Simple stateful firewall
In computing, a stateful firewall is a network firewall that tracks the operating state and characteristics of network connections traversing it. The firewall is configured to distinguish legitimate network packets for different types of connections. Only packets matching a known active connection are allowed to pass the firewall. In contrast a stateless firewall does not take context into account when determining whether to allow or block packets1.
These rules are enough for a simple web server.
Drop everything, only accept incoming traffic to ports that we want. On LAN, it is suggested to gracefully
REJECT packets instead of
On a typical server, we dont have any packets to forward, dont need it.
Allow any output.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Allow related and established traffic. This mean that we initated the connection and the packet is the response.
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
Allow traffic on the loopback interface. This is essential for a proper work.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
Allow new connections to my server’s SSH, which is operates on TCP port 22 by default.
Iptables is not persistent by default, rebooting your server will flush all iptables rules.
There is a package, called
iptables-persistent to make it persistent.
This will want to save your existing rules.
To save again, use this command: