How to Set Up A Firewall Using Iptables on Ubuntu 16.04

Reading Time: 5 minutes

This guide will walk you through the steps for setting up a firewall using iptables in Ubuntu 16.04. We’ll show you some common commands for manipulating the firewall, and teach you how to create your own rules.

 

What are Iptables in Ubuntu?

The utility iptables is a Linux based firewall that comes pre-installed on many Linux distributions. It is a leading solution for software-based firewalls. It’s a critical tool for Linux system administrators to learn and understand. Any publicly facing server on the Internet should have some form of firewall enabled for security reasons. In a typical configuration, you would only open ports for the services that you wish to be accessible via the Internet. All other ports would remain closed and inaccessible via the Internet. For example, in a typical server, you may want to open ports for your web services, but you probably would not want to make your database accessible to the public!

 

Pre-flight

Working with iptables requires root privileges on your Linux box. The rest of this guide assumes you have logged in as root. Please exercise caution, as commands issued to iptables take effect immediately. You will be manipulating how your server is accessible to the outside world, so it’s possible to lock yourself out from your own server!

Note
If you’re a Liquid Web customer, check out our VPN + IPMI remote management solutions. These solutions can help you restore access to your server even if you’ve blocked out the outside world. We have a VPN configuration guide to get you started. Of course, our support staff is also standing by 24×7 in the event you get locked out.

 

How Do Iptables Work?

Iptables works by inspecting predefined firewall rules. Incoming server traffic is compared against these rules, and if iptables finds a match, it takes action. If iptables is unable to find a match, it will apply a default policy action. Typical usage is to set iptables to allow matched rules, and deny all others.

 

How Can I See Firewall Rules in Ubuntu?

Before making any changes to your firewall, it is best practice to view the existing rule set and understand what ports are already open or closed. To list all firewall rules, run the following command.

iptables -L

If this is a brand new Ubuntu 16.04 installation, you may see there are no rules defined! Here is an example “empty” output with no rules set:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If you’re running Ubuntu 16.04 on a Liquid Web VPS, you’ll see we’ve already configured a basic firewall for you. There are usually three essential sections to look at in the iptables ruleset. When dealing with iptables rulesets, they are called “chains”, particularly “Chain INPUT”, “Chain FORWARD”, and “Chain OUTPUT”. The input chain handles traffic coming into your server while the output chain handles the traffic leaving your server. The forwarding chain handles server traffic that is not destined for local delivery. As you can surmise, the traffic is forwarded by our server  to its intended destination.

 

Common Firewall Configurations

The default action is listed in “policy”. If traffic doesn’t match any of the chain rules, iptables will perform this default policy action. You can see that with an empty iptables configuration, the firewall is accepting all connections and not blocking anything! This is not ideal, so let’s change this. Here is an example firewall configuration allowing some common ports, and denying all other traffic.

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p icmp -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

iptables -A INPUT -p tcp --dport 443 -j ACCEPT

iptables -A INPUT -p udp --dport 1194 -j ACCEPT

iptables -A INPUT -s 192.168.0.100 -j ACCEPT

iptables -A INPUT -s 192.168.0.200 -j DROP

iptables -P INPUT DROP

iptables -P FORWARD DROP

iptables -P OUTPUT ACCEPT

We will break down these rules one at a time.

iptables -A INPUT -i lo -j ACCEPT

This first command tells the INPUT chain to accept all traffic on your loopback interface. We specify the loopback interface with -i lo. The -j ACCEPT portion is telling iptables to take this action if traffic matches our rule.


iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Next, we’ll allow connections that are already established or related. This can be especially helpful for traffic like SSH, where you may initiate an outbound connection and wish to accept incoming traffic of the connection you intentionally established.


iptables -A INPUT -p icmp -j ACCEPT

This command tells your server not to block ICMP (ping) packets. This can be helpful for network troubleshooting and monitoring purposes. Note that the -p icmp portion is telling iptables the protocol for this rule is ICMP.


How Do I Allow a Port in Ubuntu?

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

TCP port 22 is commonly used for SSH. This command allows TCP connections on port 22. Change this if you are running SSH on a different port. Notice since SSH uses TCP, we’ve specified the protocol using -p tcp in this rule.


iptables -A INPUT -p tcp --dport 80 -j ACCEPT

iptables -A INPUT -p tcp --dport 443 -j ACCEPT

These two commands allow web traffic. Regular HTTP uses TCP port 80, and encrypted HTTPS traffic uses TCP port 443.


iptables -A INPUT -p udp --dport 1194 -j ACCEPT

This is a less commonly used port, but here is an example of how to open port 1194 utilizing the UDP protocol instead of TCP. Note that in this example we’ve specified UDP by using -p udp.


How Do I Allow an IP Address in Ubuntu?

iptables -A INPUT -s 192.168.0.100 -j ACCEPT

You can configure iptables to always accept connections from an IP address, regardless of what port the connections arrive on. This is commonly referred to as “whitelisting”, and can be helpful in certain circumstances. We’re whitelisting 192.168.0.100 in this example. Typically you would want to be very restrictive with this action and only allow trusted sources.


