This guide helps you secure your server with a default-deny iptables policy: every port is blocked except the ones you explicitly allow, which shrinks the attack surface to the services you actually run.
Follow the steps:
- Remove Current Rules:
- Connect to your server as root.
- Run these commands to delete all existing rules and user-defined chains in the filter table (flushing is harmless while the chain policies are still ACCEPT, which is the default on a fresh system):
iptables -t filter -F
iptables -t filter -X
- Block All Traffic:
- Run these commands to set the default policy to DROP for incoming, forwarded, and outgoing traffic, so that anything not matched by a later ACCEPT rule is silently discarded:
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
- Warning: if you are connected over SSH, this step cuts your session immediately, because no ACCEPT rule exists yet. Either run it from a console (for example your provider's VNC/KVM access), or add the allow rules from the following steps first and set the DROP policies as the very last step.
- Allow Established Connections:
- To keep existing connections working, including the replies to connections the rules below accept, run (the -m state match is a legacy alias; -m conntrack --ctstate is the modern equivalent):
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- Allow Loopback Connections:
- For internal server processes that talk to each other over 127.0.0.1, allow loopback traffic:
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
- Allow Specific Ports:
- For example, to accept incoming HTTP connections (port 80), run:
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
- The matching OUTPUT rule is only needed if the server itself must open connections to port 80 on other hosts; replies to incoming connections are already covered by the ESTABLISHED rule above:
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
- To allow SSH traffic (port 22) in the same way, run:
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
- To allow SSH only from a specific IP address (replace 101.69.69.101 with your own), the ACCEPT rule must sit above the DROP rule in the chain. Because -I inserts at the top of the chain, insert the DROP first and the ACCEPT second; the other way round the DROP lands on top and blocks your own address:
iptables -I INPUT -p tcp -m tcp -s 0.0.0.0/0 --dport 22 -j DROP
iptables -I INPUT -p tcp -m tcp -s 101.69.69.101 --dport 22 -j ACCEPT
- Check the order with iptables -L INPUT -n --line-numbers; the ACCEPT for your address must appear before the DROP. If you never added the open port-22 rule above, the DROP rule is redundant, since the default INPUT policy already drops unmatched traffic.
- Allow Port Range:
- To allow a range of ports (e.g., 1024 to 2000), run:
iptables -t filter -A OUTPUT -p tcp --dport 1024:2000 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 1024:2000 -j ACCEPT
- Block All UDP Except DNS (Port 53):
- Allow outgoing DNS requests:
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
- If you also manage IPv6 with ip6tables, add the same rule there (ip6tables -A OUTPUT -p udp --dport 53 -j ACCEPT), otherwise the ip6tables DROP below blocks IPv6 DNS entirely.
- Block all other outgoing UDP traffic (with the DROP policy from above this is already the default, but an explicit rule keeps the block in place if the policy is later changed back to ACCEPT):
iptables -A OUTPUT -p udp -j DROP
ip6tables -A OUTPUT -p udp -j DROP
- Note that resolvers retry over TCP port 53 when a UDP answer is truncated; add a matching -p tcp --dport 53 rule if your server's resolver needs it.
- Allow Specific DNS Servers:
- To allow requests only to specific DNS servers, use these rules instead of the generic port-53 rule above. If the generic rule comes first in the chain it matches first, and the restriction has no effect:
iptables -A OUTPUT -p udp --dport 53 -d 8.8.8.8 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -d 8.8.4.4 -j ACCEPT
- Disable Ping Requests:
- To disable outgoing ping requests:
iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP
- To disable incoming ping requests (REJECT answers with an ICMP error instead of silently discarding the packet as DROP does):
iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT
- Block only echo-request as shown here; blocking all ICMP breaks path MTU discovery and the error messages TCP relies on.
- Save and Restart:
- Save your iptables configuration (this path and service are for RHEL/CentOS; Debian and Ubuntu use the iptables-persistent package and /etc/iptables/rules.v4 instead):
iptables-save > /etc/sysconfig/iptables
- Restart the iptables service to confirm the saved rules load cleanly:
service iptables restart
- Verify the result with iptables -L -n -v --line-numbers.
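The steps above run one iptables command at a time, which is exactly how you lock yourself out: the moment the INPUT policy becomes DROP, nothing accepts your SSH session until the RELATED,ESTABLISHED rule arrives. The script below is an added example (not part of the original guide) that builds the same ruleset as one iptables-restore file and applies it atomically, with a timed rollback to the previous rules unless you cancel it from a fresh SSH session. The admin address, resolvers and port range are placeholders taken from the guide and can be overridden through the environment; it also adds the TCP port-53 counterpart for DNS, which the guide only mentions.

```shell
#!/bin/sh
# Added example: the guide's default-deny ruleset as a single iptables-restore
# file, applied atomically with a lockout guard. Placeholders below come from
# the guide; override them via the environment before running "apply".

SSH_ADMIN_IP="${SSH_ADMIN_IP:-101.69.69.101}"   # placeholder admin address
DNS_SERVERS="${DNS_SERVERS:-8.8.8.8 8.8.4.4}"    # resolvers allowed on port 53
PORT_RANGE="${PORT_RANGE:-1024:2000}"            # extra inbound TCP range
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"            # guard timer for "apply"

# Print the complete filter table in iptables-restore format. Policies and
# rules are committed together, so there is no window with DROP policies and
# no ESTABLISHED rule. SSH is accepted only from SSH_ADMIN_IP; no explicit
# "-s 0.0.0.0/0 --dport 22 DROP" is needed because the chain policy is DROP.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -s $SSH_ADMIN_IP --dport 22 -j ACCEPT
-A INPUT -p tcp --dport $PORT_RANGE -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j REJECT
-A OUTPUT -p icmp --icmp-type echo-request -j DROP
EOF
    # DNS only to the listed resolvers, over UDP and TCP (truncated answers
    # are retried over TCP). These must precede the catch-all UDP DROP.
    for d in $DNS_SERVERS; do
        printf '%s\n' "-A OUTPUT -p udp -d $d --dport 53 -j ACCEPT"
        printf '%s\n' "-A OUTPUT -p tcp -d $d --dport 53 -j ACCEPT"
    done
    printf '%s\n' "-A OUTPUT -p udp -j DROP" "COMMIT"
}

# Count rules that admit new inbound TCP connections to the given port.
count_inbound_accepts() {
    build_ruleset | grep -c -- "^-A INPUT -p tcp.*--dport $1 -j ACCEPT$"
}

# Succeeds only if no rule accepts SSH from an arbitrary source.
ssh_is_restricted() {
    ! build_ruleset | grep -q -- '^-A INPUT -p tcp --dport 22 -j ACCEPT$'
}

# Apply atomically with a lockout guard: the previous ruleset is restored
# after ROLLBACK_SECS unless you cancel the guard from a NEW SSH session,
# which proves the new rules still let you in.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_ruleset: must run as root" >&2
        return 1
    fi
    iptables-save > /root/iptables.before || return 1
    build_ruleset > /root/iptables.new
    ( sleep "$ROLLBACK_SECS" && iptables-restore < /root/iptables.before ) &
    guard=$!
    if ! iptables-restore < /root/iptables.new; then
        kill "$guard" 2>/dev/null
        echo "apply_ruleset: new ruleset rejected, nothing changed" >&2
        return 1
    fi
    echo "Applied. Open a NEW ssh session to confirm access, then run: kill $guard"
    echo "Then persist with: iptables-save > /etc/sysconfig/iptables (RHEL/CentOS)"
}

case "${1:-show}" in
    show)  build_ruleset ;;
    apply) apply_ruleset ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments to print the ruleset and review it, then `sh firewall.sh apply` as root. If the new rules cut you off, the guard restores the old ones after two minutes; if a new SSH login works, kill the guard and save the rules as in the last step.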
In this manner, you can secure your server by blocking every port except the ones your services need, which leaves attackers far less to probe.
Need to block specific IP addresses or domains? Check out our guide on How to Block an IP address or a Domain Name Using cPanel.