There was a problem loading the comments.

User Guide - Using iptables to Enhance Security of your VPS

Support Portal  »  Knowledgebase  »  Viewing Article

Applicable Plans: All Standard VPS, all Advanced VPS, all Premier VPS plans

The purpose of this document is to allow you to setup firewall rules, using iptables, in order to secure your virtual private server (VPS). iptables is a standard part of all modern Linux distributions. It is the tool by which administrators create rules for packet filtering and NAT modules.

The best practice for an effective firewall is to define all ports that should be allowed and block everything else.

This user guide will assume that you are logged into your virtual private server via SSH as root or an account with sudo privileges, and you have a basic understanding of Linux security and the command line. This guide is NOT for beginners. If you are unsure about anything described here please contact eApps technical support. Warning: if you do not carefully follow these instructions, you can accidentally block yourself out of your server. If this happens, you can login to your control panel and restart iptables on your VPS. It is worth noting that the eApps network is already protected by a firewall, however, it is still a good idea to decrease your exposure to the outside by using iptables.

iptables works like most other firewalls in that it will compare a packet to a list of rules, apply that rule to the packet (allow or drop), then move on to the next packet.

There are three default chains for which you can add rules. These are INPUT OUTPUT AND FORWARD. This document will only focus on INPUT as our systems do not typically act as routers or gateways.

Run netstat to see the ports on which your server is listening for connections.

netstat -an

Ports that you might want to keep open are:

FTP-data 20 Only if you use FTP on your server
FTP 21
SMTP 25 Sendmail
DNS 53 Domain Name Service
WWW 80 Standard web server port
POP3 110 For receiving email
IMAP 143
IMAP3 220
LDAP 389 Lightweight Directory Access Protocol
HTTPS 443 HTTP using SSL
SMTPS 465 Secure SMTP
IMAPS 993 Secure IMAP
MySQL 3306 Only use if you need to access your database from the outside
PostgreSQL 5432
SVN 3690 SubVersion
Webcache 8080 To access Tomcat of JBoss directly

For other services you should take a look at /etc/services and remove any services that you know you are not using or that do not need to be accessed from outside localhost.

First you want to allow connections from the services that you do really need to connect to from outside your VPS.

The first rules you should add are:

iptables -A INPUT -j ACCEPT -p tcp --dport 22
iptables -A INPUT -j ACCEPT -p tcp --dport 80
iptables -A INPUT -j ACCEPT -p tcp --dport 25
iptables -A INPUT -j ACCEPT -p tcp -m tcp --sport 25
iptables -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT

Now that you won't block yourself out of SSH you can continue adding services that you need to access from the Internet.

iptables -A INPUT -j ACCEPT -p tcp --dport [port number]

Then allow connections for all other services that you might need from localhost.

iptables -A INPUT -j ACCEPT --source

If you want to be able to ping your VPS (you may not want to allow ping as it can be used as a DoS or DDoS attack)

iptables -A INPUT -p icmp -j ACCEPT

Now Deny EVERYTHING else (make absolutely sure that this is the last rule in your list).

iptables -A INPUT -j DROP -p all

Now back up any previous configurations you might have saved.

cp /etc/sysconfig/iptables{,.bak-`date +%F`}

Save the current running configuration.

iptables-save > /etc/sysconfig/iptables

Then (re)start iptables and verify that your settings were successful.

/etc/init.d/iptables start
/etc/init.d/iptables status

You'll also want to make sure that the iptables service is set to start by default.

chkconfig iptables on

To removeĀ a single rule:

iptables -D INPUT [number of the rule]


iptables -D INPUT [text of the rule]

To remove all rules:

iptables -F INPUT


This simple but VERY effective policy only allows traffic that you intend and can greatly reduce the chance that your VPS can be hacked. The fewer services that you have available to the Internet the better. An optimal situation would be to have ports 22, 80, 443, 110, 143, and 25 visible from the outside. This would allow access your VPS via SSH, web surfing in both normal mode and SSL, and allow POP and IMAP, and SMTP for email.

Share via
Did you find this article useful?  

Related Articles

On-Premise Help Desk Software by SupportPal


© Cloudscale365