
Configure web server iptables

If you are deploying a Linux-based web server for production use you will be thinking about security. The first thing I think about is configuring iptables to limit the ports through which web traffic can reach, or leave, the server.

What are iptables?

Iptables is the command-line front end to the Linux kernel's packet filter (netfilter); in practice it is the host firewall, giving you detailed control over which traffic may enter and leave your server. With no rules in place, every port that a service is listening on is reachable from anywhere. That means an attacker may be able to reach a weak or unpatched service on one of those open ports and gain control of your web server.

Iptables includes support for IPv4 and IPv6 and a huge range of complex configurations. This post is focused solely on IPv4 and on opening traffic to port 80 (HTTP) and 443 (HTTPS). You should be able to use the same process to open ports such as 21 (FTP) or 25 (SMTP). You can also apply these methods to IPv6 using the ip6tables tool and its own config file.

With most Linux distributions it is not necessary to install iptables, because it is usually bundled with the system. However, it often allows all traffic by default.

Creating rules

IMPORTANT: You can only manage iptables as root.

Listing iptables

iptables -L

If you haven’t configured any iptables you should get the following output:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
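A small check built on the output above, added here as an example and not part of the original post: it reads "iptables -L" text and reports whether the INPUT chain is still wide open (policy ACCEPT with no rules), which is exactly the fresh-system state the sample shows. The sample text below is constructed from the post's output; the function names are my own.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): decide from "iptables -L"
# output whether the INPUT chain is wide open. Reads text only, so it can
# be run unprivileged against saved output; live use is shown in the note.

# Constructed sample: the output the post gives for an unconfigured system.
SAMPLE_OPEN='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# input_is_open : read "iptables -L" text on stdin. Returns 0 when the INPUT
# chain has policy ACCEPT and contains no rules, 1 otherwise.
input_is_open() {
    awk '
        /^Chain / {
            chain = $2
            policy = $0
            sub(/.*policy /, "", policy)   # keep the text after "policy "
            sub(/\).*/, "", policy)        # drop the closing parenthesis
            if (chain == "INPUT") input_policy = policy
            next
        }
        /^target /        { next }         # column header, not a rule
        /^[[:space:]]*$/  { next }         # blank separator line
        chain == "INPUT"  { rules++ }      # any other line under INPUT is a rule
        END { exit !(input_policy == "ACCEPT" && rules == 0) }
    '
}

# Demo when run directly: check the constructed sample.
if printf '%s\n' "$SAMPLE_OPEN" | input_is_open; then
    echo "sample: INPUT chain is wide open (policy ACCEPT, no rules)"
fi
```

To run it against the live firewall as root, pipe the real listing in: iptables -L -n | input_is_open && echo "INPUT chain is wide open". The -n flag stops iptables resolving addresses and port names, so the check also works on hosts without DNS.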

Adding iptables rules
Your Linux distribution will include an iptables config file. The path used below, /etc/sysconfig/iptables, is the one used by Red Hat based distributions such as CentOS and Fedora; Debian and Ubuntu do not load rules from this path by default, so check where your distribution stores persistent rules before editing.
You may wish to take a backup of the config file before you do anything:

cp -b /etc/sysconfig/iptables /tmp/iptables.bk

Open in a text editor of choice:

nano /etc/sysconfig/iptables

Or in case you wanted IPv6:

nano /etc/sysconfig/ip6tables

The file should contain something like this:

*filter
:INPUT ACCEPT [6:424]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:496]
 
...

Add the following lines to the INPUT chain, placing them above the chain's final LOG and DROP (or REJECT) lines. Rules are matched in order, so an ACCEPT placed after a catch-all DROP or REJECT rule is never reached:

## allow everyone to access port 80 and 443 ##
 
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

Restart the iptables service so the file is reloaded (on systemd-based distributions that ship the iptables service, the equivalent is systemctl restart iptables):

/etc/init.d/iptables restart
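As an added example (my own script, not part of the original post), the steps above can be turned into a generator for the same iptables-restore file format used by /etc/sysconfig/iptables, plus a check that the web-port ACCEPT rules sit above the chain's catch-all rule. The generated ruleset goes slightly beyond the post's two lines by also allowing loopback and replies to established connections, which a production host needs before the final catch-all REJECT; the function names are assumptions. Nothing here modifies the live firewall, so it runs unprivileged.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): build a minimal IPv4 filter
# ruleset in iptables-save/iptables-restore format and verify rule ordering.

# gen_web_ruleset PORT... : print a ruleset that accepts loopback traffic,
# replies to established connections, and new TCP connections to the given
# ports, then rejects everything else arriving on INPUT. Chain policies
# mirror the post's sample file; COMMIT is required by iptables-restore.
gen_web_ruleset() {
    local port
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT ACCEPT [0:0]'
    printf '%s\n' ':FORWARD ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -m state --state NEW -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    printf '%s\n' 'COMMIT'
}

# check_port_order FILE PORT : return 0 if an ACCEPT rule for PORT appears in
# the INPUT chain before the chain's first catch-all REJECT/DROP line (or if
# there is no catch-all at all), 1 if the ACCEPT is missing or comes too late.
check_port_order() {
    local file=$1 port=$2
    local accept_line drop_line
    accept_line=$(grep -n -- "^-A INPUT .*--dport ${port} -j ACCEPT" "$file" \
                  | head -n1 | cut -d: -f1)
    drop_line=$(grep -n -E -- '^-A INPUT -j (REJECT|DROP)' "$file" \
                | head -n1 | cut -d: -f1)
    [ -n "$accept_line" ] || return 1
    [ -z "$drop_line" ] && return 0
    [ "$accept_line" -lt "$drop_line" ]
}

# Demo when run directly with ports as arguments, e.g. ./script 80 443:
# print the ruleset to stdout for review or redirection to a file.
if [ "$#" -gt 0 ]; then
    gen_web_ruleset "$@"
fi
```

Typical use: gen_web_ruleset 80 443 > /tmp/iptables.web, then check_port_order /tmp/iptables.web 443 before copying the file into place as root and restarting the service. Remember to include your SSH port in the list if you administer the host remotely, because the final REJECT line blocks everything not explicitly accepted.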

You’re all set

Conclusion

Having at least a basic understanding of iptables is essential for deploying a production-ready web server. It lets you allow access through only the ports you specify. This post covered:

  • Listing the current iptables rules
  • Backing up the config file before changing it
  • Adding iptables rules to the config file

If you wish to open more ports you can apply the same method. If you wish to understand iptables in greater detail, see the iptables man page at http://linux.die.net/man/8/iptables

About 

10 years + experience in web development working with lots of different technology.

Published in Linux
