Linux - IP and Firewall

IPTABLES MODIFICATION FIREWALL

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

sudo iptables -A INPUT -i lo -j ACCEPT

************ replace 111.111.111.111 with your local IP if you want to restrict SSH to your address only ************
iptables -A INPUT -s 111.111.111.111 -p tcp --dport 22 -j ACCEPT

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 10000 -j ACCEPT

Now check the output of iptables:
sudo iptables -nvL

via SSH and list the rules defined in a specific chain using the following syntax:

sudo iptables -L CHAIN

Replace CHAIN with one of the built-in chains to see the defined rules. If no chain is selected, all chains will be listed in the output.

sudo iptables -L

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

A firewall rule specifies what to do with a packet that matches its criteria; if the packet does not match, the next rule defined in the chain is examined. This is very important to keep in mind when defining firewall rules, because you can easily lock yourself out of your server if you place the rule that accepts packets from your local IP address after a blocking rule.

The targets you can use for firewall rules are ACCEPT, DROP, QUEUE and RETURN. ACCEPT lets the packet through, DROP discards the packet, QUEUE passes the packet to userspace, and RETURN stops traversal of the current chain and resumes at the next rule in the calling chain. The default chain policy defines what happens to a packet that matches no rule in the chain. As you can see in the output of the first command, the default policy for all built-in chains is ACCEPT. ACCEPT lets the packet through, so there is effectively no protection.

Before adding any specific rules, add the following one:

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

This prevents connections that are already established from being dropped, so your current SSH session remains active.

Next, add rules to allow traffic on your loopback interface:

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT

Next, allow access to your server via SSH for your local IP address so only you can access the server:

sudo iptables -A INPUT -s 111.111.111.111 -p tcp --dport 22 -j ACCEPT

Here 111.111.111.111 is your local IP address and 22 is the listening port of your SSH daemon. If your local IP address changes dynamically, it is best to omit the -s 111.111.111.111 part and use a different method to protect the SSH service from unwanted traffic.

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Next, allow access to your important services like HTTP/HTTPS server:

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Now, list the current rules and check if everything is OK. For detailed output you can use the following command:

sudo iptables -nvL

If you have other services that you want to allow access to, it is best to do that now. Once you are done, you can set the default policy for the INPUT built-in chain to DROP (-P sets a chain policy and takes the target directly, without -j):

sudo iptables -P INPUT DROP

//** I did not run this command

sudo apt-get install iptables-persistent

sudo netfilter-persistent save
sudo netfilter-persistent reload
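The ruleset above, as an added example (not from the original notes): a small sh script that prints the rules in the iptables-restore format that netfilter-persistent saves, and checks the rule order for the lock-out mistake described earlier before the ruleset is loaded. The admin IP 111.111.111.111 is a placeholder, as on the page.

```shell
#!/bin/sh
# Added example: emits this page's ruleset in iptables-restore format and
# sanity-checks it for the lock-out mistake described above before loading.
# 111.111.111.111 is a placeholder for your own admin IP.

# gen_rules_v4 ADMIN_IP [SSH_PORT]: print the ruleset. Pass an empty ADMIN_IP
# to omit the -s match (the dynamic-IP case mentioned above).
gen_rules_v4() {
    admin_ip="$1"
    ssh_port="${2:-22}"
    src_match=""
    if [ -n "$admin_ip" ]; then
        src_match="-s $admin_ip "
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT ${src_match}-p tcp --dport ${ssh_port} -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# lockout_check [SSH_PORT]: read a ruleset on stdin; return 1 if INPUT policy
# is DROP but the first INPUT rule is not the conntrack ESTABLISHED,RELATED
# accept, or no rule accepts the SSH port. Rules match in order, so anything
# else first (or a missing SSH rule) can cut off the current session.
lockout_check() {
    ssh_port="${1:-22}"
    rules="$(cat)"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 0
    first_input="$(printf '%s\n' "$rules" | grep '^-A INPUT' | head -n 1)"
    case "$first_input" in
        *"--ctstate ESTABLISHED,RELATED -j ACCEPT") ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$rules" | grep -q -- "--dport ${ssh_port} -j ACCEPT" || return 1
}

# Usage (as root, after reviewing the printed rules):
#   gen_rules_v4 111.111.111.111 22 > /tmp/rules.v4
#   lockout_check 22 < /tmp/rules.v4 && iptables-restore < /tmp/rules.v4
```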

sudo apt-get install apache2
sudo apt-get install apache2-utils