A properly configured firewall is the first line of defense for any Linux server. This guide covers both the traditional iptables and the modern nftables frameworks, giving you the knowledge to secure your systems effectively.
iptables Basics
# View current rules
sudo iptables -L -v -n
# Default policy: drop all incoming, allow outgoing.
# On a remote session, run these three commands AFTER the ACCEPT rules below (or load
# everything in one step with iptables-restore): setting INPUT to DROP before the
# ESTABLISHED,RELATED rule exists cuts the SSH connection you are working over.
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
# Allow established connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow loopback
sudo iptables -A INPUT -i lo -j ACCEPT
# Allow SSH
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow HTTP and HTTPS
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow ping
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
Rate Limiting with iptables
# Limit SSH connections (prevent brute force)
# These rules must sit BEFORE the plain "--dport 22 -j ACCEPT" rule above; appended with -A
# they would come after it and never be reached. -I inserts at the top of the chain, so after
# both commands the DROP check is evaluated first, then the --set, then the existing ACCEPT.
sudo iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set
sudo iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
# Limit ping: this replaces the unconditional echo-request ACCEPT above. Delete that rule
# first, otherwise packets over the limit still fall through to it and are accepted.
sudo iptables -D INPUT -p icmp --icmp-type echo-request -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j ACCEPT
nftables: The Modern Replacement
# /etc/nftables.conf
# Start from an empty ruleset so re-loading the file (nft -f /etc/nftables.conf)
# replaces the rules instead of failing because the table already exists
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # Allow established connections
        ct state established,related accept
        # Allow loopback
        iif lo accept
        # Allow SSH
        tcp dport 22 accept
        # Allow HTTP/HTTPS
        tcp dport { 80, 443 } accept
        # Allow ICMP
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        # Log dropped packets
        log prefix "nftables-dropped: " counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
NAT Configuration
# nftables NAT
# Masquerading only carries traffic if IP forwarding is enabled (sysctl net.ipv4.ip_forward=1)
# and the filter table's forward chain above accepts it, since that chain's policy is drop
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "eth0" masquerade
    }
    chain prerouting {
        type nat hook prerouting priority -100;
        tcp dport 8080 redirect to :80
    }
}
Saving and Restoring Rules
# iptables (the ">" redirect is performed by your unprivileged shell, not by sudo, so hand
# the whole command to root or the write to /etc fails with "Permission denied")
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
sudo iptables-restore < /etc/iptables/rules.v4
# nftables
sudo sh -c 'nft list ruleset > /etc/nftables.conf'
sudo systemctl enable nftables
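The rate-limiting and save/restore sections above fit together in one script, added here as an example that is not part of the original guide: the guide's INPUT rules rendered as a single iptables-restore file with the rate-limit rules placed ahead of the plain accepts, applied atomically and rolled back automatically unless the operator confirms the session survived. The SSH_PORT and WEB_PORTS variables, the recent-list name SSH and the 5/min log limit are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the guide): the guide's INPUT rules rendered as one
# iptables-restore file, with the rate-limit rules placed BEFORE the plain SSH/ping
# accepts (appended afterwards with -A they are never reached), applied atomically
# and automatically rolled back unless the operator confirms the session survived.
# SSH_PORT, WEB_PORTS and the SSH list name are this example's own assumptions.
SSH_PORT="${SSH_PORT:-22}"
WEB_PORTS="${WEB_PORTS:-80,443}"

render_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# SSH: the DROP check runs first, then the counter update, then the accept
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -m recent --name SSH --set
-A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
-A INPUT -p tcp -m multiport --dports ${WEB_PORTS} -j ACCEPT
# ping: limited accept only; anything over the burst falls through to the DROP policy
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j ACCEPT
# log what the policy is about to drop, rate-limited so a flood cannot fill the disk
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-dropped: "
COMMIT
EOF
}

apply_with_rollback() {
    # Snapshot the live ruleset, load the new one atomically (iptables-restore swaps the
    # whole table in one step), then restore the snapshot after $1 seconds unless the
    # operator kills the timer, proving the new rules did not lock them out.
    grace="${1:-60}"
    backup="$(mktemp)" || return 1
    iptables-save > "$backup" || return 1
    render_rules | iptables-restore || { rm -f "$backup"; return 1; }
    ( sleep "$grace"; iptables-restore < "$backup"; rm -f "$backup" ) &
    echo "Rules applied. If you can still reach the host, run: kill $!  (auto-rollback in ${grace}s)"
}

# Only touch the live firewall when explicitly asked: ./firewall.sh apply [grace-seconds]
if [ "${1:-}" = "apply" ]; then
    apply_with_rollback "${2:-60}"
fi
```

Run it as root over the SSH session you want to protect; if the new rules cut you off, the snapshot is restored when the timer expires.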
UFW: Simplified Firewall
# Allow SSH before enabling: UFW denies incoming traffic by default, so enabling it first
# on a remote machine cuts your session ("sudo ufw limit ssh" allows and rate-limits instead)
sudo ufw allow ssh
# Enable UFW
sudo ufw enable
# Allow services
sudo ufw allow http
sudo ufw allow https
# Allow specific port
sudo ufw allow 3000/tcp
# Allow from specific IP
sudo ufw allow from 192.168.1.0/24 to any port 22
# Check status
sudo ufw status verbose
Security Best Practices
- Default deny policy for incoming traffic
- Only open ports that are actively needed
- Use rate limiting on SSH and other sensitive services
- Log dropped packets for security monitoring
- Regularly audit your firewall rules
- Test rules in a safe environment before production deployment
- Use nftables for new installations; iptables is legacy
A well-configured firewall is essential for server security. Start with a default-deny policy, open only the ports you need, and regularly review your rules to maintain a strong security posture.