VPS Tutorials for the masses!



In this how-to we will show you how to secure your VPS using IPTables. When you host a server on the internet, dedicated or a VPS, you need to constantly be aware of security. Blocking unwanted access to services is a good start and that is where IPTables comes in. IPTables is a host based firewall that is highly powerful. You can do a lot more than just permit access based on ports or source and desitination IP addresses. you can do natting or throttling as well. We will save those last few for a more advanced how-to.

The first thing we need to do obviously is install the packages.

Install IPTables Package

yum install iptables

Now to define a rule base. You need to stop here for a minute and think what services do you need to be reachable on this host? Is it a web server? Then ports 443 and 80 should suffice. But if you are running a mail server you may need port 25 as well. You also need to determin if you will respond to ping because ICMP needs to be tightened up. Then you need to think about established connections and internal loopback connections. You want all that to work as well. Then again you need to still be able to access your server so you will need port 22 for SSH.

We will use all these ports and protocols as an example. You can add or remove ports as needed for your setup.

Configure IPTables Rules

# Accept traffic from internal interfaces
iptables -A INPUT ! -i eth0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
iptables -A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
iptables -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
iptables -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
iptables -A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
iptables -A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
iptables -A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Respond to pings
iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Allow connections to webserver
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Allow SSL connections to webserver
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
#Allow connections to SMTP server for mail delivery
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT

iptables save

Now you have a basic rulebase built but you still need to start the firewall. You also want to start IPTables on boot so you need to enable it.

Configure Services

/etc/init.d/iptables start

chkconfig iptables on

If everything went well you should still be able to access your server on the ports you have opened, yet any other services running, like VNC, will be blocked. You can test this using open-source tools like Nmap.