In this how-to we will show you how to secure your VPS using IPTables. When you host a server on the internet, dedicated or a VPS, you need to constantly be aware of security. Blocking unwanted access to services is a good start and that is where IPTables comes in. IPTables is a host based firewall that is highly powerful. You can do a lot more than just permit access based on ports or source and desitination IP addresses. you can do natting or throttling as well. We will save those last few for a more advanced how-to.
The first thing we need to do obviously is install the packages.
Install IPTables Package
yum install iptables
Now to define a rule base. You need to stop here for a minute and think what services do you need to be reachable on this host? Is it a web server? Then ports 443 and 80 should suffice. But if you are running a mail server you may need port 25 as well. You also need to determin if you will respond to ping because ICMP needs to be tightened up. Then you need to think about established connections and internal loopback connections. You want all that to work as well. Then again you need to still be able to access your server so you will need port 22 for SSH.
We will use all these ports and protocols as an example. You can add or remove ports as needed for your setup.
Configure IPTables Rules
# Accept traffic from internal interfaces iptables -A INPUT ! -i eth0 -j ACCEPT # Accept traffic with the ACK flag set -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT # Allow incoming data that is part of a connection we established iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT # Allow data that is related to existing connections iptables -A INPUT -m state --state RELATED -j ACCEPT # Accept responses to DNS queries iptables -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT # Accept responses to our pings iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT # Accept notifications of unreachable hosts iptables -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT # Accept notifications to reduce sending speed iptables -A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT # Accept notifications of lost packets iptables -A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT # Accept notifications of protocol problems iptables -A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT # Allow connections to our SSH server iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT # Respond to pings iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT # Allow connections to webserver iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT # Allow SSL connections to webserver iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT #Allow connections to SMTP server for mail delivery iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT iptables save
Now you have a basic rulebase built but you still need to start the firewall. You also want to start IPTables on boot so you need to enable it.
/etc/init.d/iptables start chkconfig iptables on
If everything went well you should still be able to access your server on the ports you have opened, yet any other services running, like VNC, will be blocked. You can test this using open-source tools like Nmap.