Iptables Tutorial – Securing Ubuntu VPS with Linux Firewall

Are you looking for a complete iptables tutorial for your VPS? Look no further. In this article, we will show you how to install and use iptables on an Ubuntu system. By learning about this Linux firewall tool, you can secure your VPS from the command line.

What is Iptables and how does it work?

Simply put, iptables is a firewall program for Linux. It monitors traffic to and from your server using tables. These tables contain sets of rules, called chains, that filter incoming and outgoing data packets.

When a packet matches a rule, it is given a target, which can be another chain or one of these special values:

  • ACCEPT – allows the packet to pass through.
  • DROP – does not let the packet pass.
  • RETURN – stops the packet from traversing the current chain and sends it back to the previous (calling) chain.

In this iptables tutorial, we are going to work with one of the default tables, called filter. It consists of three chains:

  • INPUT – controls packets coming into the server.
  • FORWARD – filters incoming packets that will be forwarded elsewhere.
  • OUTPUT – filters packets leaving your server.

Before you begin this guide, make sure you have SSH root or sudo access to your machine running on Ubuntu 16.04 or higher. You can establish the connection via PuTTY (Windows) or terminal shell (Linux, macOS). If you own Hostinger VPS, you can get the SSH login details from the Servers tab of hPanel.

How to install and use Iptables Linux Firewall

We will divide this iptables tutorial into three steps. First, you will learn how to install the tool on Ubuntu. Second, we’re going to show you how to define the rules. Finally, we’ll guide you through making persistent changes to iptables.

Step 1 – Installing Iptables

Iptables comes pre-installed on most Linux distributions. However, if you don’t have it on your Ubuntu/Debian system by default, follow the steps below:

  1. Connect to your server via SSH. If you don’t know how, you can read our SSH tutorial.
  2. Run the following commands one by one:

     sudo apt-get update
     sudo apt-get install iptables

  3. Check the status of your current iptables configuration by running:

     sudo iptables -L -v

     Here, the -L option is used to list all the rules, and -v displays the information in a more detailed (verbose) format. The following is the example output:

     Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
      pkts bytes target     prot opt in     out     source               destination

     Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
      pkts bytes target     prot opt in     out     source               destination

     Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
      pkts bytes target     prot opt in     out     source               destination

You will now have the Linux firewall installed. At this point, you may notice that all chains have the ACCEPT policy and contain no rules. This is not safe, as any packet can pass unfiltered.

Do not worry. We will tell you how to define rules in the next step of our iptables tutorial.

Step 2 – Defining Chain Rules

Defining a rule means adding it to a chain. To do this, you need to insert the -A (append) option right after the iptables command, like this:

sudo iptables -A

This tells iptables that you are adding new rules to a chain. Then, you can combine the command with other options, such as:

  • -i (interface) – the network interface whose traffic you want to filter, such as eth0, lo, ppp0, etc.
  • -p (protocol) – the network protocol where your filtering process takes place. It can be tcp, udp, udplite, icmp, sctp, icmpv6, etc. Alternatively, you can type all to match every protocol.
  • -s (source) – the source the traffic is coming from. You can add a host name or IP address.
  • --dport (destination port) – the destination port number of a protocol, such as 22 (SSH), 443 (HTTPS), etc.
  • -j (jump to target) – the name of the target (ACCEPT, DROP, RETURN). You should insert this every time you make a new rule.

If you want to use them all, you must type the command in this order:

sudo iptables -A <chain> -i <interface> -p <protocol (tcp/udp)> -s <source> --dport <port no.> -j <target>

Once you understand the basic syntax, you can start configuring the firewall to give your server more security. For this iptables tutorial, let’s use the INPUT chain as an example.

Enabling traffic on localhost

To allow traffic on localhost, type this command:

sudo iptables -A INPUT -i lo -j ACCEPT

For this iptables tutorial, we use lo, the loopback interface. It is used for all communications on the local host. The above command will ensure that connections between a database and a web application on the same machine work correctly.

Enabling HTTP, SSH and SSL port connections

Next, we want HTTP (port 80), HTTPS (port 443), and SSH (port 22) connections to work as usual. To do this, we need to specify the protocol (-p) and the corresponding port (--dport). You can run these commands one by one:

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

It’s time to check if the rules have been added to iptables:

sudo iptables -L -v

The listing should now show the three rules, which means that all TCP connections to the specified ports will be accepted.

Filtering by source

Filtering by source lets you accept or drop packets based on an IP address or a range of IP addresses. You must specify it after the -s option. For example, to accept packets from 192.168.1.3, the command would be:

sudo iptables -A INPUT -s 192.168.1.3 -j ACCEPT

You can also reject packets from a specific IP address by replacing the ACCEPT target with DROP:

sudo iptables -A INPUT -s 192.168.1.3 -j DROP

If you want to drop packets from a range of IP addresses, you have to use the -m option with the iprange module, then specify the range with --src-range. Remember, the two addresses must be separated by a hyphen with no spaces, like this:

sudo iptables -A INPUT -m iprange --src-range 192.168.1.100-192.168.1.200 -j DROP

Dropping all other traffic

It is crucial to use the DROP target for all other traffic after defining the --dport rules. This will prevent unauthorized connections from reaching the server through other open ports. To achieve this, simply type:

sudo iptables -A INPUT -j DROP

Now, connections to any port other than the ones specified will be dropped.
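The whole INPUT ruleset from this tutorial as one script, added here as an example and not taken from the original article: it puts the rules in the order that matters (the range DROP before the port ACCEPTs, the catch-all DROP last, because -A appends and the first matching rule wins) and adds a conntrack rule that the tutorial does not have, so replies to connections the server itself opens are not dropped. The DRY_RUN, SSH_PORT and BLOCKED_RANGE variables are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: build the INPUT chain from
# this guide in one go, in an order where every rule is reachable.
# Set DRY_RUN=1 (assumed variable) to print the commands instead of running them.

SSH_PORT="${SSH_PORT:-22}"                                       # assumed variable
BLOCKED_RANGE="${BLOCKED_RANGE:-192.168.1.100-192.168.1.200}"    # range from the tutorial

ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        sudo iptables "$@"
    fi
}

build_input_rules() {
    ipt -F INPUT                                   # start from an empty INPUT chain
    ipt -A INPUT -i lo -j ACCEPT                   # loopback, e.g. local DB <-> web app
    # Not in the tutorial: without this, replies to connections the server itself
    # opens (apt-get, DNS) arrive on ephemeral ports and hit the final DROP.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The range DROP must come before the port ACCEPTs, otherwise hosts in the
    # range still reach 22/80/443 because the first matching rule wins.
    ipt -A INPUT -m iprange --src-range "$BLOCKED_RANGE" -j DROP
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
    ipt -A INPUT -p tcp --dport 80 -j ACCEPT
    ipt -A INPUT -p tcp --dport 443 -j ACCEPT
    ipt -A INPUT -j DROP                           # catch-all; must stay last
}

# Reads a command list (one per line, as DRY_RUN=1 build_input_rules prints) from
# stdin and prints how many INPUT rules sit after the catch-all DROP. Anything
# appended with -A after that rule can never match, so the answer should be 0.
unreachable_rules() {
    awk '/-A INPUT -j DROP$/ { seen_drop = 1; next }
         seen_drop && /-A INPUT/ { n++ }
         END { print n + 0 }'
}

# Review before applying over SSH:   DRY_RUN=1 build_input_rules | unreachable_rules
```

Run the dry run and check the listing before applying it over SSH; a ruleset that leaves out your SSH port ends your own session along with everyone else's. Later rules should be added with -I (insert) or by rebuilding the chain, since anything appended with -A after the catch-all DROP is unreachable.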

Deleting rules

If you want to delete all rules and start with a clean slate, you can use the -F (flush) option:

sudo iptables -F

This command clears all current rules. However, to delete a specific rule, you must use the -D option. First, you need to see all the available rules by entering the following command:

sudo iptables -L --line-numbers

You will get a list of rules with numbers:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  192.168.0.4          anywhere
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

To delete a rule, insert the corresponding chain and number from the list. Let’s say that for this iptables tutorial, we want to get rid of rule number three of the INPUT chain. The command should be:

sudo iptables -D INPUT 3
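A helper for the rule-number step above, added here as an example and not part of the original tutorial: it parses the listing from sudo iptables -L INPUT -n --line-numbers (the -n flag prints numeric ports instead of names such as http), runs on a constructed sample listing, and emits the delete commands highest number first, so earlier deletions do not renumber the rules still to be removed.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Constructed sample of
# `sudo iptables -L INPUT -n --line-numbers` output (not captured from a real server):
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  192.168.0.4          0.0.0.0/0
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80'

# Reads a listing from stdin and prints the numbers of rules that have a field
# exactly equal to $1 (e.g. "dpt:80" or "192.168.0.4"), highest first.
# Highest first matters: after `iptables -D INPUT 3`, old rule 5 becomes rule 4,
# so deleting in ascending order would remove the wrong rule.
rule_numbers_for() {
    awk -v pat="$1" '
        $1 ~ /^[0-9]+$/ {
            for (i = 2; i <= NF; i++) if ($i == pat) { print $1; break }
        }' | sort -rn
}

# Emits (does not run) one `iptables -D INPUT <num>` per matching rule.
delete_commands_for() {
    rule_numbers_for "$1" | while read -r n; do
        echo "sudo iptables -D INPUT $n"
    done
}

# Sample run:   printf '%s\n' "$SAMPLE_LISTING" | delete_commands_for dpt:80
# Live server:  sudo iptables -L INPUT -n --line-numbers | delete_commands_for dpt:80
```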

Step 3 – Persisting changes

The iptables rules we have created are stored in memory. That means we have to save them to a file so we can load them again after a reboot. To do this, use the following commands, depending on whether you are saving IPv4 or IPv6 rules (the redirect runs inside sudo sh -c because it is the shell, not iptables-save, that writes the file, and IPv6 rules are handled by ip6tables-save):

sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
sudo sh -c 'ip6tables-save > /etc/iptables/rules.v6'

Now, every time you restart your VPS, you will need to load the saved rules with the following commands:

sudo sh -c 'iptables-restore < /etc/iptables/rules.v4'
sudo sh -c 'ip6tables-restore < /etc/iptables/rules.v6'

If you want the loading process to be completely automatic, you can install the iptables-persistent package and it will take care of loading the rules:

sudo apt-get install iptables-persistent

After installation, you will be prompted to save the current rules. Choose Yes for IPv4 and IPv6 and finish the configuration. Now the loading process will be automatic. Note that you will still need to run the save commands above whenever you make changes to iptables.

Conclusion

Iptables is a powerful firewall program that you can use to protect your Linux server or VPS. The good thing is that you can define several rules based on your preferences.

In this iptables tutorial, you learned how to install and use the tool. Now, we hope you can manage your rule sets to filter incoming and outgoing packets.

It’s time to try it yourself and good luck!