Old 14th November 2009, 14:43
Emil M
Junior Member
Join Date: Nov 2009
Posts: 10
Thanks: 3
Thanked 0 Times in 0 Posts
IPTables or any other firewall for server

Sorry, not quite sure where to post this. I have a server that's running:

Webserver (http, https)
Mailserver (pop3s, imaps smtp)
FTP server (Explicit SFTP)
Databaseserver (no remote access)

Could there be any tutorial in here that fits my needs? I've no experience with iptables so far and every time I tried I messed something up (I basically try to block all ports except those I've read these services use).
Old 15th November 2009, 14:50
falko
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,752 Times in 2,582 Posts

You could install some kind of wrapper script like shorewall or Bastille - they make it easy to configure iptables.
Old 17th November 2009, 16:31
id10t
Senior Member
Join Date: Nov 2008
Posts: 242
Thanks: 2
Thanked 22 Times in 22 Posts

I like using ufw - very simple syntax

ufw allow 80

or if your service has keywords associated with it

ufw allow http
Old 18th November 2009, 03:27
Emil M
Junior Member
Join Date: Nov 2009
Posts: 10
Thanks: 3
Thanked 0 Times in 0 Posts

Thanks. Works very well. Can I limit port 22 / SSH to only some IPs?
Old 18th November 2009, 10:13
damir
Senior Member
Join Date: Jun 2006
Posts: 375
Thanks: 11
Thanked 51 Times in 42 Posts

This should work (change the IP):
sudo ufw allow proto tcp from to any port 22
Old 2nd December 2009, 04:28
btomasik
Junior Member
Join Date: Nov 2009
Posts: 18
Thanks: 2
Thanked 0 Times in 0 Posts

This would be an example of a simple firewall doing exactly as you asked. Further complex configurations such as with logging, NAT, rate limiting, QoS, etc. are not difficult and operate very similarly. Just remember iptables used to be called ipchains because essentially an incoming packet goes down its initial chain (INPUT or FORWARD) until either 1. explicitly accepted, 2. explicitly DROP/REJECT, 3. is passed off to another chain. And if it meets no specific action (or jump [i.e. -j ACCEPT]) then it follows the default policy specified by running "iptables -P {INPUT,OUTPUT,FORWARD} {ACCEPT,DROP,REJECT}".

With that, consider the following:

#!/bin/sh
# $IPT was never defined in the post; point it at the iptables binary
IPT=/sbin/iptables

# Allow loopback traffic so local-only services (the database) keep working
# once the INPUT policy is DROP
$IPT -A INPUT -i lo -j ACCEPT

# Accept all RELATED or ESTABLISHED tcp packets
$IPT -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow new http/https connections
$IPT -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

# Allow new smtp,pop3s,imaps
$IPT -A INPUT -p tcp -m multiport --dports 25,465,993 -j ACCEPT

# Allow new ftps connections
# (989/990 are the implicit-FTPS ports; explicit FTPS uses 21 plus the passive data range)
$IPT -A INPUT -p tcp -m multiport --dports 989,990 -j ACCEPT
$IPT -A INPUT -p udp -m multiport --dports 989,990 -j ACCEPT

# Allow new SSH connection from ENTIRE internet
#$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow new SSH conn from only <IP>
$IPT -A INPUT -p tcp -s <IP> --dport 22 -j ACCEPT

# The below code will ensure that no other incoming
# packets are accepted nor packets that could be
# destined for FORWARD'ing to other machines.
# (these two policy lines were cut off in the post and are reconstructed from
# the "iptables -P" explanation above)
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
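As an added example (not code from any poster in this thread), a POSIX sh script that builds the ruleset for the original service list with SSH limited to an admin allowlist, as asked in the follow-up. It validates every allowlist entry before touching the firewall, so a mangled or empty address cannot produce a broken rule, and it runs as a dry run that prints the commands unless IPT is pointed at the real binary. The passive FTP port range (FTP_PASV) is an assumption; match it to your FTP daemon's configuration.

```shell
#!/bin/sh
# Constructed example: iptables ruleset for web, mail, explicit FTPS and
# allowlisted SSH. Dry run by default: IPT="echo iptables" prints the commands.
# Set IPT=/sbin/iptables (as root) to apply. Usage: sh fw.sh 203.0.113.10 198.51.100.0/24
IPT="${IPT:-echo iptables}"
FTP_PASV="50000:50100"   # assumed passive port range configured in the FTP daemon

# Accept only a well-formed IPv4 address or CIDR; an empty or malformed source
# would otherwise produce a broken rule (or none at all, leaving SSH unrestricted).
valid_ipv4_cidr() {
    case "$1" in
        */*) addr="${1%/*}"; prefix="${1#*/}" ;;
        *)   addr="$1"; prefix=32 ;;
    esac
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    echo "$prefix" | grep -Eq '^[0-9]{1,2}$' || return 1
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    for octet in $addr; do
        [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
}

# $1: space-separated admin addresses allowed to reach port 22. Every entry is
# validated before the first iptables call so a typo cannot leave a half-built ruleset.
build_rules() {
    for a in $1; do
        valid_ipv4_cidr "$a" || { echo "bad admin address: $a" >&2; return 1; }
    done
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT      # http, https
    $IPT -A INPUT -p tcp -m multiport --dports 25,995,993 -j ACCEPT  # smtp, pop3s, imaps
    # Explicit FTPS: control channel on 21; TLS hides PORT/PASV from the conntrack
    # FTP helper, so the passive data range must be opened explicitly.
    $IPT -A INPUT -p tcp --dport 21 -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$FTP_PASV" -j ACCEPT
    for a in $1; do
        $IPT -A INPUT -p tcp -s "$a" --dport 22 -j ACCEPT
    done
    # Log (rate-limited) what is about to be dropped, then set the default-deny
    # policies last so an existing remote session survives the rebuild.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}
if [ "$#" -gt 0 ]; then build_rules "$*"; fi
```

Run it first in dry-run mode and read the printed commands; only then apply with IPT=/sbin/iptables, and remember that iptables rules do not survive a reboot unless saved with your distribution's persistence mechanism.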