Basics

In Linux, there are a few basic concepts that we need to understand before we start.

  • Firewall rules are, in general, applied as they are read, from the top down.
  • The best firewall DENIES ALL and only ALLOWS what is needed.
  • OUTBOUND rules are generally more relaxed than INBOUND.
  • A Policy is what gets applied when there is no rule (NB!!!)
  • Local Loop (the loopback interface, lo) is an internal interface which applications can use to connect to each other via TCP/IP. It is also known as “localhost” or “127.0.0.1”.

On the policy point, remember that if your default POLICY is to DROP or DENY all traffic, you WILL LOSE CONNECTIVITY if you clear all rules, because the policy is all that is left to apply. The only way to restore connectivity is usually to reboot the server. There is a way past this, but it needs a bit of work.

What will we achieve in this basic tutorial?

We will set up a basic firewall which allows ssh and blocks all else except ping, traceroute and whatever services you need to be accessed. In our sample ruleset, we will allow http and https (ports 80 and 443). To find the port used for your application, use google to search for “Which port does … use”. Here is also a short list of commonly used ports:

Application   Port(s)       Protocol
FTP           10,20,21      tcp
SSH           22            tcp
SMTP          25,493,587    tcp
DNS           53            tcp/udp
HTTP(S)       80,443        tcp
POP3          110           tcp
IMAP          143           tcp

Our rules, in English, are:

  • Allow incoming ssh, ping, traceroute and http as well as https connections.
  • Allow any traffic that was requested from an existing session (i.e. the reply to an ssh request).
  • Deny all else incoming.
  • Allow all outbound traffic.
  • Allow all traffic (In, Out and Forward) on our Local Loop (lo).
  • Deny all forward (we are not a router or firewall).

Always remember the direction of the data.

  • From Internet to your server = INPUT.
  • From your server to the internet = OUTPUT.
  • Any data passing through your server to an internal network = FORWARD (your server is the gateway and firewall). This last case will not be used in this article as we are keeping to basics.
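The six English rules above, written as an iptables script. This is an added example, not part of the original tutorial; it assumes IPv4 only, ssh on port 22 and http/https on 80/443 (as in the sample ruleset), and that traceroute uses the usual UDP probe range 33434-33523. It also shows the two pieces of "a bit of work" that avoid the lockout described in the Basics section: the policies are set to ACCEPT before the flush and only changed to DROP after the allow rules are in place, and an optional guard reopens INPUT after a timeout unless you cancel it. Run with `preview` to print the commands without touching the firewall, or `apply` (as root) to load them.

```shell
#!/bin/sh
# Added example: basic iptables ruleset for a single server (not a router).
# Assumptions: IPv4 only; ssh on 22, http/https on 80/443; traceroute probes
# on UDP 33434-33523. Set DRY_RUN=1 to print the commands instead of running them.

IPT="${IPT:-iptables}"

# Either execute an iptables command or, in dry-run mode, print it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

basic_firewall() {
    # Policies first, and ACCEPT: flushing with a DROP policy in place
    # would cut the ssh session that is running this script.
    run -P INPUT ACCEPT
    run -P FORWARD ACCEPT
    run -P OUTPUT ACCEPT
    run -F
    run -X

    # Rule 5: everything on the Local Loop (lo), in, out and forward.
    run -A INPUT -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT
    run -A FORWARD -i lo -j ACCEPT

    # Rule 2: replies to sessions we started or accepted (e.g. ssh replies,
    # and the ICMP errors that belong to outgoing traceroute probes).
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Rule 1: new incoming ssh, http and https connections.
    run -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    run -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

    # Rule 1 continued: ping (ICMP echo request) and incoming traceroute probes.
    run -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    run -A INPUT -p udp --dport 33434:33523 -j ACCEPT

    # Rules 3, 4 and 6 are the policies, applied only when no rule matched.
    # They go last, so that the allow rules above are already active.
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT
}

# Anti-lockout guard: after $1 seconds (default 120) reopen INPUT unless the
# background job has been killed. Confirm ssh still works, then kill the PID.
lockout_guard() {
    secs="${1:-120}"
    ( sleep "$secs" && run -P INPUT ACCEPT && run -F INPUT ) &
    printf 'lockout guard pid %s: kill it once a fresh ssh login succeeds\n' "$!"
}

case "${1:-}" in
    preview) DRY_RUN=1 basic_firewall ;;
    apply)   lockout_guard 120; basic_firewall ;;
esac
```

The order inside `basic_firewall` is the whole point: rules are matched top down, so the conntrack rule sits above the per-port rules and the DROP policies are the last thing set. Nothing here survives a reboot; save the result with your distribution's iptables-persistent or iptables-save mechanism once it works.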

Iptables

This is the basic building block of all modern Linux firewalls. All the firewalls below create iptables rules and are merely frontends that attempt to simplify iptables.

Ufw


Firewalld


Fail2ban


CSF & LFD


Copyright © 2020 HOSTAFRICA - All rights reserved.