IP tables and ufw can be used to allow access to your servers ports. If you have a webserver running then you will need to allow port 80 (standard http port) to enable people access to your website.
Please note, these are standard ports and can vary.
CentOS – iptables
iptables -L will list the current iptables rule
iptables -nL will list the current iptable rules and their port number
Allowing http (port 80)
iptables -I INPUT 1 -p tcp –dport 80 -j ACCEPT
The above rule adds itself to the top of your rule list using the -I INUPT 1. It means ‘input’ this rule to position 1. Alternatively you can change the number 1 to any number you wish (expect a number that exceeds your list length)
iptables -A INPUT -p tcp –dport 80 -j ACCEPT
The above rule opens port 80 like before however the -A appends the rule to the bottom of the list of rules.
Allowing mysql (3306) – this rule allows mysql to be accessed remotely, you do not need this rule for local access or for your website to access your db.
iptables -I INPUT 1 -p tcp –dport 3306 -j ACCEPT
It is VERY important to remember to save your iptables once you add new rules. Failure to save the rules means that they will all be lost if the server is restarted. This can mean that you are unable to access your server if you have changed the default ssh port and the rule is lost. BE CAREFUL
To save iptable rules use:
service ipables save
This should write the rules to /etc/sysconfig/iptables
Blocking a specific IP address:
iptables -I INPUT 1 -s “$block this ip” -j DROP
To drop an iptables rule you will need to know the number of the in the list, you can either count the lines or use your normal command with –line-numbers after. E.g: iptables -nL –line-numbers
Once you know the line number you can delete the rule using:
iptables -D INPUT #
Replace the # with the rule number you would like to drop
iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP
Allow ssh from a specific network:
iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Allow mysql from a specific network:
iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
Help prevent a DDos:
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
- -m limit: This uses the limit iptables extension
- –limit 25/minute: This limits only maximum of 25 connection per minute. Change this value based on your specific requirement
- –limit-burst 100: This value indicates that the limit/minute will be enforced only after the total number of connection have reached the limit-burst level
Ubuntu – ufw (uncomplicated firewall)
Ufw is a lot easier to use AND the rules are automatically saved when you enter them
ufw status this will show the current rules
ufw allow 80 this will allow http
ufw allow 443 this allows ssl traffic
ufw allow 3306 will allow mysql access remotely
Please see fail2ban guide for information on whitelisting and blacklisting IP addresses to your server.