@richardg
If you’re using Ubuntu, a more simplified alternative (and overlay on top of) iptables is ufw. You should assume the worst and prepare for it, regardless of the access method. Using ufw you can set up a deny all rule first, then set up your allow rules individually.
The deny all should be set first as, IIRC, the rules are followed in the order they are set. So, for instance, allowing Port 22 and then setting up a deny all rule will still allow access on Port 22, since the allow rule was set first.
On Ubuntu you can use something such as:

```
ufw disable
ufw default deny \
&& ufw allow 22/tcp \
&& ufw allow 80/tcp \
&& ufw allow 443/tcp \
&& ufw allow 53/tcp \
&& ufw allow 53/udp \
&& ufw enable
```

And then type in y and hit enter/return.
What The Commands Do
- Disables ufw, if enabled.
- Sets the Default Rule to Deny ALL Connections.
- Allows Connections on Port 22 (SSH) via TCP
- Allows Connections on Port 80 (HTTP) via TCP
- Allows Connections on Port 443 (HTTP) via TCP
- Allows Connections on Port 53 (DNS) via TCP
- Allows Connections on Port 53 (DNS) via UDP
- Enables ufw.

Port 53 (DNS) is set up to allow connections on both TCP and UDP, as without these rules in place you may run into issues using apt-get update | upgrade | install, since connections to and from may not be able to resolve properly.
The others simply allow connections through so that you can connect to SSH and receive incoming requests via the standard HTTP/HTTPS ports.
You can add additional rules by simply changing the port number and choosing a protocol, like so:

```
#+ ufw allow #/protocol
ufw allow 8899/tcp
```
Most connections are going to be over TCP unless there’s something that explicitly requires that UDP be allowed. That should be stated, otherwise it’s safe to say that TCP should be used as the protocol.
The benefit here is that by using ufw you’re covering your IPv4, IPv6 and Private Network IPs with one solution.
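An added check, not part of the post above: a small shell audit that reads captured `ufw status verbose` output and confirms the two things the post relies on, that the incoming default is deny and that only the intended ports are allowed. The sample status text and the `EXPECTED_ALLOW` policy are constructed for this example; on a real host you would pipe in `ufw status verbose` instead.

```shell
# Sample `ufw status verbose` output, constructed for this example in the
# format ufw prints; it carries the post's rules plus one extra (8899/tcp).
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
53/tcp                     ALLOW IN    Anywhere
53/udp                     ALLOW IN    Anywhere
8899/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)'

# The ports this host is meant to accept (hypothetical policy for the example).
EXPECTED_ALLOW="22/tcp 80/tcp 443/tcp 53/tcp 53/udp"

# default_is_deny: reads status text on stdin; succeeds only when the
# incoming default policy is deny (the "deny all first" the post relies on).
default_is_deny() {
    grep -q '^Default: deny (incoming)'
}

# unexpected_allows: reads status text on stdin, prints each ALLOW IN target
# (the IPv4 and IPv6 entries for one port/proto collapse to a single line)
# that is not in EXPECTED_ALLOW, and returns 1 if any were found.
unexpected_allows() {
    found=$(awk '/ ALLOW IN / { print $1 }' | sort -u)
    rc=0
    for rule in $found; do
        case " $EXPECTED_ALLOW " in
            *" $rule "*) ;;
            *) echo "$rule"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone demo on the embedded sample: reports the default policy and
# lists any ALLOW rule outside the policy (8899/tcp here).
printf '%s\n' "$SAMPLE_STATUS" | default_is_deny && echo "incoming default: deny"
printf '%s\n' "$SAMPLE_STATUS" | unexpected_allows || echo "unexpected ALLOW rules listed above"
```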