When setting up an Ubuntu server, you'll want to establish basic security, including a firewall that only accepts certain kinds of incoming requests and only lets through the responses that belong to them. This code will:
- Flush your current firewall rules
- Allow all output, because it's our own server and we're not hosting other people's stuff (as a shared server would)
- Allow input requests for SSH, port 80 and port 443 (HTTP and HTTPS, i.e. TLS/SSL)
- Log denied requests with the prefix "iptables denied:"
- Then save these rules to a file called /etc/iptables.up.rules
Note: Run the following as root (for example after sudo -i). Prefixing each command with sudo is not enough for the last two lines, because the shell performs the > and < redirections on /etc/iptables.up.rules as your unprivileged user.
# Start from an empty rule set (flushes the rules in every chain; the chain policies stay ACCEPT)
iptables -F
# This is our own server, so allow all outbound traffic
iptables -A OUTPUT -j ACCEPT
# Allow local connections over the loopback interface; without this, services on the box
# cannot talk to each other on any port other than the ones opened below
iptables -A INPUT -i lo -j ACCEPT
# Answer ping (ICMP echo request)
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Accept packets that belong to connections we already allowed or initiated ourselves
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New inbound connections: SSH, HTTP and HTTPS only
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Log everything else (rate-limited to 5 entries per minute so the log cannot be flooded), then drop it
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -A INPUT -j DROP
# We are not a router, so drop anything that would be forwarded
iptables -A FORWARD -j DROP
# Save the rules, then reload them from the file to confirm the file restores cleanly
iptables-save > /etc/iptables.up.rules
iptables-restore < /etc/iptables.up.rules
When your server restarts, it comes back with Ubuntu's default iptables rules, not ours. To use our custom ones, we'll edit this file so that it re-establishes our rules each time the network interface is brought up:
nano /etc/network/if-pre-up.d/iptables
Edit the file to look like this:
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
Make the file executable:
chmod +x /etc/network/if-pre-up.d/iptables
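As an added example (not part of the original post), here is a small POSIX shell check you can run against /etc/iptables.up.rules, or against a fresh iptables-save dump after a reboot, to confirm the rule set above really is in place: it verifies that SSH, 80 and 443 are accepted, that FORWARD is dropped, that the LOG rule sits before the catch-all DROP, and that nothing was appended after that DROP (a rule added later with iptables -A lands after it and never matches, which is why a port "opened" that way stays blocked). The two embedded rule dumps are constructed samples of what iptables-save writes for this ruleset (it stores --dport ssh as 22); verify_ruleset and the temporary file names are my own.

```shell
# Constructed sample of what iptables-save writes for the ruleset on this page
# (the "Generated by" header is shortened).
GOOD_RULES='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
COMMIT'
# Same ruleset after someone later ran "iptables -A INPUT -p tcp --dport 8080 -j ACCEPT":
# the rule is appended after the catch-all DROP, so it never matches and 8080 stays blocked.
BAD_RULES=$(printf '%s\n' "$GOOD_RULES" \
  | awk '{ print } /^-A INPUT -j DROP$/ { print "-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT" }')
# verify_ruleset FILE: return 0 when the INPUT chain accepts SSH/80/443, logs before
# dropping, and the catch-all DROP is the last INPUT rule; otherwise print why and return 1.
verify_ruleset() {
    f="$1"
    for port in 22 80 443; do
        grep -q -- "^-A INPUT -p tcp .*--dport $port -j ACCEPT\$" "$f" \
            || { echo "missing ACCEPT for tcp/$port"; return 1; }
    done
    grep -q -- '^-A FORWARD -j DROP$' "$f" || { echo "FORWARD is not dropped"; return 1; }
    # Line numbers of the LOG rule, the catch-all DROP and the last INPUT rule in the dump
    log_ln=$(grep -n -- '^-A INPUT .*-j LOG' "$f" | cut -d: -f1 | head -n 1)
    drop_ln=$(grep -n -- '^-A INPUT -j DROP$' "$f" | cut -d: -f1 | head -n 1)
    last_ln=$(grep -n -- '^-A INPUT ' "$f" | cut -d: -f1 | tail -n 1)
    [ -n "$drop_ln" ] || { echo "no catch-all DROP in INPUT"; return 1; }
    [ -n "$log_ln" ] && [ "$log_ln" -lt "$drop_ln" ] \
        || { echo "LOG rule missing or after DROP, so denied packets are never logged"; return 1; }
    [ "$drop_ln" -eq "$last_ln" ] \
        || { echo "INPUT rules after the catch-all DROP are unreachable"; return 1; }
    return 0
}
# Demo on the two constructed samples
tmp=$(mktemp -d)
printf '%s\n' "$GOOD_RULES" > "$tmp/good.rules"
printf '%s\n' "$BAD_RULES"  > "$tmp/bad.rules"
verify_ruleset "$tmp/good.rules" && echo "good.rules: OK"
verify_ruleset "$tmp/bad.rules"  || echo "bad.rules: rejected"
rm -r "$tmp"
```

On a live server, dump the running rules first (iptables-save > /tmp/live.rules, as root) and call verify_ruleset /tmp/live.rules on that, so you check what the kernel actually loaded rather than only the saved file.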
Thanks Brad! I'm really getting a lot out of your web server workflow series on youtube.com!