Simple iptables Rules for Ubuntu/ Debian VPS

Simple iptables Rules for Ubuntu/ Debian VPS

Get Social!

The following iptables rules are are a starting point to add basic firewall security to a public facing server, such as a public VPS. The primary focus is to stop any inbound traffic other than SSH, which is required for shell access.

[the_ad id=”2698″]

The biggest issue with public VPS providers is that often some iptables features are disabled – many OpenVZ container providers don’t allow state checking in iptables, for example. If you’ve got one of these VPS’s you’ll likely see the following error:

iptables: No chain/target/match by that name.

These rules are engineered so that they will work with most VPS’s where iptables is installed.

The following rules will block all incoming connections except SSH, including PING requests. Outgoing is open for HTTP and HTTPS TCP requests and DNS UDP requests.

See the links at the bottom of the page for a more in depth look at iptables rules.

# Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Inbound SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

# Outbound HTTP/S
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --sport 443 -j ACCEPT

# Outbound DNS
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT

# default policy
iptables -P INPUT DROP
iptables -P FORWARD DROP

If you’re using Ubuntu, you can easily make the rules persist:

apt-get install iptables-persistent
service iptables save


Basic IPTable Rules

Category : How-to

Get Social!

Here are some basic IPTable rules to enable essential connectivity from the host. Outbound connectivity such as ping, DNS and HTTP are all enabled, along with inbound SSH.

All external sources are enabled for SSH so it’s advisable to restrict this further once you’re up and running. This IPTables script is intended to be a starting point and may need to be tailored for your security requirements.

Paste the below script in order to get started.

Optional, run iptables -F to clear existing rules.

iptables -F


# Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Established
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Drop invalid
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# Incoming SSH
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Outgoing HTTPS
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# Outgoing HTTP
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# Outgoing DNS
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

# Outgoing Ping
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Default chain
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

See the cheat sheet for more information.

Cassandra Firewall Ports

Category : Knowledge

Get Social!

datastax-logoCassandra uses various ports for communication, either server to server communication or client to server communication.

If you’re using Cassandra in a firewalled environment you may need to open various ports depending on your needs. All ports are TCP and can be configured in the relevant config files to use non-default ports.

Port # Type Description
7000 TCP Non-encrypted inter-node cluster communication. Not used if SSL is in use.
7001 TCP Encrypted SSL inter-node cluster communication. Not used if SSL is not in use.
7199 TCP JMX monitoring port.
9042 TCP Client port used for native CQL.
9160 TCP Client port used for Thrift.

New features in Proxmox Test Repository

Category : Tech News

Get Social!

proxmox logo gradProxmox uses two main repositories (if you exclude the Enterprise repository) to release updates to Proxmox servers around the world. The usual repository pve-no-subscription is used to release updates for the Proxmox VE platform that are usually stable and tested. The other repository is the pvetest repository that contains new code that has not yet been thoroughly tested by the community. Updates in the pvetest repository should never be used in production, but are a great way to give something back to the Proxmox community by testing the code in a development environment and to see what new features are up and coming.

Martin Maurer sent an email to the Proxmox mailing list stating that a rift of changes and new features have been released to the pvetest repository and are available for download.

If you would like to use the pvetest repository on your Proxmox installation you will need to add the test repository source to your configuration. Remember, this is not recommended for production servers.

The notable features include:

  • A new Proxmox VE Firewall for the host and guests.
  • A new non-Java Html5 Console
  • Two-factor authentication

Keep an eye out for the official release, but we can speculate that a new version of Proxmox is just on the horizon containing these new updates.

Default Ports for Samba

Tags :

Category : How-to

Get Social!

The ports required by Samba vary depending on if you use Samba as a domain controller or not. The most common type of Samba deployment would be to use a non domain controller deployment of Samba to create file shares for an existing domain or workgroup.

All of the below ports are TCP:

  • 137 (netbios-ns) – is used for the NETBIOS name service
  • 138 (netbios-dgm) – is used for the NETBIOS datagram service
  • 139 (netbios-ssn) – is used for the NETBIOS session service
  • 445 (microsoft-ds) – is required if you are using Microsoft Active Directory

Set up Linux PPTP Client from the Terminal

Get Social!

Linux penguinA Virtual Private Network, or VPN, allows the client computer to connect to a remote local network to use it’s resources such as printers and file shares. There are several types of VPN such as PPTP and LP2SEC with varying types of protection. PPTP is not the most secure type of VPN but its the easiest to set up.

PPTP has numerous security risks which means that the data you are transferring through your VPN can easily be unencrypted. L2TP/IPsec is becoming the standard VPN technology of choice. PPTP should not be used unless security of each end point and the data transferred is not required.

Take the quick VPN Poll to tell us what type of VPN you use.

This tutorial assumes you have a PPTP server already set up with the following details:

  • Hostname:
  • Username: pptpuser
  • Password: pptppassword

Open a Terminal and install the required PPTP client packages.

apt-get install pptp-linux network-manager-pptp

Create a credentials file with the username and password of the PPTP server:

vi /etc/ppp/chap-secrets

Add your entry using the below attributes

  • [USER] – user name to log in to the VPN server
  • [SERVER] – name of server to use, PPTP in our case.
  • [SECRET] – password of the above [USER].
  • [IP] – ip of the server, * means all IPs.
[USER]    [SERVER]    [SECRET]    [IP]


pptpuser    PPTP    pptppassword    *

Create a file which will be executed when the PPTP connection is started. This can contain additional commands to run when the connection is started such as adding new routes or firewall exceptions.

vi /etc/ppp/ip-up.d/route-traffic

The below examle script adds a route from the PPTP connection to any computers on the PPTP servers local network with IPs in the or ranges. This means that on the PPTP client, any machines on the above IP ranges will be accessible. This script may not be required for your environment and is simply used as an example. Note: a route should automatically be added to your VPN gateway.

route add -net ${NET1} dev ${IFACE}
route add -net ${NET2} dev ${IFACE}

Allow execution of the script:

chmod +x /etc/ppp/ip-up.d/route-traffic

Add the PPTP client connection pool and any additional settings which are required. The connection name,, can be changed to suite your connection. 

vi /etc/ppp/peers/

Add the details of the PPTP server. The below are the basic options required to connect to the server using mppe-128 encryption. Edit the below attributes to match your environment:

  • [USER] – user name to log in to the VPN server
  • [HOST] – host name or IP address of the PPTP server.
pty "pptp [HOST] --nolaunchpppd"
name [USER]
remotename PPTP
file /etc/ppp/options.pptp

You must add rules to your firewall to allow connections to and from this interface as well as through your existing public interface to make the PPTP connection.  The below rules open all traffic on the new pptp interface using iptables. You may need to change this once the connection has been tested to increase security.

iptables -A INPUT -i pptp -j ACCEPT
iptables -A OUTPUT -o pptp -j ACCEPT

Finally you will need to start your PPTP client connection. Use pon and poff to start and stop your PPTP client. Replace [CONNECTION] with the name you gave to the file in /etc/ppp/peers/.


See my script on automatically detecting a disconnect and restarting the PPTP client connection.

Visit our advertisers

Quick Poll

Which type of virtualisation do you use?
  • Add your answer

Visit our advertisers