Firewall Basics

Keep in mind that we will NOT be responsible for any damages caused by the following the guides and information given in ANY of our articles.
The information provided should always be assumed as possibly flawed, and thus one should always think and adapt the information to their own requirements before implementing anything into their production environment.

Full disclaimer

This topic will contain some information about firewalls and how to set them up.
The trick with firewalls is to block everything by default, and only allow the traffic that you wish to handle.

On this page we will provide samples based on Linux's IPTables, as this is what's commonly used for Linux webservers.

To follow this example you are required to login as user root.
If you don't have the password of the root user you can use sudo instead.


  1. Create a new empty file:
    touch /etc/iptables.up.rules
  2. Edit your interface configuration file:
    nano /etc/network/interfaces
  3. Append your main interface with the following rule:
            post-up iptables-restore < /etc/iptables.up.rules


  1. Edit your firewall configuration file:
    nano /etc/iptables.up.rules
  2. Set the file's contents to:
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    # Accept Established
    -A INPUT -m state --state ESTABLISHED -j ACCEPT
    # Accept Related
    -A INPUT -m state --state RELATED -j ACCEPT
    # Accept DNS return
    -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
    # Accept ICMP 0
    -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
    # Accept ICMP 3
    -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
    # Accept ICMP 4
    -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
    # Accept ICMP 8
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    # Accept ICMP 11
    -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
    # Accept ICMP 12
    -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
    # Accept FTP(S)
    -A INPUT -p tcp -m tcp --dport 20:21 -j REJECT
    # Accept SSH To Host
    -A INPUT -p tcp -m tcp -d <Host main IP address> --dport 22 -j ACCEPT
    # Accept IDENT
    -A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
    # Drop sensitive ports
    -A INPUT -p tcp -m tcp --dport 2049:2050 -j DROP
    # Drop sensitive ports
    -A INPUT -p tcp -m tcp --dport 6000:6063 -j DROP
    # Drop sensitive ports
    -A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP
    :OUTPUT ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :INPUT ACCEPT [0:0]

There are plenty of tutorials out there.
Here a few examples:

For this configuration file you need to truncate both sudo and iptables from the start of the command.
To apply these new rules you need to perform one of the following tasks:

  • Reload your network stack:
    iptables -F; service networking restart
  • Restore the config directly:
    iptables -F; iptables-restore < /etc/iptables.up.rules