
Basic Firewall Setup on Dedicated Linux Server

In computer terms, a firewall stops network traffic on one network from being passed on to another. On most systems the Linux kernel is compiled with IP forwarding set to yes, which means that if the machine is connected to more than one network, traffic is passed directly from one network to the other as if they were physically joined.

Forgetting to secure and configure the firewall on a dedicated server is a common mistake and a serious security flaw. Working through the firewall's configuration also lets you remove unnecessary software that is exposed to the internet; skipping this step leaves your server and its ports open to intrusion.

In this article I will show how to set up a basic firewall on a dedicated Linux server.

Installing Firewall on Linux

The firewalld package is installed by default on nearly every Linux distribution. If you notice it is not installed, you can install the firewall tools with the following package-manager commands.

On Ubuntu/Debian:

$ sudo apt-get install iptables

On CentOS 7/RHEL 7:

# yum install iptables-services

Decide Which Firewall Ports to Block

The first step in firewall installation is deciding which ports to leave open on your dedicated server. This will vary based on what you are using the dedicated host for. For example, if you are running a web server, you would likely want the following ports open:

  • Web: 80 and 443
  • SSH: Typically run on port 22
  • Email: 110 (POP3), 143 (IMAP), 993 (IMAP SSL), 995 (POP3 SSL).

Change your SSH port to a non-default port by reading our article on changing your server's SSH port. Want your users to only use email over SSL? Block the standard POP3 and IMAP ports in your firewall to force SSL use.

Flush Default Firewall Rules

Run the command below to flush the default firewall rules.

# iptables -F

Block Common Server Attack Routes

We'll run some standard commands here to block common attacks.

Block syn-flood packets:

# iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Block XMAS Packets:

# iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

Block null packets:

# iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

Open Required Ports

Run the commands below to open up the ports you need. Here are some examples to start from:

Allow SSH Access:

# iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

Allow localhost (loopback) access:

# iptables -A INPUT -i lo -j ACCEPT

Allow web traffic:

# iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
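The rules above, assembled into one reviewable ruleset, as an added example that is not part of the original article. It writes the rules in iptables-restore format instead of running iptables one command at a time, adds the default DROP policy and ESTABLISHED,RELATED rule the article's commands alone do not set, and checks that the SSH port is still accepted before you load it; SSH_PORT and WEB_PORTS are assumed variables whose defaults match the article.

```shell
#!/bin/sh
# Added example, not from the article: emit the article's basic ruleset in
# iptables-restore format so it can be reviewed before it is loaded and saved.
# SSH_PORT and WEB_PORTS are assumed variables; defaults match the article.
SSH_PORT="${SSH_PORT:-22}"
WEB_PORTS="${WEB_PORTS:-80 443}"

build_rules() {
    # Default policies. The article's rules never set one, so without this
    # INPUT still defaults to ACCEPT and the allow rules change nothing.
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]'
    # Loopback, then replies to connections the server itself opened.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # The article's malformed-packet drops: non-SYN new, XMAS, NULL.
    printf '%s\n' '-A INPUT -p tcp ! --syn -m state --state NEW -j DROP' \
        '-A INPUT -p tcp --tcp-flags ALL ALL -j DROP' \
        '-A INPUT -p tcp --tcp-flags ALL NONE -j DROP'
    # Services that should be reachable from outside.
    printf '%s\n' "-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT"
    for p in $WEB_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Guard against locking yourself out of a remote server: succeed only if the
# SSH port is explicitly accepted in the generated ruleset.
check_ssh_allowed() {
    build_rules | grep -q -- "--dport $SSH_PORT -j ACCEPT"
}

# Usage: sh firewall.sh --print > rules.v4, review the file, then as root:
#   iptables-restore < rules.v4 && iptables-save > /etc/sysconfig/iptables
if [ "${1:-}" = "--print" ]; then
    check_ssh_allowed && build_rules
fi
```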

Test Firewall Configuration

Run the following commands to list the active rules, save the configuration and restart your firewall:

# iptables -L -n
# iptables-save | sudo tee /etc/sysconfig/iptables
# service iptables restart

Thank you for visiting LookLinux.


About the author


Santosh Prasad

Hi! I'm Santosh and I'm here to post some cool articles for you. If you have any query or suggestion, please comment in the comment section.
