iptables Configuration & Security

This guide explains how to implement a secure default-deny firewall strategy using iptables on your Linux server — all traffic is blocked unless explicitly allowed.

Order is critical! Applying the final DROP policy before allowing SSH access will immediately lock you out of your server. Always test rules carefully and keep a console connection available via the PowerPanel as a fallback.

1. Base Rules in the Correct Order

Configure all necessary access rules before applying the global block policy.

Step 1: Flush Existing Rules

Start with a clean slate by removing all existing iptables rules:

Flush all rules
iptables -F

Step 2: Allow Loopback Traffic

Allow all internal traffic on the loopback interface — essential for local services:

Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Step 3: Allow Established Connections

Allow packets belonging to already-established connections — required so responses to outgoing requests (e.g. DNS, updates) can reach the server:

Stateful inspection
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Step 4: Allow SSH Access

Allow SSH before setting the DROP policy — otherwise you will lock yourself out immediately:

Allow SSH (port 22)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Step 5: Set Default Policy to DROP

Only now — after all allow rules are in place — set the global block policy. Any packet not matched by a previous rule will be dropped. Note that with OUTPUT set to DROP the server itself can no longer open new outgoing connections (DNS lookups, package updates), because Step 3 only accepts replies to connections that already exist; add matching OUTPUT ACCEPT rules for the outbound traffic your server needs:

Set default DROP policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

2. Opening Ports for Services

Add rules for all services that need to be reachable from outside. Using a custom chain keeps the INPUT chain clean and maintainable:

Custom Chain for Open Ports

Create a dedicated chain for open ports and jump to it from INPUT:

Create custom chain
iptables -N OPEN_PORTS
iptables -A INPUT -j OPEN_PORTS

HTTP & HTTPS (Web Server)

Allow HTTP/HTTPS
iptables -A OPEN_PORTS -p tcp --dport 80 -j ACCEPT
iptables -A OPEN_PORTS -p tcp --dport 443 -j ACCEPT

Restrict Database Access to Specific IPs

Critical ports like database ports should only be opened for known, trusted IP addresses:

Restrict MySQL to one IP
iptables -A OPEN_PORTS -p tcp -s 192.0.2.5 --dport 3306 -j ACCEPT

Allow ICMP (Ping)

Optional — allows inbound and outbound ping requests for reachability checks:

Allow ping
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

3. Protection Mechanisms & Logging

Add basic flood protection and logging for dropped packets:

SYN Flood Protection (Rate Limit)

Limits the rate of new connections per source IP to mitigate simple flood attacks. Because -A appends, these rules would land after the jump to OPEN_PORTS from section 2, where port 80 is already accepted and they would never be reached; insert them above that jump (for example with -I INPUT) so they are evaluated first:

Rate limit port 80
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 50 -j DROP
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set -j ACCEPT

Drop Invalid Packets (Anti-Scan)

Blocks packets typically used for port scans and specific attack vectors:

Block anomalous packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -f -j DROP

Log Dropped Packets

Add these as the last rules in the INPUT chain, directly before the final DROP policy takes effect, so that only packets no earlier rule accepted are logged — with a rate limit to prevent log flooding:

Set up logging
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTABLES LIMITED: " --log-level 7
iptables -A INPUT -j LOG --log-prefix "IPTABLES DROPPED FINAL: " --log-level 7
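The LOG target writes one kernel log line per packet, with SRC=, PROTO= and DPT= fields, so the prefixes above can be turned into a quick overview of who is hitting the closed ports. The following script is an added example, not part of this guide: it runs on constructed sample log lines (the SAMPLE_LOG variable, not real traffic) and summarises the dropped packets per source, protocol and destination port using only awk and sort.

```shell
#!/bin/sh
# Constructed sample log lines in the standard netfilter LOG layout
# (timestamps, hosts and addresses are made up; MAC fields omitted).
SAMPLE_LOG='Mar 3 10:00:01 host kernel: IPTABLES DROPPED FINAL: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.4 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 3 10:00:02 host kernel: IPTABLES DROPPED FINAL: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.4 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 3 10:00:03 host kernel: IPTABLES DROPPED FINAL: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.4 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 3 10:00:04 host kernel: IPTABLES DROPPED FINAL: IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.4 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=51000 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 3 10:00:05 host kernel: IPTABLES LIMITED: IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.4 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=51001 DPT=161 LEN=20
Mar 3 10:00:06 host sshd[1234]: Accepted publickey for admin from 192.0.2.5 port 50022 ssh2'

# summarize_drops: read log lines on stdin, keep only lines carrying one of
# the two prefixes used in this guide, and print "count SRC PROTO DPT"
# sorted by count, highest first. Lines without the prefix (e.g. sshd) are
# ignored, and a missing field is shown as "-".
summarize_drops() {
    awk '
        /IPTABLES (LIMITED|DROPPED FINAL): / {
            src = proto = dpt = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")        src   = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT")   dpt   = kv[2]
            }
            count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# top_source: the single source/port combination seen most often.
top_source() {
    summarize_drops | head -n 1
}

# Run against the sample; on a real server feed it with e.g.
#   journalctl -k | summarize_drops
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```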

4. Save & Verify Rules

iptables rules are temporary and will be lost after a reboot. They must be saved persistently.

Verify Current Rules

List all rules
iptables -L -n -v

Save Persistently — Debian / Ubuntu

Install iptables-persistent — it automatically loads rules on every reboot:

Install & save persistent rules
apt update && apt install iptables-persistent
netfilter-persistent save

Save Persistently — CentOS / RHEL

Save rules (CentOS)
service iptables save

Alternative — nftables: On modern distributions (Debian 10+, Ubuntu 20.04+, RHEL 8+), iptables is being replaced by nftables. For new server deployments, we recommend nftables — it is faster, more readable, and actively maintained. View the nftables guide →

Further Documentation

For a complete reference of all iptables options, refer to the official documentation.