How to Harden IPTABLES in your Ubuntu/debian Server


Today I’ll post a simple Iptables configuration , to harden a server connection , before apply any of this changes remember that if  your server brings X services , this configuration will close the server to 2 operating ports

22 SSH and 80 ( HTTP)

All remaining ports will be closed , so be carefull  and if you need to open more ports just repeat step 1

0. Open  Unix console / SSH console

1.Check your Iptables version 

$sudo Iptables -V

2015-08-05 10_38_06-desktop@ns315165_ ~

2.Allowing Ports ( 22 & 80 ) , If you need more ports to open , this is the way

# /sbin/iptables -A INPUT -i eth0 -p tcp /UDP--dport (portnumber) -j ACCEPT

Opening 22 & 80 !

# /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# /sbin/iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

  • -A INPUT : our instruction to firewall
  • -i eth0 : our interface wanted to apply rule
  • -p tcp : protocol , in this case TCP
  • –dport 22 : instruction over the port 22
  • -j ACCEPT : we accept this traffic ;D

You can list your rules with the command : $Sudo iptables -L ,

as you can see I’ve configured yet , and you can watch the fail2ban rules ( this blocks ssh attackers ip adding iptables deny rules )

# /sbin/iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

We see that the default policy is to accept everything = > Chain INPUT ( policy ACCEPT ) .

We want to block all traffic that does not have prior authorization, so we will add the instruction to block all other


3.Before blocking we gonna put this instruction

Then comes a problem: when a connection is to be made from our server to the eg server to download the new kernel (just an example) , it will connect to the website and will wait for their response . The connection request will be fine but … will fail the coming back connection

So..we select the state .. because iptables is powerful

# /sbin/iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

4. Bloquing

this is the command for blocking all connections , is better REJECT than drop , because the “drop” returns to the senders the answer of a packet request… or wathever they are doing

# /sbin/iptables -A INPUT -i eth0 -j REJECT

Grats , now you have your ports well closed!!




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.