sudo iptables -L<\/em> as before.<\/p>\n\n\n\nNext, traffic to a specific port will be allowed to enable SSH connections with the following:<\/p>\n\n\n\n
sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT<\/pre>\n\n\n\nThe ssh<\/em> in the command translates to port number 22, which the protocol uses by default. The same command structure can also be used to allow traffic to other ports. To enable access to an HTTP web server, use the following command.<\/p>\n\n\n\nsudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT<\/pre>\n\n\n\nAfter adding all the allowed rules you require, change the input policy to drop.<\/p>\n\n\n\n
Warning:<\/span> Changing the default rule to drop will permit only specifically accepted connections. Before changing the default rule, make sure you\u2019ve enabled at least SSH, as shown above.<\/p>\n\n\n\nsudo iptables -P INPUT DROP<\/span><\/pre>\n\n\n\nThe same policy rules can also be defined for other chains by entering the chain name and selecting either DROP or ACCEPT.<\/p>\n\n\n\n
Saving and restoring rules<\/h2>\n\n\n\n
Now, if you were to restart your cloud server, all of these iptables configurations would be wiped. To prevent this, save the rules\u00a0to a file.<\/p>\n\n\n\n
sudo sh -c 'iptables-save > \/etc\/iptables\/rules.v4'<\/pre>\n\n\n\nYou can then simply restore the saved rules by reading your saved file.<\/p>\n\n\n\n
# Overwrite the current rules\nsudo iptables-restore < \/etc\/iptables\/rules.v4\n# Add the new rules keeping the current ones\nsudo iptables-restore -n < \/etc\/iptables\/rules.v4<\/pre>\n\n\n\nYou can automate the restore process at reboot by installing an additional package for iptables, which takes over the loading of the saved rules. To this with the following command.<\/p>\n\n\n\n
sudo aptitude install iptables-persistent<\/pre>\n\n\n\nAfter the installation, the initial setup will ask you to save the current rules for IPv4 and IPv6. Just select Yes<\/em> and press enter for both.<\/p>\n\n\n\nIf you make further changes to your iptables rules, remember to save them again using the same command as above. The iptables-persistent looks for the files rules.v4<\/em> and rules.v6<\/em> under \/etc\/iptables<\/em>.<\/p>\n\n\n\nThese are just a few simple commands you can use with iptables, which is capable of much more. Read on to check on some of the other options available for more advanced control over iptable rules.<\/p>\n\n\n\n
Advanced rule setup<\/h2>\n\n\n\n
As per basic firewall behaviour, the rules are read in the order they are listed on each chain, which means you\u2019ll need to put the rules in the correct order. Appending new rules adds them to the end of the list. You can add new rules to a specific list position by inserting them using iptables -I <index><\/em> -command, where the <index><\/em> is the order number in which you wish to insert the rule. To know which index number to enter, use the following command.<\/p>\n\n\n\nsudo iptables -L --line-numbers<\/pre>\n\n\n\nChain INPUT (policy DROP)\n num target prot opt source destination\n 1 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED\n 2 ACCEPT tcp -- anywhere anywhere , dpt:ssh\n 3 ACCEPT tcp -- anywhere anywhere tcp dpt:http<\/pre>\n\n\n\nThe number at the beginning of each rule line indicates the position in the chain. To insert a new rule above a specific existing rule, simply use the index number of that existing rule. For example, to insert a new rule at the top of the chain, use the following command with index number 1.<\/p>\n\n\n\n
sudo iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT<\/pre>\n\n\n\nIf you wish to remove an existing rule from a certain chain, use the delete command with the parameter -D<\/em>. The easiest way to select the deletion rule is to use the abovementioned index numbers. For example, use this command to delete the second rule on the input chain.<\/p>\n\n\n\nsudo iptables -D INPUT 2<\/pre>\n\n\n\nIt\u2019s also possible to flush all rules of a specific chain or even all the iptables using the -F -parameter. This is useful if you suspect iptables is interfering with your attempted network traffic or you simply wish to start configuring again from a clean table.<\/p>\n\n\n\n
Warning:<\/span> Make sure you set the default rule to ACCEPT before flushing any chain.<\/p>\n\n\n\nsudo iptables -P INPUT ACCEPT<\/span><\/pre>\n\n\n\nAfterwards, you can go ahead and clear other rules. Remember to save the rules to a file before flushing the table in case you want to restore the configuration later.<\/p>\n\n\n\n
# Clear input chain\nsudo iptables -F INPUT\n# Flush the whole iptables\nsudo iptables -F<\/pre>\n\n\n\nWith the iptable<\/tt> flushed, your server could be vulnerable to attacks. Secure your system with an alternative method while disabling iptables, even temporarily.<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"closed","template":"","community-category":[259,253],"class_list":["post-2407","tutorial","type-tutorial","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/tutorial\/2407","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/tutorial"}],"about":[{"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/types\/tutorial"}],"author":[{"embeddable":true,"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/comments?post=2407"}],"version-history":[{"count":0,"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/tutorial\/2407\/revisions"}],"wp:attachment":[{"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/media?parent=2407"}],"wp:term":[{"taxonomy":"community-category","embeddable":true,"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/community-category?post=2407"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}