August 3, 2012

Beginner

How To Set Up a Firewall Using IP Tables on Ubuntu 12.04

About IP Tables


Ubuntu ships with iptables, the distribution's default firewall, which can be used to make a server more secure after the initial set up. Out of the box the firewall is present but holds no rules: every chain's policy is ACCEPT, so all incoming and outgoing traffic on a virtual private server is allowed. To give the server some stronger protection, we can add a few basic rules to the table.

An iptables rule is built from a series of options that are combined to describe the packets it matches and what to do with them. Each packet that crosses the firewall is checked against the rules of a chain in order. As soon as it matches a rule, the packet follows the associated action (the target); for ACCEPT, DROP and REJECT no later rule is consulted. If it matches no rule at all, the chain's default policy decides what happens to it.

IP Table Commands


Although this tutorial will go over a limited number of commands that provide a server with some basic security, there are a variety of nuanced and specific cases that can be built with iptables. Below are some of the most useful options for developing a firewall for your VPS, but keep in mind that this is a short list and there are many others.
-A: (Append), adds a rule to the end of a chain
-L: (List), shows the current rules
-m conntrack: loads the connection-tracking match, so a rule can test which state the connection a packet belongs to is in; the state is given with --ctstate
--ctstate: the connection states the rule should match. There are four: NEW, RELATED, ESTABLISHED, and INVALID. Several may be listed, separated by commas
-p: (protocol), the protocol of the packet to check. It can be one of tcp, udp, udplite, icmp, esp, ah, sctp or the special keyword "all"
--dport: (destination port), the port the packet is addressed to; only valid together with -p tcp or -p udp. A service name from /etc/services (such as ssh) may be used instead of a number
-j: (jump), the target, that is, the action taken when a packet matches the rule. The targets used in basic firewalls are:
	-ACCEPT: the packet is accepted, and no further rules are processed
	-REJECT: the packet is discarded, the sender is notified (with an ICMP error or a TCP reset), and no further rules are processed
	-DROP: the packet is discarded silently, the sender is not notified, and no further rules are processed
	-LOG: the packet is written to the kernel log and then continues down the chain, so the rules after it are still processed
-I: (Insert), adds a rule at a given position in a chain instead of at the end
-I INPUT 3: inserts a rule into the INPUT chain as the third rule in the list
-v: (verbose), offers more details about each rule, including the interface it applies to and packet and byte counters

Creating the IP Table:


If you type in the following, you can see the current rules in the virtual server's IP Table:
sudo iptables -L

They should look like this:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If you have another set of rules in place or want to start fresh, you can flush (delete) all of the rules in every chain:
sudo iptables -F

Note that -F removes rules only; it does not touch a chain's default policy. If you have ever set a policy to DROP, put it back to ACCEPT first (sudo iptables -P INPUT ACCEPT), or the flush will leave you with a chain that drops everything, including your SSH session.

Additionally, if you want to speed up your work with iptables, you can add -n to the command. This option disables DNS lookups, so the command does not try to resolve every IP address in the ruleset (and every port number into a service name) before printing. Listing the rules this way looks like:
sudo iptables -L -n

A Basic Firewall


As it stands the current rules allow all connections, both incoming and outgoing. There are no security measures in place whatsoever. As we build up the table, keep in mind that as soon as a packet is ACCEPTED, REJECTED, or DROPPED, no further rules are processed. Therefore the rules that come first take priority over later ones.

While creating the rules, we have to be sure to prevent ourselves from accidentally blocking SSH (the method through which we connected to the server). Each rule takes effect the moment it is entered, so keep your provider's console access to the server at hand in case a mistake locks you out.

To start off, let's make sure that existing connections, including the SSH session we are working from and any other connection open at the time the rule is made, stay online:

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

We can go ahead and break this down:
  1. -A tells iptables to append the rule to the end of a chain.

  2. INPUT designates this rule as part of the INPUT chain, which handles packets addressed to the server itself.

  3. -m conntrack followed by --ctstate ESTABLISHED,RELATED restricts the rule to packets that belong to a connection that is already open (ESTABLISHED) or that is associated with one, such as an FTP data channel or an ICMP error for an existing connection (RELATED).

  4. -j ACCEPT accepts those packets, so the existing connections stay in place.

After we are assured that all the current connections to the virtual private server can stay up uninterrupted, we can proceed to start blocking off other insecure connections.

Let’s assume that we want to block all incoming traffic, except for those coming in on 2 common ports: 22 for SSH and 80 for web traffic. We proceed by allowing all traffic on the designated ports with the following commands:
sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

In both of these commands, the -p option stands for the protocol with which the connection is being made, in this case tcp, while --dport specifies the destination port the packet is addressed to. The name ssh is looked up in /etc/services and means port 22; if your sshd listens on a different port, use that port number here instead, or the final DROP rule below will cut off your SSH access.

After we have guaranteed that the desirable traffic will make it through the firewall, we can finish up by blocking all remaining traffic from accessing our virtual server. Because this is the last rule in the list, all traffic that matches any of the previous rules will not be affected, and will be treated as we set up previously.

Before adding it, run sudo iptables -L once more and confirm that the three ACCEPT rules above are actually present. If the conntrack rule was refused (for example with "No chain/target/match by that name"), the replies to the server's own outgoing connections, such as DNS lookups and apt-get downloads, would be dropped along with everything else.

Let’s make a rule to block all of the remaining traffic:
sudo iptables -A INPUT -j DROP

With that, we can see what our updated rules look like:
sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http 
DROP       all  --  anywhere             anywhere

We are almost finished, but one rule is still missing: the server needs to be able to talk to itself over the loopback interface (127.0.0.1), which local services such as a database or a caching resolver rely on. With the rules above, a new connection arriving on lo would fall through to the final DROP rule. If we simply appended the loopback rule now, it would land at the end of the list, after the rule that drops everything, and would never be reached.

To counter this, we insert the rule at the top of the chain, using -I with a position:
sudo iptables -I INPUT 1 -i lo -j ACCEPT

  1. -I INPUT 1 places this rule at the top of the INPUT chain, so it is checked before everything else

  2. -i lo restricts the rule to packets arriving on the loopback interface

  3. -j ACCEPT then guarantees that the loopback traffic will be accepted
Now we have finished creating a basic firewall. Your rules should look like this (adding -v shows the interface each rule applies to, plus packet and byte counters, which is a quick way to confirm which rule a connection is hitting):
sudo iptables -L -v

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
 1289 93442 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    2   212 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
   47  2422 DROP       all  --  any    any     anywhere             anywhere            

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 157 packets, 25300 bytes)
 pkts bytes target     prot opt in     out     source               destination       
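The procedure above as one script, added here as an example; it is not code from the original tutorial or from DigitalOcean. It renders the same rules in iptables-restore syntax, lints the order for the lockout mistakes this section warns about (a missing SSH rule, or the loopback and ESTABLISHED rules landing after the catch-all), and applies the file in one atomic step behind a timer that undoes the change unless you confirm it. It goes beyond the text in two places, both marked in the comments: the catch-all is the chain policy rather than a trailing -j DROP, so rules appended later are still reached, and ICMP is allowed. It assumes iptables and iptables-restore on PATH, root when applying, and an iptables-restore that accepts --test (remove that line if yours does not).

```shell
#!/bin/sh
# Added example; not code from the original tutorial.  Builds the ruleset
# as an iptables-restore file, lints the rule order, applies it atomically
# behind a 60 second fallback timer.  Assumes iptables/iptables-restore on
# PATH (root needed for "apply") and an iptables-restore that knows --test.
set -u

# render_rules SSH_PORT [TCP_PORT...]   -> ruleset on stdout
# Same rules and order as the tutorial, with two deliberate changes: the
# catch-all is the INPUT policy (":INPUT DROP") instead of a trailing
# "-A INPUT -j DROP", so a rule appended later is still reached, and ICMP
# is accepted so ping and path-MTU errors keep working.  FORWARD is DROP
# because a VPS does not route.  "[0:0]" are the counters the format wants.
render_rules() {
    ssh_port=$1; shift
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    printf '%s\n' "-A INPUT -p tcp --dport $ssh_port -j ACCEPT"
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# lint_rules SSH_PORT < ruleset
# Exit 0 when the INPUT chain cannot lock out SSH: an ACCEPT for the SSH
# port, a loopback ACCEPT and an ESTABLISHED,RELATED ACCEPT must all exist
# and must come before any catch-all "-A INPUT -j DROP|REJECT" (a rule with
# no match options), because nothing after a catch-all is ever reached.
# Prints the first problem found.  SSH_PORT may be a number or "ssh".
lint_rules() {
    awk -v port="$1" '
        /^-A INPUT / {
            n++
            if ($0 ~ /^-A INPUT -j (DROP|REJECT)$/ && !catchall) catchall = n
            if ($0 ~ /-i lo .*-j ACCEPT/)                       lo  = n
            if ($0 ~ /ESTABLISHED.*-j ACCEPT/)                  est = n
            if ($0 ~ ("--dport " port " .*-j ACCEPT"))          ssh = n
        }
        END {
            if (!ssh) { print "no ACCEPT for ssh port " port; exit 1 }
            if (!lo)  { print "no loopback ACCEPT"; exit 1 }
            if (!est) { print "no ESTABLISHED,RELATED ACCEPT"; exit 1 }
            if (catchall && (ssh > catchall || lo > catchall || est > catchall)) {
                print "rule placed after catch-all DROP (INPUT rule " catchall ") is never reached"
                exit 1
            }
            exit 0
        }'
}

# apply_rules SSH_PORT [TCP_PORT...]
# Render, lint, load.  iptables-restore swaps the whole filter table in one
# step, so there is no window with half the rules in place.  The background
# timer is the safety net: unless it is killed within 60 seconds it resets
# the policies to ACCEPT and then flushes, in that order (a bare "iptables
# -F" while the policy is DROP would still leave you locked out).
apply_rules() {
    f=$(mktemp) || return 1
    render_rules "$@" > "$f"
    lint_rules "$1" < "$f" || { rm -f "$f"; return 1; }
    iptables-restore --test < "$f" || { rm -f "$f"; return 1; }
    ( sleep 60; iptables -P INPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -F ) &
    timer=$!
    iptables-restore < "$f"; rm -f "$f"
    echo "rules loaded. If this SSH session still works, keep them with: kill $timer"
}

case "${1:-}" in
    render) shift; render_rules "$@" ;;   # ./fw.sh render 22 80 > rules.v4
    lint)   shift; lint_rules "$@" ;;     # ./fw.sh lint 22 < rules.v4
    apply)  shift; apply_rules "$@" ;;    # sudo ./fw.sh apply 22 80
    *)      echo "usage: $0 render|lint|apply SSH_PORT [TCP_PORT...]" ;;
esac
```

Run sudo ./fw.sh apply 22 80 (or your custom SSH port) from an SSH session; if the session survives, kill the printed timer PID, otherwise wait a minute and the server opens up again on its own. The lint step also works on the tutorial's own sequence: feed it the rules as "-A INPUT ..." lines and it accepts the order shown in the listing above, but rejects a loopback rule that was appended after the DROP rule.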

However, the rules live only in the kernel's memory: as soon as the virtual server reboots, they are gone. The next step goes over saving and restoring them.

Saving IP Tables


Although the rules are effective, they are discarded whenever the server reboots. To make sure that they remain in effect, we can use the iptables-persistent package, which saves the current rules to a file and loads them again at boot.

We can install it using apt-get:
sudo apt-get install iptables-persistent

During the installation, you will be asked whether you want to save the current IPv4 rules and the current IPv6 rules. Say yes to both.

Your rules will then be saved in /etc/iptables/rules.v4 and /etc/iptables/rules.v6, in the format written by iptables-save.

Once the installation is complete, start iptables-persistent running:
sudo service iptables-persistent start

After any server reboot, you will see that the rules remain in place. Note that the files are only written when you save them: if you change the rules later with iptables, save again with sudo /etc/init.d/iptables-persistent save (or sudo sh -c 'iptables-save > /etc/iptables/rules.v4'), otherwise the change is lost on the next reboot.
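A check for exactly that failure, added as an example that is not part of the original tutorial: it compares what the kernel is running against the file iptables-persistent will restore, ignoring the timestamp comments and packet counters that legitimately differ between two dumps of the same rules. It assumes the default file /etc/iptables/rules.v4 and iptables-save on PATH (used only by the check mode); the demo mode runs on constructed dumps and needs neither.

```shell
#!/bin/sh
# Added example; not code from the original tutorial.  Detects drift between
# the rules the kernel is running and the file restored at boot.  Assumes
# iptables-persistent's default /etc/iptables/rules.v4 and iptables-save on
# PATH ("check" mode only; "demo" mode uses constructed dumps).
RULES_FILE=${RULES_FILE:-/etc/iptables/rules.v4}

# normalize_rules < dump
# Drops what differs between two dumps of the same ruleset: the
# "# Generated by ..." / "# Completed on ..." comment lines, the
# [packets:bytes] counters on the chain-policy lines, trailing whitespace.
normalize_rules() {
    sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*]$//' -e 's/[[:space:]]*$//'
}

# rules_match SAVED_FILE < running-dump
# Exit 0 when the dump on stdin equals SAVED_FILE after normalization;
# otherwise print a unified diff (saved file on the "---" side) and exit 1.
rules_match() {
    saved=$(mktemp) || return 2
    running=$(mktemp) || { rm -f "$saved"; return 2; }
    normalize_rules < "$1" > "$saved"
    normalize_rules > "$running"
    diff -u "$saved" "$running"
    status=$?
    rm -f "$saved" "$running"
    return $status
}

# check_drift: compare the live ruleset with RULES_FILE (needs root).
check_drift() {
    if iptables-save | rules_match "$RULES_FILE"; then
        echo "running rules match $RULES_FILE"
    else
        echo "running rules differ from $RULES_FILE (diff above)." >&2
        echo "Save them with: sudo sh -c 'iptables-save > $RULES_FILE'" >&2
        return 1
    fi
}

# demo: constructed dumps, no iptables needed.  The first comparison differs
# only in timestamp and counters (a match); the second has a 443 rule that
# was added with "iptables -A" but never saved (drift).
demo() {
    saved=$(mktemp)
    cat > "$saved" <<'EOF'
# Generated by iptables-save v1.4.12 on Fri Aug  3 12:00:00 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Fri Aug  3 12:00:00 2012
EOF
    echo "== same rules, fresh counters and timestamp:"
    sed -e 's/^# Generated.*/# Generated by iptables-save v1.4.12 on Sat Aug  4 09:30:00 2012/' \
        -e 's/^:INPUT ACCEPT \[0:0]/:INPUT ACCEPT [1289:93442]/' "$saved" \
        | rules_match "$saved" && echo "   match"
    echo "== one rule added with iptables -A but not saved:"
    sed -e '/--dport 80/a\
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT' "$saved" \
        | rules_match "$saved" || echo "   drift detected"
    rm -f "$saved"
}

case "${1:-}" in
    check) check_drift ;;   # sudo ./drift.sh check
    demo)  demo ;;          # ./drift.sh demo
    *)     echo "usage: $0 check|demo" ;;
esac
```

Run sudo ./drift.sh check after any change to the rules, or from cron, and save when it reports a difference; the unified diff shows exactly which rule would be lost at the next reboot.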



By Etel Sverdlov


69 Comments

  • mhamrich over 1 year

    Does the APF firewall package work well under KVM and your CentOS or Ubuntu images? I've had issues on bare metal Ubuntu with some kernels in that the netfilter portion made the apf function very slow. www.rfxn.com/projects/ They are easy to install and offer good security

  • Moisey over 1 year

    A lot of that would depend on the exact firewall configuration you have running and what you are configuring it to do. In most cases there should be really no impact to performance, but if you run a specific config and notice performance degradation please let us know, we'd love to look deeper into the rules and see how they are set up and perhaps be able to offer some guidance on that. Thanks.

  • fariazz over 1 year

    Entering the above rules locks me out of my VPS. I installed fail2ban as per the tutorial provided in this site. This is my iptables -L before trying the commands (luckily I have a snapshot to restore from):

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    fail2ban-ssh  tcp  --  anywhere             anywhere            multiport dports ssh

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain fail2ban-ssh (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

  • fariazz over 1 year

    All I want is to allow ssh, port 80 and loopback, and disable the rest.

  • Moisey over 1 year

    Fail2ban is used to prevent repeated attempts to gain access to your server via SSH from outside parties. As for the rules you want to create are there particular IPs or subnets that you would like to filter for SSH to allow access but block the rest? Also for loopback you do not need any firewall rules as that is only available on your local server and not visible from the public internet.

  • fariazz over 1 year

    Hi Raiyu, thanks for getting back to me. The only ports I want to allow access from are 80 and my ssh custom port. Any idea why the above gets me blocked (ssh stops working)?

  • Moisey over 1 year

    I imagine that you would like to leave port 80 open to the public internet, while restricting access on port 22 to only your specific IP or a set of whitelisted IPs, so the rules would be different. Let me know if you would like to also restrict IP access to port 80 as well to a white list and we can put together some rules to restrict access to SSH to only whitelisted IPs.

  • Joseph B over 1 year

    With the package "iptables-persistent" installed, can I make changes afterward and expect them to be sticky on a restart? or is there a command to apply my changes before a restart?

  • Joseph B over 1 year

    Never mind, the command is "sudo /etc/init.d/iptables-persistent save", which saves the current ruleset to /etc/iptables/rules.v4 and /etc/iptables/rules.v6

  • chrismcan over 1 year

    Thanks again and one question: What happens with the original root user? Since I just created foo to ssh in do you just always use foo and I guess what I'm asking is do you get rid of "root" since you now have "foo"?

  • chrismcan over 1 year

    This article really helped. I have had such issues with this. Sharing is caring and for that I am grateful! Happy Holidays!

  • Moisey over 1 year

    You can not and should not get rid of the root user. The root user is the superuser for the system who has access to all files and can make any changes and has ultimate authority. For this reason you do not want to login as root to perform normal tasks or to run applications because if there is a security concern when the application breaks it will escape with the permissions of the user who initiated it which would be root. This is why when you start system daemons such as Apache and you do it as root you will see that the root process just manages child processes which are all running as a different user. This is a security precaution.

  • ajmorris2002 over 1 year

    If I wanted to add ftp/sftp to the firewall, how would I go about doing that?

  • Moisey over 1 year

    Great question, we'll get an article written about securing FTP for SFTP only.

  • ajmorris2002 over 1 year

    @raiyu Thanks! I'm to the point where the thing that messes me up the most is figuring out a firewall. I'd love to see it somehow work with the firewall article so I have a better understanding of how all that works. Right now I'm thinking I need to completely remove the firewall and start over, but think I'm going to need to use google to find that all out. :)

  • Moisey over 1 year

    I think that's a good approach. With how firewalls are layered it just takes practice getting it right, and while it's a frustrating process, when it finally works there's that eureka moment where it actually feels like you learned something and now you finally get it. I've added it to our article queue to get written up, and we always tweet out all of the new articles that are added to our community section, so if you follow us on twitter you'll see it pop up there.

  • Steve Wilson about 1 year

    If I changed my default SSH port to something different, should I change the command: "sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT" to include the port I chose?

  • Glauco Lins about 1 year

    In CentOS, to make the changes permanent, use the command below: # sudo service iptables save

  • adf about 1 year

    firehol (apt-get install firehol) is a really easy to use wrapper for iptables

  • frozen.dinosaur about 1 year

    @swilso.86 Yes you definitely should, I didn't and was locked out of my server for a bit haha

  • tutysara about 1 year

    Hi, Following the procedure blocks the DNS access. I couldn't do apt-get after following the instructions for adding IPTable rules. I did a sudo iptables -F to resolve the issues. BTW - "sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" also gave an error "iptables: No chain/target/match by that name." Not sure whether this is the reason for my DNS getting blocked as well.

  • stpdave 11 months

    Hi, Followed your instructions, but apt-get does not work because it cannot get a connection. I also cannot connect via a terminal from my local computer. I used these commands initially.

    sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    sudo iptables -A INPUT -j DROP
    sudo iptables -I INPUT 1 -i lo -j ACCEPT
    sudo apt-get install iptables-persistent

    Then after reading this http://askubuntu.com/questions/67441/which-input-rules-do-i-need-to-add-to-iptables-so-apt-apt-get-aptitude-can-wo I added these:

    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -P INPUT DROP

    Plus input rules for a few other ports. Still cannot use apt-get because it cannot connect. Since I cannot use my terminal and am using the very limited console in the droplet management page I cannot cut and paste iptables -L output.... Ideas?

  • Kamal Nasser 11 months

    @stpdave: Does apt-get work without these iptables rules?

  • Pablo of vDevices.com 10 months

    Greetings: After following the instructions in this tutorial, my droplet is not able to resolve DNS. When I run "nslookup google.com" the system responds with: ;; connection timed out; no servers could be reached I'm not able to "sudo apt-get update" anymore, either. I'm running Ubuntu 12.04 & I also installed fail2ban as per the tutorial provided in this site.

  • bulat 10 months

    Hey Pablo, You should allow incoming UDP packets from DNS servers in order to resolve hostnames:

    iptables -I INPUT -p udp -m udp --sport 53 -j ACCEPT

    It would be best to use a particular nameserver (8.8.8.8 or 8.8.4.4 or 4.2.2.1) and only allow it through:

    iptables -I INPUT -p udp -m udp -s 8.8.8.8 --sport 53 -j ACCEPT
    iptables -I INPUT -p udp -m udp -s 8.8.4.4 --sport 53 -j ACCEPT
    iptables -I INPUT -p udp -m udp -s 4.2.2.1 --sport 53 -j ACCEPT

    Place these lines on top of /etc/resolv.conf :

    nameserver 8.8.8.8
    nameserver 8.8.4.4
    nameserver 4.2.2.1

  • Pablo of vDevices.com 10 months

    Thanks bulat!!! It worked.

  • Pablo of vDevices.com 10 months

    Does anyone have a script that they created/use for automating the process of setting up iptables after deploying a new droplet? Also, other iptable-entries that I found useful are: Drop all traffic to 127/8 that doesn't use lo0.

    -A INPUT -i lo -j ACCEPT
    Allow all outbound traffic or you can modify this to only allow certain traffic.
    -A OUTPUT -j ACCEPT
    IP Whitelist.
    123.456.789.012
    987.654.321.098
    Default deny unless explicitly allowed policy.
    -A FORWARD -j DROP
    These could simply be entered directly into /etc/iptables/rules.v4

  • Pablo of vDevices.com 10 months

    Oops! RE: Dropping all traffic to 127/8 that doesn't use lo0, replace -A INPUT -i lo -j ACCEPT with:

    -A INPUT -d 127.0.0.0/8 -j REJECT
    Also, the complete entries for the IP Whitelist section should be:
    -A INPUT -s 123.456.789.0/23 -j ACCEPT
    -A INPUT -s 987.654.321.098/32 -j ACCEPT
    Grrrr! I guess I need to calm down and re-read my posts b/f I submit them!

  • admin 10 months

    If I am using UFW to setup firewall rules, do I still need to use the IP table based solution?

  • Kamal Nasser 10 months

    @admin UFW is a wrapper for ip-tables. I recommend using only one of them.

  • rajeev1204 10 months

    Hi, I have a weird problem with the last step about using iptables-persistent. When I use the iptables-persistent restart command, my https (or ssl) stops working, I mean people cannot connect via https. What could be the reason for it? If I flush all tables and create rules again, including allowing https or port 443, without the persistent part, it works ok.

  • Kamal Nasser 10 months

    @rajeev1204 you should run the following command after you edit your iptables rules so iptables-persistent saves the changes: sudo /etc/init.d/iptables-persistent save

  • rajeev1204 9 months

    Thanks Kamal, your command works fine. The iptables-persistent start command in the tutorial locked me out of https pages, or they timed out.

  • Gangster 8 months

    I would like to limit SSH and FTP to 3 IPs. How would I modify those rules above?

  • Kamal Nasser 8 months

    @gasperzi: First, create a chain for SSH:

    sudo iptables -N SSH
    and another chain for FTP:
    sudo iptables -N FTP
    Add the whitelisted IPs to the SSH chain:
    sudo iptables -A SSH -s 1.2.3.4 -j ACCEPT
    sudo iptables -A SSH -s 1.2.3.5 -j ACCEPT
    #etc.
    Do the same for FTP:
    sudo iptables -A FTP -s 1.2.3.4 -j ACCEPT
    sudo iptables -A FTP -s 1.2.3.5 -j ACCEPT
    Then, have iptables check the SSH chain on connection to ssh and see if the IP that is trying to connect is whitelisted and if not, drop the packets:
    sudo iptables -p tcp -m tcp --dport 22 -j SSH
    sudo iptables -p tcp -m tcp --dport 22 -j DROP
    Do the same for FTP:
    sudo iptables -p tcp -m tcp --dport 21 -j FTP
    sudo iptables -p tcp -m tcp --dport 21 -j DROP
    Now, whenever you want to add another IP address to the whitelist, you can simply run one of these commands according to which service you want to access:
    sudo iptables -A SSH -s 111.222.111.222 -j ACCEPT

  • Gangster 7 months

    Thanks. I was able to enter whitelisted IPs, but when I wanted to enter: sudo iptables -p tcp -m tcp --dport 22 -j SSH I get this error: iptables v1.4.12: no command specified Try `iptables -h' or 'iptables --help' for more information. What is wrong here? I am using ubuntu x64 droplet

  • Kamal Nasser 7 months

    @gasperzi: My bad, try these commands instead:

    sudo iptables -A INPUT -p tcp -m tcp --dport 22 -j SSH
    
    sudo iptables -A INPUT -p tcp -m tcp --dport 22 -j DROP
    
    sudo iptables -A INPUT -p tcp -m tcp --dport 21 -j FTP
    
    sudo iptables -A INPUT -p tcp -m tcp --dport 21 -j DROP

  • Gangster 7 months

    Almost there, now ssh is not working. Would you be so kind to check what I am missing? I may have added or missed a rule that was posted later on, or one is in conflict with the one you suggested.

    sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -I INPUT -p udp -m udp --sport 53 -j ACCEPT
    sudo iptables -I INPUT 1 -i lo -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    sudo iptables -N SSH
    sudo iptables -N FTP
    sudo iptables -A SSH -s 1.2.3.4 -j ACCEPT
    sudo iptables -A FTP -s 1.2.3.4 -j ACCEPT
    sudo iptables -A INPUT -p tcp -m tcp --dport 22 -j SSH
    sudo iptables -A INPUT -p tcp -m tcp --dport 22 -j DROP
    sudo iptables -A INPUT -p tcp -m tcp --dport 21 -j FTP
    sudo iptables -A INPUT -p tcp -m tcp --dport 21 -j DROP
    sudo iptables -A INPUT -j DROP
    sudo apt-get install iptables-persistent
    sudo service iptables-persistent start

  • Kamal Nasser 7 months

    @gasperzi: Can you connect to FTP or does it not work either?

  • Gangster 7 months

    does not work either

  • Kamal Nasser 7 months

    @gasperzi: Clear the SSH and FTP chains:

    sudo iptables -F SSH
    sudo iptables -F FTP
    Get your computer's IP address from here and replace 1.2.3.4 with your IP.
    sudo iptables -A SSH -s your.ip.address -j ACCEPT 
    sudo iptables -A FTP -s your.ip.address -j ACCEPT 

  • niranjan81 7 months

    Once the firewall is set up with all the desired ports configured, the last rule for dropping all the rest of the packets blocks out the ssh as well as even the dns hostname resolution. Even ping returns unknown hosts / host not reachable. (I have confirmed that the ssh port is correctly set.) I have been through the step of allowing port 53 on udp, with no success, but have yet to test allowing udp as well as tcp (read somewhere that ipv6 requires udp as well as tcp port 53 for dns). So, my question is: are there any additional ports required to be allowed for the correct host name resolution and/or ssh and/or communication between the virtual server and digital ocean host?

  • stlawson 6 months

    Is there a way to make the IPtable persistent and also use: modprobe nf_conntrack_ftp I tried many things and finally gave up and created a script that I run in .profile [and because it requires 'sudo', I have to enter my password twice -- once for SSH login and once for sudo]. Or is it not such a big deal to not use Passive FTP? Ubuntu 12.04/LAMP

  • Kamal Nasser 6 months

    @stlawson: Take a look at http://serverfault.com/a/326693 Also at the Saving IP Tables section of this article.

  • zulan 6 months

    Exactly what I was looking for, worked perfectly! Thanks

  • Benjamin Chait 6 months

    How does iptables impact sFTP? So long as iptables allows ssh, will my sFTP connections also be allowed?

  • Kamal Nasser 6 months

    @Benjamin: That is correct. SFTP uses the OpenSSH daemon which is what you use to ssh in.

  • gparent 5 months

    This tutorial needs to mention ICMP! iptables -A INPUT -p icmp -j ACCEPT after the ESTABLISHED rule.

  • gparent 5 months

    Also: "-p: (port), refers to the the port through which the machine connects" -p has never referred to the port and never will.

  • Kamal Nasser 5 months

    @gparent: Nice catch, I've updated the article :] Thanks!

  • stlawson 4 months

    "Take a look at http://serverfault.com/a/326693 " On my installation (LAMP on Ubuntu 12.04) I can find no
    * /etc/rc.d directory
    * rc.sysinit file
    * /etc/rc.modules file
    * rc.modules file [anywhere]
    * etc/sysconfig dir
    * sysconfig dir [anywhere]
    So, I'm still looking for a place to stick the "modprobe nf_conntrack_ftp " command, so it's called whenever the server is bounced. "Also at the Saving IP Tables section of this article." Yup, I did that, which takes care of restoring the iptables, but unless I run "modprobe nf_conntrack_ftp" I'm unable to FTP in when the Transfer Mode [on my FTP client--Filezilla] is set to "Passive" [after a server reboot].

  • Kamal Nasser 4 months

    @stlawson: Hmm. I think you can stick the modprobe command in /etc/rc.local. Try it out and let me know if that works.

  • Marc Isaacson 4 months

    There is a typo in the original summary of the commands in the IP Table Commands sections. It refers to "--cstate" (two times) instead of "--ctstate" It makes the error again in the explanation in the Basic Firewall section.

  • Kamal Nasser 4 months

    @Marc: It's one line but it's wrapped so it appears as two lines. Unfortunate placing really ;)

  • stlawson 4 months

    @Kamal: Putting modprobe nf_conntrack_ftp in the /etc/rc.local file appears to have worked. After restarting the server I was still able to FTP in using Passive mode. And, when I try to PuTTY in using a different port # than the one in iptable, I am rejected, so apparently the firewall is up and running! Cool -- thank you!!

  • livesliders 4 months

    Is there an advantage to using iptables-persistent rather than just setting rules in /etc/rc.local where they'll be set upon each bootup? No bias just like to understand. I tend to use rc.local a bit for startup stuff.

  • Kamal Nasser 4 months

    @livesliders: Both should work just fine, I personally use rc.local

  • Dominik Kacprzak 3 months

    My droplet does not have ip tables installed. I'm on Ubuntu, 13.10 x64. Does anybody else have same problem?

    libkmod: ERROR ../libkmod/libkmod.c:505 kmod_lookup_alias_from_builtin_file: could not open builtin file '/lib/modules/3.11.0-13-generic/modules.builtin.bin'
    FATAL: Module ip_tables not found.
    iptables v1.4.18: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.

  • Kamal Nasser 3 months

    @Dominik: You need to run the following command:

    sudo apt-get install linux-image-$(uname -r)

  • greivin.lopez 3 months

    Hi, following this guide what is the best way to redirect port 80 to 8080 where is my server listening for requests?

  • greivin.lopez 3 months

    Sorry if my previous message is not clear enough. What I want is to know the exact point to include rules to redirect port 80 to 8080 according to the instructions on this article.

  • Kamal Nasser 3 months

    @greivin.lopez: See http://richardfergie.com/redirect-port-80-to-a-different-port-using-iptables.

  • larrypack about 1 month

    I've done all this and it works, but now I need to allow ssl. What's the command for this?

  • Kamal Nasser about 1 month

    @larrypack:

    sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

  • larrypack about 1 month

    Thanks Kamal!

  • ihk2010 21 days

    When trying to run `sudo iptables -L` I got

    FATAL: Error inserting ip_tables (/lib/modules/3.8.0-37-generic/kernel/net/ipv4/netfilter/ip_tables.ko): Invalid module format
    iptables v1.4.12: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.

    uname -r
    3.8.0-37-generic

  • kellen 21 days

    If I use a custom ssh port, would I need to modify: sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT to read, for example: sudo iptables -A INPUT -p tcp --dport 123456 -j ACCEPT Where my ssh port = 123456? I have done this, and followed the rest of the guide, however I do not seem to be able to ssh afterwards - what am I missing?

  • Richard M 18 days

    I'm having the same sort of issues as ihk2010. When attempting to do anything with iptables I get the following error:

    FATAL: Error inserting ip_tables (/lib/modules/3.8.0-36-generic/kernel/net/ipv4/netfilter/ip_tables.ko): Invalid module format

    I have updated the linux-headers and linux-image but still get the same issues. Can anyone help please?

  • serdarn 9 days

    ihk2010, Richard M: The Ghost prebuilt image I had was running on a 64bit kernel but had a 32bit OS. You need to change your kernel version to the same but 32bit in the droplet settings window, then reboot. https://www.digitalocean.com/community/questions/problem-with-iptables-and-ubuntu-ubuntu-13-10
