuntu or Debian, you can easily make the rules persist across reboots:
apt-get install iptables-persistent
# iptables-persistent ships the netfilter-persistent service on Debian/Ubuntu;
# "service iptables save" is the Red Hat command and does not exist here.
# (On old releases without it, use: /etc/init.d/iptables-persistent save)
service netfilter-persistent save