Tutorial: Creating a firewall using Iptables under CentOS


On the topic of securing a VPS server, this tutorial shows how to create a firewall using Iptables. CentOS is the operating system used throughout.

What is a firewall?

In computer networks, a firewall is a device or set of devices configured to filter, encrypt or mediate traffic between different security domains based on predefined rules.

Suppose you need to open port 80 for a web server plus a port for SSH. For security reasons it is advisable not to run SSH on the default port 22 but on some other port; this tutorial uses 22222. It is also recommended that the root password be as complex as possible, mixing symbols and alphanumeric characters.

The SSH port is changed by editing the sshd_config file in the /etc/ssh/ folder. Open it with the command nano sshd_config, uncomment the #Port 22 line and replace 22 with 22222. Save the file and then restart the SSH server with the /etc/init.d/sshd restart command.

Log in to the VPS server using the root user and its password, then initiate the commands in the following order to create a firewall with some basic rules.

Step 1: iptables -P INPUT ACCEPT to temporarily allow any remote connection to the VPS (set this before flushing in Step 2, so that flushing a rule set whose policy is already DROP cannot lock you out)

Step 2: iptables -F to delete any other existing Iptables rules

Step 3: iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT is the most important rule, because it checks the connection state of incoming packets: packets belonging to an already established connection, or related to one, are accepted, so replies to the server's own outgoing traffic are not blocked once the default policy becomes DROP

Step 4: iptables -A INPUT -p tcp --dport 22222 -j ACCEPT to open port 22222 required for the SSH connection to the VPS server

Step 5: iptables -A INPUT -p tcp --dport 80 -j ACCEPT to open port 80 required for the Apache service

Step 6: iptables -P INPUT DROP to drop any connection to the VPS server for which no rule is set in Iptables

Step 7: iptables -P FORWARD DROP if you do not use the VPS as a router for port forwarding

Step 8: iptables -P OUTPUT ACCEPT to allow traffic that originates from the VPS server towards the Internet

Step 9: iptables -L -v to check the rules created in the firewall

After viewing the created Iptables rules, it’s time to save the settings. They are saved with the command /sbin/service iptables save, which writes them to /etc/sysconfig/iptables. The rules are read and applied every time the VPS server is restarted.
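The sshd_config edit and the nine firewall steps above, collected into one script as an added example (this is not code from the original tutorial). It assumes the CentOS init-script layout the tutorial uses (/etc/init.d/sshd, /sbin/service iptables save) and the tutorial's ports 22222 and 80. It goes slightly beyond the text in two places, both marked in the comments: it accepts loopback traffic (many local services break without it once the INPUT policy is DROP), and before applying the rules it checks that sshd really listens on the port about to be opened, since a mismatch there is the classic way to lock yourself out of a VPS. Without --apply the script only prints the rule list for review; the hypothetical function names are my own.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Assumptions: CentOS init
# scripts (/etc/init.d/sshd, /sbin/service iptables save); ports from the text.
set -eu

SSH_PORT=${SSH_PORT:-22222}
HTTP_PORT=${HTTP_PORT:-80}

# set_ssh_port FILE PORT: rewrite the Port directive in an sshd_config file.
# Handles both the commented "#Port 22" of a stock config and an already
# active "Port N" line, so running it twice replaces rather than duplicates;
# appends a Port line if none exists. sed keeps a FILE.bak copy of the original.
set_ssh_port() {
    file=$1; port=$2
    if grep -qE '^#?[[:space:]]*Port[[:space:]]+[0-9]+' "$file"; then
        sed -i.bak -E "s/^#?[[:space:]]*Port[[:space:]]+[0-9]+/Port $port/" "$file"
    else
        printf 'Port %s\n' "$port" >> "$file"
    fi
}

# get_ssh_port FILE: print the first active (uncommented) Port value, or 22,
# sshd's default, when the directive is still commented out.
get_ssh_port() {
    awk '$1=="Port" && p=="" {p=$2} END {print (p=="" ? 22 : p)}' "$1"
}

# firewall_rules: print the iptables commands in the order of Steps 1 to 8.
# Printing instead of executing lets you review (or diff) the rule set first;
# apply_firewall runs exactly this list.
firewall_rules() {
    cat <<EOF
iptables -P INPUT ACCEPT
iptables -F
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $HTTP_PORT -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
EOF
}
# Note: the "-i lo" rule is an addition to the tutorial's list (see lead-in).

# apply_firewall: refuse to proceed if sshd is not listening on SSH_PORT,
# then run the rule list, show it (Step 9) and persist it to
# /etc/sysconfig/iptables as the tutorial's final step.
apply_firewall() {
    actual=$(get_ssh_port /etc/ssh/sshd_config)
    if [ "$actual" != "$SSH_PORT" ]; then
        echo "sshd listens on port $actual, not $SSH_PORT; fix sshd_config first" >&2
        return 1
    fi
    firewall_rules | while IFS= read -r cmd; do sh -c "$cmd"; done
    iptables -L -v -n
    /sbin/service iptables save
}

case "${1:-}" in
    --ssh-port)
        set_ssh_port /etc/ssh/sshd_config "$SSH_PORT"
        /etc/init.d/sshd restart ;;
    --apply)
        apply_firewall ;;
    *)
        firewall_rules ;;   # default: print the rules for review, change nothing
esac
```

Run it once with --ssh-port, confirm you can open a second SSH session on 22222 before closing the first one, and only then run --apply; keeping the original session open is what lets you recover if a rule is wrong.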
