Admin: New server guide

2026-04-13T10:00:58Z

New server guide

New page

== Setting Up iptables Firewall ==

This guide provides a comprehensive overview of setting up and managing the iptables firewall on Linux systems. iptables is a powerful command-line utility that allows you to configure the Linux kernel firewall. It enables you to define rules for packet filtering, network address translation (NAT), and more, acting as a crucial layer of security for your server.

== Prerequisites ==

Before you begin, ensure you have the following:

* A Linux server (e.g., Ubuntu, Debian, CentOS).
* Root or sudo privileges on the server.
* Basic understanding of networking concepts (IP addresses, ports, protocols).
* SSH access to your server.

== Understanding iptables Basics ==

iptables operates using a set of ''tables'', each containing ''chains'' of ''rules''.

* '''Tables''': The most common tables are:
** '''filter''': Used for packet filtering (allowing or denying traffic). This is the default table.
** '''nat''': Used for Network Address Translation (e.g., port forwarding, masquerading).
** '''mangle''': Used for altering packet headers (e.g., Quality of Service).
* '''Chains''': These are sequences of rules that packets traverse. Common built-in chains are:
** '''INPUT''': For packets destined for the local system.
** '''OUTPUT''': For packets originating from the local system.
** '''FORWARD''': For packets that are routed through the system (not destined for it).
* '''Rules''': Each rule specifies criteria for matching packets and an action to take (e.g., ACCEPT, DROP, REJECT).

== Basic Firewall Configuration (Filter Table) ==

The ''filter'' table is where you'll define most of your security policies.

=== Default Policies ===

It's good practice to set default policies that are restrictive, then explicitly allow what you need.

# Set the default policy for the INPUT chain to DROP (block all incoming traffic by default).
<pre>sudo iptables -P INPUT DROP</pre>

# Set the default policy for the FORWARD chain to DROP (if your server acts as a router, otherwise DROP is fine).
<pre>sudo iptables -P FORWARD DROP</pre>

# Set the default policy for the OUTPUT chain to ACCEPT (allow all outgoing traffic by default).
<pre>sudo iptables -P OUTPUT ACCEPT</pre>

=== Allowing Essential Traffic ===

Now, we need to allow specific traffic that is essential for your server to function.

# Allow traffic on the loopback interface (localhost). This is crucial for many local services.
<pre>sudo iptables -A INPUT -i lo -j ACCEPT</pre>

# Allow established and related connections. This is vital for return traffic from outgoing connections.
<pre>sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT</pre>

# Allow SSH (port 22) to enable remote access. Replace 22 with your SSH port if you've changed it.
<pre>sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT</pre>

# Allow HTTP (port 80) for web servers.
<pre>sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT</pre>

# Allow HTTPS (port 443) for secure web servers.
<pre>sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT</pre>

=== Viewing iptables Rules ===

To see the rules you've added, use the following command:

<pre>sudo iptables -L -v -n</pre>

* `-L`: List rules.
* `-v`: Verbose output (shows interface, packet/byte counts).
* `-n`: Numeric output (shows IP addresses and port numbers instead of resolving them).

== Network Address Translation (NAT) ==

NAT is used to modify network address information in packet headers. A common use case is masquerading, where your server acts as a gateway for a private network, giving it internet access.

=== Enabling IP Forwarding ===

For NAT to work, you need to enable IP forwarding in the kernel.

1. Edit the sysctl configuration file:
<pre>sudo nano /etc/sysctl.conf</pre>
2. Uncomment or add the following line:
<pre>net.ipv4.ip_forward=1</pre>
3. Save and close the file.
4. Apply the changes immediately:
<pre>sudo sysctl -p</pre>

=== Setting Up Masquerading ===

This rule allows traffic from a private network (e.g., 192.168.1.0/24) to access the internet through your server's public IP address. Replace `eth0` with your server's public network interface.

<pre>sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE</pre>

This command tells iptables to masquerade (hide) the source IP address of packets leaving the `eth0` interface with the IP address of `eth0` itself.

== Port Forwarding ==

Port forwarding allows you to direct incoming traffic on a specific port on your server to a different IP address and/or port on your internal network.

For example, to forward traffic from your server's port 8080 to an internal web server at 192.168.1.100 on port 80:

1. First, ensure that the FORWARD chain is configured to accept the traffic. If your default FORWARD policy is DROP, you'll need to allow it:
<pre>sudo iptables -A FORWARD -p tcp --dport 80 -d 192.168.1.100 -j ACCEPT</pre>
(Adjust the destination IP and port as needed).

2. Then, add the NAT rule to redirect the traffic.
<pre>sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.100:80</pre>

This rule tells iptables: "When a TCP packet arrives destined for port 8080 on this server, change its destination to 192.168.1.100 on port 80."

== Saving iptables Rules ==

iptables rules are volatile and will be lost upon reboot unless saved. The method for saving rules varies by distribution.

=== For Debian/Ubuntu ===

1. Install the `iptables-persistent` package:
<pre>sudo apt-get update</pre>
<pre>sudo apt-get install iptables-persistent</pre>
During installation, you'll be prompted to save the current IPv4 and IPv6 rules.

2. To save rules manually after making changes:
<pre>sudo netfilter-persistent save</pre>

=== For CentOS/RHEL (using `iptables-services`) ===

1. Install `iptables-services`:
<pre>sudo yum install iptables-services</pre>
Or for newer systems:
<pre>sudo dnf install iptables-services</pre>

2. Enable and start the service:
<pre>sudo systemctl enable iptables</pre>
<pre>sudo systemctl start iptables</pre>

3. Save the current rules:
<pre>sudo service iptables save</pre>
Or:
<pre>sudo iptables-save > /etc/sysconfig/iptables</pre>

== Advanced Techniques and Considerations ==

* '''Rate Limiting''': Protect against brute-force attacks by limiting the rate of incoming connections.
<pre>sudo iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 5 -j DROP</pre>
This example drops connections if more than 5 new connections per minute are attempted to port 22.

* '''Stateful Firewall''': The `conntrack` module (used in `ESTABLISHED,RELATED`) makes iptables stateful, meaning it tracks the state of network connections.

* '''IPv6 Firewall''': Remember to configure `ip6tables` for IPv6 traffic if your server uses it. The syntax is very similar to `iptables`.

* '''GPU Servers''': For demanding applications like machine learning inference or training, consider dedicated GPU servers. You can find cost-effective options at [https://en.immers.cloud/signup/r/20241007-8310688-334/ Immers Cloud], with pricing starting from $0.23/hr for inference to $4.74/hr for H200 GPUs.

== Troubleshooting ==

* '''Can't connect to SSH''':
* Double-check that the SSH port (default 22) is explicitly allowed in your INPUT chain.
* Ensure your default INPUT policy is not DROP or that you have an ACCEPT rule for your IP address.
* Verify that `iptables-persistent` or `iptables-services` is configured to load rules on boot.

* '''Website not accessible''':
* Confirm that ports 80 and 443 are open in the INPUT chain.
* If using NAT/port forwarding, ensure the FORWARD chain is configured correctly and the NAT rule is present and correct.

* '''iptables commands not found''':
* Ensure the `iptables` package is installed on your system.
* For persistent saving, ensure `iptables-persistent` (Debian/Ubuntu) or `iptables-services` (CentOS/RHEL) is installed and configured.

== Further Reading ==

* [[Firewall Configuration]]
* [[SSH Security Best Practices]]
* [[Basic Linux Networking]]

[[Category:Security]]
[[Category:Networking]]
[[Category:Firewall]]

Setting Up iptables Firewall - Revision history

Admin: New server guide