Configuring the firewall on Linux with iptables
Find out how to secure a server with iptables
Last updated 27th February 2023
Your VPS is equipped with a firewall. A firewall creates a barrier between a trusted network and an untrusted one by applying rules that decide which traffic is allowed through and which is blocked. On Linux, iptables is the traditional command-line utility for configuring the kernel's packet filter (netfilter).
OVHcloud is providing you with services for which you are responsible, with regard to their configuration and management. You are therefore responsible for ensuring they function correctly.
This guide is designed to assist you in common tasks as much as possible. Nevertheless, we recommend that you contact a specialist service provider and/or discuss the issue with our community if you face difficulties or doubts concerning the administration, usage or implementation of services on a server.
This guide lists the commands for an Ubuntu Server distribution.
This guide is for general use. You may need to adapt some commands depending on the distribution and/or operating system you are using. Some tips may suggest using third-party tools. If you have any questions about their use, please refer to their official documentation.
Distribution and operating system developers offer frequent software package updates, very often for security reasons. Keeping your distribution or operating system up-to-date is essential for securing your server.
Please refer to our guide on securing a VPS for more information.
There are two separate tools: iptables for IPv4 and ip6tables for IPv6. The rules covered in this Linux iptables tutorial concern IPv4. To filter IPv6 traffic you must use ip6tables, with the same syntax. The two rulesets are completely independent: a rule added with iptables has no effect on IPv6 traffic, so if your server has an IPv6 address you must configure both, otherwise the IPv6 side stays open.
iptables is installed by default on most Linux systems. On Ubuntu, the following command installs it if it is missing and otherwise confirms that it is already present:
sudo apt-get install iptables
If the package is already installed, apt replies that iptables is already the newest version and changes nothing. On recent Ubuntu releases the iptables command is the iptables-nft variant, which stores rules in the kernel's nftables subsystem; the syntax used in this guide is the same.
A typical iptables command has the following form, where CHAIN is INPUT, OUTPUT or FORWARD, the rule gives the match conditions (protocol, port, source address, interface) and the -j target says what to do with packets that match:
sudo iptables [option] CHAIN rule [-j target]
Here is a list of some common iptables options:
To display all of the current rules on your server, enter the following command in the terminal window:
sudo iptables -L
The system displays the rules of each chain in the filter table (add -n to print addresses and ports numerically, which avoids slow reverse DNS lookups, and -v to include packet and byte counters).
The output lists the three built-in chains: INPUT for packets addressed to the server itself, FORWARD for packets routed through it, and OUTPUT for packets the server sends.
To allow traffic from your own system (the localhost), append a rule to the INPUT chain by entering the following:
sudo iptables -A INPUT -i lo -j ACCEPT
This command configures the firewall to accept all traffic arriving on the loopback interface (-i lo). Many local services (databases, caches, mail queues) talk to each other over this interface, so this rule must be present before any restrictive rule; otherwise those applications break as soon as the default becomes DROP.
The rules below allow inbound traffic on the ports you specify. A port is a numbered communication endpoint associated with a particular service; the firewall matches on it together with the protocol (-p tcp).
To allow HTTP Web traffic, enter the following command:
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
To allow inbound SSH (Secure Shell) traffic, enter the following. The example uses the default SSH port 22; if your sshd listens on a different port, adjust the command accordingly, otherwise you will lock yourself out as soon as other traffic is dropped:
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
To allow HTTPS Internet traffic, enter the following command:
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
The options work this way:
If you lose access to your server, you can always use the KVM/IPMI tool to access it again and modify your configuration or delete your rules.
For more information on accessing this tool, please refer to this guide.
Use the following command to accept all traffic from a specific IP address:
sudo iptables -A INPUT -s your_IP_address_to_authorise -j ACCEPT
Replace your_IP_address_to_authorise with the address you want to authorise (a CIDR range such as 203.0.113.0/24 is also accepted by -s).
You can also block traffic from an IP address:
sudo iptables -A INPUT -s your_IP_address_to_block -j DROP
Replace your_IP_address_to_block with the address you want to block. Note that iptables evaluates the rules of a chain from top to bottom and stops at the first match, and that -A appends at the end of the chain. A blocking rule appended after the ACCEPT rules above is therefore never reached for the ports those rules open; to block an address on every port, insert the rule at the top of the chain with -I INPUT instead of -A INPUT.
You can reject traffic from an IP address range with the following command:
sudo iptables -A INPUT -m iprange --src-range your_start_IP_address-your_end_IP_address -j REJECT
REJECT differs from DROP in that the sender receives an error (by default an ICMP port-unreachable message) instead of silence. DROP is usually preferable on an internet-facing server because it reveals nothing and generates no reply traffic; REJECT gives clients on a trusted network a faster failure.
The iptables options we used in the examples work as follows:
Once your allow rules are in place, prevent unauthorised access by dropping everything that no earlier rule accepted:
sudo iptables -A INPUT -j DROP
The -A option appends the rule to the end of the chain. Because rules are evaluated in order and the first match wins, any connection to a port you have not explicitly opened reaches this rule and is silently dropped. Two consequences follow: rules you append later land after the DROP and are never consulted (insert them with -I instead), and replies to connections the server itself initiates (package downloads, DNS queries) are also dropped unless a rule accepting established connections precedes this one.
If you run this command before adding the rule that allows SSH, you block all access, including your current SSH session. This is particularly problematic on a machine you only access remotely.
An alternative to a catch-all rule is to change the default policy of the INPUT chain, which is what happens to packets that match no rule at all:
sudo iptables -P INPUT DROP
Set the policy last, after the ACCEPT rules, and keep in mind that flushing the chain while the policy is DROP leaves nothing accepted.
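The rules above form one procedure whose order decides whether you keep access. The script below is an added example, not code from the OVHcloud guide: it prints (or, with --apply, installs as root) a complete INPUT ruleset for the ports discussed above, with the loopback rule first, a rule accepting replies to connections the server initiated, the allow rules, and the DROP policy set last. The SSH_PORT variable (default 22), the ICMP echo rule and the conntrack state matching are this example's own choices and are not on the original page.

```shell
#!/bin/sh
# Added example, not part of the original guide: generate the INPUT ruleset in
# an order that cannot lock you out. SSH_PORT defaults to 22 (assumption;
# change it if sshd listens elsewhere). Without --apply the commands are only
# printed so you can review them first.

SSH_PORT="${SSH_PORT:-22}"

# Print the iptables commands, one per line, in the order they must run:
# 1. make the policy permissive before flushing, so a flush never locks you out
# 2. loopback first, then replies to established/related connections
# 3. new connections only on the ports you open
# 4. the restrictive policy last, once every ACCEPT rule is in place
build_rules() {
    ssh_port="$1"
    cat <<EOF
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -P INPUT DROP
EOF
}

# Sanity check before applying: the SSH port must be a number in 1..65535,
# since a typo here is the classic way to lose the session.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# With --apply, run the commands as root; otherwise just print them.
main() {
    valid_port "$SSH_PORT" || { echo "SSH_PORT '$SSH_PORT' is not a valid port" >&2; return 1; }
    if [ "${1:-}" = "--apply" ]; then
        [ "$(id -u)" -eq 0 ] || { echo "run with sudo to apply the rules" >&2; return 1; }
        build_rules "$SSH_PORT" | sh -e      # -e: stop at the first failing command
    else
        build_rules "$SSH_PORT"
    fi
}

main "$@"
```

Run it once without arguments to review the output, then with sudo and --apply from a session you can afford to lose (or from the KVM console). The ESTABLISHED,RELATED rule is what keeps outbound package updates working after the policy becomes DROP; the two catch-all commands from the guide (-A INPUT -j DROP and -P INPUT DROP) are equivalent here, and the policy form is used so that rules appended later are still consulted.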
To remove a rule, delete it by its line number. First, list all rules with their numbers by entering the following:
sudo iptables -L --line-numbers
Locate the line for the firewall rule you want to remove and run this command:
sudo iptables -D INPUT <Number>
Replace <Number> with the line number of the rule you want to delete. The chain is renumbered after every deletion, so list it again before deleting another rule rather than reusing numbers from the earlier output.
Rules added with iptables live in kernel memory only: they are lost when the system restarts, so any change you make applies only until the next reboot.
To keep them, export the running ruleset to a file and have it restored at boot. On Ubuntu, install the iptables-persistent package, which loads /etc/iptables/rules.v4 (and rules.v6 for ip6tables) at boot, then save the current rules there:
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
iptables-save only prints the ruleset to standard output; without the redirection, and without iptables-persistent or an equivalent boot-time iptables-restore, nothing is reloaded after a reboot. Its -c option adds the current packet counters to the output, which is unnecessary for a saved configuration. Once the file is in place, the rules are restored automatically the next time your system boots.
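Because a saved ruleset is restored at boot exactly as written, a rule file that blocks SSH (the lock-out case described above) becomes permanent. The script below is an added example, not code from the OVHcloud guide: it lints a ruleset in iptables-save format, checks that it still admits SSH, and applies it with a timed rollback so that a bad rule undoes itself unless you confirm it from a fresh login. The /etc/iptables/rules.v4 path (the one iptables-persistent uses), the SSH_PORT default of 22, the files under /run and the sample dumps are this example's own assumptions and constructed inputs, not taken from the original page.

```shell
#!/bin/sh
# Added example, not part of the original guide: apply a saved ruleset with a
# timed rollback so a mistake in the rules cannot lock you out of SSH.
# Assumptions: the ruleset is in iptables-save format at /etc/iptables/rules.v4,
# sshd listens on SSH_PORT (default 22), and apply/confirm run as root.

RULES="${RULES:-/etc/iptables/rules.v4}"
SSH_PORT="${SSH_PORT:-22}"
GRACE="${GRACE:-60}"                       # seconds before automatic rollback
BACKUP=/run/iptables-rollback.save         # snapshot of the rules now in force
PIDFILE=/run/iptables-rollback.pid         # pid of the pending rollback timer

# Lint an iptables-save dump read on stdin. Succeeds when INPUT still admits
# SSH: an ACCEPT rule for the port appears before any catch-all DROP/REJECT
# rule, or the policy stays ACCEPT with no catch-all and no rule dropping the
# port. A DROP on the port before any ACCEPT fails the check even if it is
# source-restricted: the lint errs on the safe side.
ruleset_keeps_ssh() {
    awk -v port="$1" '
        /^:INPUT DROP/ { policy_drop = 1 }
        /^-A INPUT /   {
            if ($0 ~ ("--dport " port " ") && $0 ~ /-j ACCEPT/ && !catch_all) ssh_ok = 1
            if ($0 ~ ("--dport " port " ") && $0 ~ /-j (DROP|REJECT)/ && !ssh_ok) ssh_blocked = 1
            if ($0 ~ /^-A INPUT -j (DROP|REJECT)/) catch_all = 1
        }
        END {
            if (ssh_ok) exit 0
            if (ssh_blocked || policy_drop || catch_all) exit 1
            exit 0
        }
    '
}

# Lint, syntax-check, snapshot the live rules, start the rollback timer, apply.
apply_with_rollback() {
    file="$1"
    ruleset_keeps_ssh "$SSH_PORT" < "$file" || {
        echo "refusing: $file would block SSH on port $SSH_PORT" >&2; return 1; }
    iptables-restore --test < "$file" || return 1   # parse only, nothing is committed
    iptables-save > "$BACKUP"
    # If confirm_rules does not kill this timer in time, the old rules come back.
    ( sleep "$GRACE" && iptables-restore < "$BACKUP" && rm -f "$BACKUP" "$PIDFILE" ) &
    echo $! > "$PIDFILE"
    iptables-restore < "$file"
    echo "rules applied; run '$0 confirm' within ${GRACE}s or the old rules return"
}

# Cancel the pending rollback after a fresh SSH login has succeeded.
confirm_rules() {
    [ -r "$PIDFILE" ] || { echo "no rollback pending" >&2; return 1; }
    kill "$(cat "$PIDFILE")" 2>/dev/null
    rm -f "$PIDFILE" "$BACKUP"
    echo "rules kept; they are persistent if $RULES is the file you applied"
}

# Constructed sample dump (not captured from a real server): SSH allowed, policy DROP.
sample_dump_ok() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Constructed sample of the ordering mistake the guide warns about: the
# catch-all DROP was appended before the SSH rule, so SSH is never reached.
sample_dump_locked_out() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

case "${1:-}" in
    apply)   apply_with_rollback "${2:-$RULES}" ;;
    confirm) confirm_rules ;;
    lint)    ruleset_keeps_ssh "$SSH_PORT" < "${2:-$RULES}" && echo "SSH stays reachable" ;;
esac
```

Use it as sudo ./script apply, open a second SSH session to verify, then sudo ./script confirm from that session; if the new rules cut you off, the snapshot returns after the grace period without any trip to the KVM console. The lint alone (./script lint file) is a useful pre-flight check before rebooting a server that has iptables-persistent installed.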
You can now configure basic iptables firewall rules for your Linux server. Feel free to experiment because you can always delete the rules you don't need, or empty all the rules and start over.
Join our community of users on https://community.ovh.com/en/.