Iptables Tutorial: Securing Your VPS with the Linux Firewall
- HolyHosting

- Oct 30
- 5 min read
Are you looking for a complete tutorial on iptables for your VPS? This article will show you how to install and use iptables on an Ubuntu system. You can secure your VPS using the command-line interface by learning about this Linux firewall tool.

What is Iptables?
Iptables is the user-space tool for configuring the packet filter built into the Linux kernel (netfilter). Its configuration is organized into tables; each table holds chains, which are ordered lists of rules that are checked against every packet passing through that chain.
How Does Iptables Work?
Rules in a chain are checked from top to bottom, and the first rule a packet matches decides its fate. The rule's target is either another (user-defined) chain, which the packet jumps to, or one of these built-in verdicts:
ACCEPT: lets the packet through; no later rule in the chain is consulted.
DROP: discards the packet silently, so the sender sees a timeout rather than an error. (REJECT, not covered here, sends an error back instead.)
RETURN: stops processing the current chain and resumes in the chain that jumped to it; in a built-in chain it means the chain's policy applies.
A packet that matches no rule at all gets the chain's default policy (ACCEPT or DROP). Because the first match wins, the order in which you add rules matters as much as the rules themselves.
In this iptables tutorial, we will work with one of the default tables called "filter." This table has three chains:
INPUT: controls packets coming into the server.
FORWARD: controls packets routed through the server to another host (traffic not addressed to the server itself).
OUTPUT: filters packets leaving your server.
Before starting this guide, make sure you have root or sudo SSH access to your machine running Ubuntu 16.04 or higher. You can connect via PuTTY (Windows) or the terminal (Linux, macOS). If you have a Holy VPS, you can find your SSH login details in the "Servers" tab of hPanel.
Important: iptables rules apply to IPv4 only. If your VPS also has an IPv6 address, that address stays unprotected until you add matching rules with "ip6tables", which takes the same syntax. On Ubuntu 20.04 and later, the iptables command is a compatibility front end to nftables (iptables-nft); the commands in this tutorial work unchanged there.
How to Install and Use the Linux Iptables Firewall
We’ll divide this iptables tutorial into three steps. First, you’ll learn how to install the tool on Ubuntu. Second, we’ll show you how to define rules. Finally, we’ll guide you through making iptables changes persistent.
1. Install Iptables
Iptables comes preinstalled on most Linux distributions. However, if you don’t have it on your Ubuntu/Debian system by default, follow these steps:
Connect to your server via SSH. If you don’t know how, check our SSH tutorial.
Run the following commands one by one:
sudo apt-get update
sudo apt-get install iptables
Check the status of your current iptables configuration by running:
sudo iptables -L -v -n
Here, -L lists the rules of every chain, -v adds the packet and byte counters plus the interface columns, and -n prints addresses and ports as numbers instead of looking up names, which keeps the listing fast even when the rules reference many addresses.
You’ll get output similar to this:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Now you have the Linux iptables firewall installed. At this point every chain has an ACCEPT policy and no rules, so every packet to, from and through the server passes unfiltered. The next step of this iptables tutorial defines rules to change that.
2. Define Chain Rules
Defining a rule means adding it to a chain. To append a rule to the end of a chain, use the -A (append) option followed by the chain name:
sudo iptables -A <chain> ...
(-I <chain> inserts the rule at the top of the chain instead, which matters because the first matching rule wins.) The rest of the command describes which packets the rule matches and what happens to them, using options such as:
-i (interface): the network interface you want to filter traffic from, like eth0, lo, ppp0, etc.
-p (protocol): the network protocol where filtering takes place. It can be tcp, udp, udplite, icmp, sctp, icmpv6, and more. Alternatively, you can write "all" to choose all protocols.
-s (source): the address the traffic comes from, as a single IP (192.168.1.3) or a CIDR block (192.168.1.0/24). A hostname is also accepted, but it is resolved once, when the rule is created, so prefer addresses.
--dport (destination port): the port the packet is addressed to, like 22 (SSH) or 443 (HTTPS). It is only valid together with a protocol that has ports (-p tcp or -p udp), which is why the protocol always comes before it.
-j (target): what to do with a matching packet: ACCEPT, DROP, RETURN, REJECT, LOG, or the name of another chain. A rule without -j only counts matching packets, so in practice you include it every time.
To use all these parameters, write the command in this order:
sudo iptables -A <chain> -i <interface> -p <protocol (tcp/udp)> -s <source> --dport <port number> -j <target>
Once you understand the basic syntax, you can start configuring the firewall to make your server more secure. For this iptables tutorial, we’ll use the "INPUT" chain as an example.
Enable Traffic on localhost
To allow traffic on localhost, run:
sudo iptables -A INPUT -i lo -j ACCEPT
The "lo" (loopback) interface carries all traffic the server sends to itself. Accepting it first keeps local connections working once stricter rules follow, for example between a web application and a database on the same machine.
Enable Connections on the SSH, HTTP and HTTPS Ports
Next, we want http (port 80), https (port 443), and ssh (port 22) connections to work normally. To do this, specify the protocol (-p) and the corresponding port (--dport). Run these commands one by one:
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
Now check that the rules have been added:
sudo iptables -L INPUT -v -n
The listing should show three ACCEPT rules for TCP traffic to the specified ports (dpt:22, dpt:80 and dpt:443). Keep the SSH rule above any DROP rule, and where possible restrict it with -s to the addresses you administer from: an SSH rule that is missing, or placed after a DROP, locks you out of the VPS.
Filter Packets by Source
Iptables lets you filter packets by a single IP, a CIDR block, or a range of IPs. Specify it after the -s option. For example, to accept packets from 192.168.1.3, run:
sudo iptables -A INPUT -s 192.168.1.3 -j ACCEPT
To block packets from a specific IP instead, replace ACCEPT with DROP:
sudo iptables -A INPUT -s 192.168.1.3 -j DROP
These two commands are alternatives, not a sequence: because the first matching rule wins, a DROP appended after an ACCEPT for the same source is never reached. Block rules belong at the top of the chain (use -I INPUT instead of -A INPUT) so they are checked before any ACCEPT rule.
To block packets from a range of IPs, use the -m option with the iprange module. Then specify the range with --src-range, using a hyphen without spaces:
sudo iptables -A INPUT -m iprange --src-range 192.168.1.100-192.168.1.200 -j DROP
Filtering packets by source is how you act on the output of an intrusion detection and prevention system (IDS/IPS) such as Suricata, which monitors your VPS network traffic and alerts you about malicious traffic.
The alerts name the source of each malicious packet, and those addresses are what you add to your iptables block list. Check our article to learn more about configuring Suricata on Ubuntu.
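The script below is an added example written for this article; it is not code from the original tutorial or from Suricata. It loads a list of offending sources (for instance, addresses copied out of IDS alerts) into a dedicated BLOCKLIST chain, which is itself used as a jump target from INPUT, and inserts that jump at position 1 so the block list is consulted before any ACCEPT rule. Single addresses, CIDR blocks and hyphenated ranges are validated before being turned into rules; anything else is reported and skipped. It assumes iptables is installed and that it runs as root; the sample list is constructed for the example, and setting IPT=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example for this article (not from the original tutorial).
# Loads a list of offending sources into a dedicated BLOCKLIST chain that
# INPUT jumps to before any ACCEPT rule. Assumptions: iptables installed,
# run as root. Set IPT=echo to print the commands instead of applying them.
IPT="${IPT:-iptables}"

# Constructed sample input, one entry per line. The duplicate and the
# garbage line are included to show how they are handled.
BLOCKLIST_SAMPLE='203.0.113.7
198.51.100.0/24
192.0.2.10-192.0.2.20
not-an-address
203.0.113.7'

# True if $1 is a dotted quad with every octet in 0..255.
is_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# True if $1 is a valid IPv4 prefix length (0..32).
is_prefix_len() {
  printf '%s' "$1" | grep -Eq '^[0-9]{1,2}$' && [ "$1" -le 32 ]
}

# Rebuild the BLOCKLIST chain from the list in $1 and hook it into INPUT.
# Malformed entries are reported on stderr and skipped rather than aborting
# the whole load, so one bad line cannot leave the server unprotected.
block_rules() {
  $IPT -N BLOCKLIST 2>/dev/null || true   # no-op if the chain already exists
  $IPT -F BLOCKLIST
  printf '%s\n' "$1" | sort -u | while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    case "$entry" in
      *-*)
        if is_ipv4 "${entry%-*}" && is_ipv4 "${entry#*-}"; then
          $IPT -A BLOCKLIST -m iprange --src-range "$entry" -j DROP
        else
          echo "skipping malformed range: $entry" >&2
        fi ;;
      */*)
        if is_ipv4 "${entry%/*}" && is_prefix_len "${entry#*/}"; then
          $IPT -A BLOCKLIST -s "$entry" -j DROP
        else
          echo "skipping malformed CIDR: $entry" >&2
        fi ;;
      *)
        if is_ipv4 "$entry"; then
          $IPT -A BLOCKLIST -s "$entry" -j DROP
        else
          echo "skipping malformed address: $entry" >&2
        fi ;;
    esac
  done
  # Insert at position 1 rather than append: a DROP placed after the ACCEPT
  # rules for ports 22/80/443 is never reached for traffic to those ports,
  # because the earlier ACCEPT has already decided the packet.
  $IPT -D INPUT -j BLOCKLIST 2>/dev/null || true   # avoid a duplicate jump on reload
  $IPT -I INPUT 1 -j BLOCKLIST
}

# Only apply when explicitly asked: "sh blocklist.sh apply".
if [ "${1:-}" = "apply" ]; then
  block_rules "$BLOCKLIST_SAMPLE"
fi
```

Re-running the script replaces the chain's contents, so a blocklist file regenerated from fresh alerts can be reloaded without touching the service rules in INPUT. Preview the commands first with IPT=echo sh blocklist.sh apply.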
Block All Other Traffic
After the ACCEPT rules for the ports you need, everything else should be dropped, so that unauthorized connections cannot reach other open ports. One way to do this is to append a catch-all DROP rule:
sudo iptables -A INPUT -j DROP
Now connections to anything other than the specified ports are blocked. Three things to keep in mind:
Order: this rule must stay the last one in the chain. Any rule you append with -A afterwards lands below it and is never reached, so insert later rules with -I, or delete and re-add the DROP.
Return traffic: as written, this setup also drops the replies to connections the server itself opens (apt updates, DNS lookups, outbound HTTPS), because those replies arrive on INPUT addressed to a random high port that no ACCEPT rule covers. Before the DROP, add a rule that accepts packets belonging to an existing connection (the conntrack match with the ESTABLISHED and RELATED states).
Policy: the same effect is more commonly achieved with a default policy (sudo iptables -P INPUT DROP) instead of a trailing rule. A policy applies only to packets that matched no rule, so rules appended later still take effect. Set the policy only after the loopback, connection-state and SSH rules are in place, or you will lock yourself out.
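The script below is an added example written for this article, not part of the original tutorial or of any HolyHosting product. It puts the rules from this tutorial in the order they need to come in and adds the two pieces the step-by-step commands leave out: the connection-state rule that lets replies to the server's own outbound connections back in, and a DROP policy instead of a trailing DROP rule. It assumes iptables is installed, that it runs as root, and that SSH listens on port 22 (override with SSH_PORT). Setting IPT=echo prints the commands without applying them.

```shell
#!/bin/sh
# Added example for this article (not from the original tutorial).
# Baseline INPUT policy for a VPS exposing SSH, HTTP and HTTPS.
# Assumptions: run as root with iptables installed; SSH on port 22 unless
# SSH_PORT is set. Set IPT=echo to print the commands instead of applying.
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"

firewall_rules() {
  # Reset to a permissive state first so a typo part-way through cannot
  # leave the chain with a DROP policy and no allow rules (an SSH lockout).
  $IPT -P INPUT ACCEPT
  $IPT -F INPUT

  # 1. Loopback: local services (database <-> web app) talk over lo.
  $IPT -A INPUT -i lo -j ACCEPT

  # 2. Replies to connections this server opened (apt, DNS, outbound HTTPS).
  #    Without this, the final DROP silently breaks all outbound traffic.
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # 3. Packets conntrack cannot classify are malformed or out of state.
  $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

  # 4. Echo requests so ping and basic reachability checks still work.
  $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

  # 5. New connections to the public services. SSH comes first so the
  #    session running this script is never cut off.
  $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
  $IPT -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
  $IPT -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT

  # 6. Log a rate-limited sample of what is about to be dropped, then drop
  #    by chain policy. Unlike a trailing "-A INPUT -j DROP" rule, a policy
  #    still lets rules appended later take effect.
  $IPT -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables-drop: "
  $IPT -P INPUT DROP
}

# Only apply when explicitly asked: "sh firewall.sh apply".
if [ "${1:-}" = "apply" ]; then
  firewall_rules
  $IPT -L INPUT -v -n --line-numbers
fi
```

Preview with IPT=echo sh firewall.sh apply, then run sh firewall.sh apply from an SSH session and open a second session to confirm you can still log in before closing the first. The rules live in kernel memory and are gone after a reboot; on Ubuntu the iptables-persistent package restores /etc/iptables/rules.v4 at boot, and iptables-save > /etc/iptables/rules.v4 writes the current rule set there.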
Delete Rules
To delete all rules and start fresh, use the -F (flush) option:
sudo iptables -F
This removes every rule from every chain of the filter table but leaves the chain policies untouched. If you have set a policy of DROP, flushing removes your ACCEPT rules and locks you out, so set the policies back to ACCEPT (sudo iptables -P INPUT ACCEPT) before flushing. To delete a specific rule, use the -D option. First, list all rules with their positions:
sudo iptables -L --line-numbers
You’ll get a numbered list:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 192.168.0.4 anywhere
2 ACCEPT tcp -- anywhere anywhere tcp dpt:https
3 ACCEPT tcp -- anywhere anywhere tcp dpt:http
4 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
To remove a rule, give the chain and the number from the list. For example, to delete rule number three from the "INPUT" chain (the http rule in the listing above):
sudo iptables -D INPUT 3
The numbers are recomputed after each deletion, so list again before deleting another rule, or delete from the highest number down. You can also delete a rule by repeating its full specification with -D in place of -A.
Alternatively, if you only need to filter incoming traffic, you can use Holy VPS Firewall. Select your VPS and go to the Firewall section.
Conclusion
We hope this guide has been helpful! 🚀 Remember, don’t hesitate to ask questions on the HolyHosting Discord or contact our support team.
Follow us on Twitter @HolyHosting to stay up to date.

Stuffy @ HolyHosting