iptables is Linux's firewall. Install it the regular way:
sudo apt-get install iptables
Start adding rules (help here and here). Like this:
-
Allow connections that are, well, ok:
sudo iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
-
Open a port that you want to be accessible from the outside. E.g. 80 for http, for example, or SSH (default 22).
sudo iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
Add a line for each port you wish to open, change the port number or tcp/udp where needed.
-
Optionally, allow ping:
sudo iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-
Block inbound traffic that is not allowed by any of your rules:
sudo iptables -P INPUT DROP
When done adding rules, check the list in iptables:
sudo iptables -L
Save the rules to a test file:
sudo iptables-save > /etc/iptables.test.conf
Note how known ports such as 80 are shown as http, 443 as https, etc. Use iptables -L -n
to get a 'normal' view without translated port numbers.
Happy? Save it for real (this and the previous file names are arbitrary, you can pick a different path):
iptables-save > /etc/iptables.up.conf
For the firewall to be useful, it should always run on boot. To start iptables on boot, create this file:
nano /etc/network/if-pre-up.d/iptables
And insert the following:
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.up.conf
Make it executable:
chmod +x /etc/network/if-pre-up.d/iptables
And you're done!