How Do I Block an IP Address in Ubuntu?

iptables -A INPUT -s 192.168.0.200 -j DROP

You can also use iptables to block all connections from an IP address or IP range, regardless of what port they arrive on. This can be helpful if you need to block specific known malicious IPs. We’re using 192.168.0.200 as our IP to block in this example.


How Do I Block All Other Ports?

iptables -P INPUT DROP

Next, we tell iptables to block all other inputs. We’re only allowing a few specific ports in our example, but if you had other ports needed, be sure to insert them before issuing the DROP command.


How Do I Forward Traffic in Ubuntu?

iptables -P FORWARD DROP

Likewise, we’re going to drop forwarded packets. Iptables is very powerful, and you can use it to configure your server as a network router. Our example server isn’t acting as a router, so we won’t be using the FORWARD chain.


How Do I Allow All Outbound Traffic?

iptables -P OUTPUT ACCEPT

Finally, we want to allow all outgoing traffic originating from our server. We’re mostly worried about outside traffic hitting our server, and not blocking our own box from accessing the outside world.


How Do I Permanently Save IP Rules?

To make your firewall rules persist after a reboot, we need to save them. The following command will save the current ruleset:

/sbin/iptables-save


How Do I Reset My Iptable?

To wipe out all existing firewall rules and return to a blank slate, you can issue the following command. Remember that an empty iptables configuration allows all traffic to your server, so you typically would not want to leave your server unprotected in this state for very long. Nevertheless, this can be very helpful when configuring new firewall rulesets and you need to revert to a blank slate.

iptables -F

 

We’ve covered a lot of ground in this article! Configuring iptables can seem like a daunting process when first looking at an extensive firewall ruleset, but if you break down the rules one at a time, it becomes much easier to understand the process. When used correctly, iptables is an indispensable tool for hardening your server’s security. Liquid Web customers enjoy our highly trained support staff, standing by 24×7, if you have questions on iptables configurations. Have fun configuring your firewall!

How To Set Up Multiple PHP Versions in Webmin

Reading Time: 4 minutes

What is Webmin?

Webmin is a browser-based graphical interface to help you administrate your Linux server.  Much like cPanel or Plesk, Webmin allows you to set up and manage accounts, Apache, DNS zones, users and configurations.  As these configurations can get somewhat complicated Webmin works to simplify this process. The result is fewer issues during server and domain setup.  Which results in a stable server and a pleasant administration experience. Unlike Plesk or cPanel, Webmin is completely free and open to the public. Unfortunately, here at Liquid Web, we do not offer managed support for Webmin, but we are always willing to assist as much as possible when issues arise.   You can download Webmin from their site. Also, you can find some excellent documentation on this interface.

 

Installing Webmin

Before beginning “if you have not already” you will need to install Webmin on your server.  For this article, we will mainly be working with Webmin installed on a Ubuntu server. However, it is very similar to CentOS therefore we have included instructions for both operating systems below.

  • First, you will need to access your server SSH. If you are not sure how to SSH into your server, please visit our link on the subject.  
  • Once you are logged into your server SSH, please run the following commands in order or copy and paste the entire syntax.
Debian/Ubuntu

sudo sh -c 'echo "deb http://download.webmin.com/download/repository sarge contrib" > /etc/apt/sources.list.d/webmin.list'wget -qO - http://www.webmin.com/jcameron-key.asc | sudo apt-key add -
sudo apt-get updatesudo apt-get install webmin

CentOS/RedHat/Fedora

(echo "[Webmin] name=Webmin Distribution Neutral
baseurl=http://download.webmin.com/download/yum
enabled=1
gpgcheck=1
gpgkey=http://www.webmin.com/jcameron-key.asc" >/etc/yum.repos.d/webmin.repo;
yum -y install webmin)

 

Accessing Webmin

Webmin is a web-based application.  So once Webmin is installed, you can access Webmin by using a browser of your choice.   Be sure to make sure port 10000 is open on your server as Webmin utilizes this port to function.  We have included steps below to ensure the correct port is open for iptables and firewalld.

IPTABLES

iptables-save > /tmp/tabsav
vi /tmp/tabsav
iptables-restore < /tmp/tabsav
You should be able to use the command above to alter you iptables to look something like what we have included below.
# Generated by iptables-save v1.4.7 on Thu Jan 3 00:02:49 2019
*filter
:INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [3044:1198306] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jan 3 00:02:49 2019

FirewallD

firewall-cmd --zone=public --add-port=10000/tcp --permanent
firewall-cmd --reload

Once you have made sure port 10000 is open, you should be able to access the Webmin interface by entering in your servers IP address followed by the port number “10000”

Example:   https://192.168.1.100:10000             <—— 192.168.1.100 should be replaced with your server IP.

Installing PHP Versions in Webmin

There is a lot of situations where we may need to use multiple PHP versions.  For example, you may have multiple domains or applications on your server that require an older version of PHP while at the same time you may have newer domains that are configured for newer versions of PHP.   For this article, we will be installing PHP7 and PHP5.6 on Debian.

Step 1: First, you will want to SSH into your server and run the following command.
apt-get install php7.0-cli php7.0-fpmYou can check the installation after it has completed by running php –v in your terminal.

Step 2: Now here is where things tend to get tricky.  By default, Debian only offers a single PHP version in the official repository. So, we will have to add an additional repository for Debian. While adding this repository, it is good practice to enable HTTPS for APT and register the APT key. You can accomplish this by executing the commands we have included below.

apt-get install apt-transport-https
curl https://packages.sury.org/php/apt.gpg | apt-key add -
echo 'deb https://packages.sury.org/php/ stretch main' > /etc/apt/sources.list.d/deb.sury.org.list
apt-get update

Once the repository is added, we can go ahead and add our second PHP version to the server.

apt-get install php5.6-cli php5.6-fpmWe can now check both PHP versions on the server by running these commands.

php7.0 -V

Output:


php5.6 -V

Output:

Now that we have confirmed both PHP versions are installed you can access their configuration files in the following directories.

  • /etc/php/5.6/cli/php.ini
  • /etc/php/7.0./cli/php.ini

Step 3: To make things easier, later on, we will want to add the location of the configuration files to Webmin.  This can be done from within the Webmin interface.

  1. Log into Webmin
  2. Navigate to Others >> PHP Configuration
  3. Add the PHP configuration file location
  4. Click Save

You can use this tool to add and edit directives for different PHP versions. For example, you’ll be able to edit PHP’s memory limit, timeout length, extensions and more.  This simply helps consolidate configurations within one interface. From here we can just use a .htaccess file to specify what version of PHP a site should use.

Step 4: If you do not have this file already within your document root you can add this file by navigating to /var/www/exampledomain/  and running the following command to indicate which PHP version you are going to use.

echo "AddHandler application/x-httpd-php56 .php" >  .htaccess  | chown exampleuser. .htaccess

echo "AddHandler application/x-httpd-php70.php" >  .htaccess  | chown exampleuser. .htaccess

Step 5: Once you have completed this, you can test to see if your site is running on the desired PHP version.  You can accomplish this by creating a PHP information page. by making a file in your document root, usually in the path of /var/www/html/

You will want to insert the code below and save the file.

<? phpinfo(); ?>   After you have created this file, you can view the page by visiting your domain followed by the name of the file you created.  For example, www.example.com/phpinfo.php.

Congratulations you can now use Webmin to accomplish your daily admin tasks!  Take a look at our Cloud VPS servers for 24/7 support and lightening speed servers!

An Introduction to Firewalld

Reading Time: 5 minutes

In some ways, firewalld on systemd systems is easier to manage and configure than iptables. There are, for the most part, no long series of chains, jumps, accepts and denies that you need to memorize in order to get firewalld up and running in a basic configuration. The rules are simple and straightforward, but there is no reason you cannot still have all the power that iptables afforded. Continue reading “An Introduction to Firewalld”

Scenario: Set Up a Default Configuration Webserver and Limit Access

Reading Time: 1 minute
Pre-Flight Check
  • These instructions are intended to address specifically the following scenario: Set Up a Default Configuration Webserver and Limit Access
  • I’ll be working from a Liquid Web Self Managed CentOS 6.5 server, and I’ll be logged in as root.

Continue reading “Scenario: Set Up a Default Configuration Webserver and Limit Access”

How To Unblock an IP Address in APF

Reading Time: 1 minute

Advanced Policy Firewall, or APF, is a software firewall commonly installed on Liquid Web servers. It is an interface to iptables, which is standard software for managing network ports on Linux. Interacting with iptables can be complex, but APF greatly simplifies the process. APF is only accessible via ssh, and there is no way to make changes in APF through WHM or cPanel.

Pre-Flight Check
  • These instructions are intended specifically for unblocking an IP Address in APF.
  • I’ll be working from a Liquid Web Core Managed CentOS 6.5 server, and I’ll be logged in as root.
  • For further details, see our in-depth look at the APF firewall.
Check APF for Your IP Address

Let’s say that you want to check whether or not a specific IP address, maybe 8.8.8.8 , is blocked by APF. That’s easy!

grep 8.8.8.8 /etc/apf/*

You may receive a result similar to:

/etc/apf/deny_hosts.rules:# added 8.8.8.8 on 04/25/14 13:42:01 with comment: {bfd.courier}
/etc/apf/deny_hosts.rules:8.8.8.8

The above means that BFD detected a brute force attack from the IP 8.8.8.8 on port 25, and automatically added a rule to APF to prevent future connections specifically from that IP address.

Continue reading “How To Unblock an IP Address in APF”