How to open ports on Ubuntu and CentOS using IPtables

Having a properly configured firewall is very important for the overall security of your server. In this tutorial, we are going to show you how to set up a firewall and open the ports you need on your Linux VPS.

While there are several tools for managing the firewall on a Linux server, this tutorial uses iptables directly. If you use UFW on Ubuntu or FirewallD on CentOS instead, see our respective guides on how to set up a firewall with UFW on Ubuntu or how to set up a firewall with FirewallD on CentOS.

First, connect to your Linux VPS via SSH and list the current iptables rules with the following command:

sudo iptables -L

On a freshly installed server there are usually no rules yet and all three chains have the default policy ACCEPT, so the output should look like this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If rules you do not want are already present, you can clear them with the following command:

sudo iptables -F

Be careful with this command: -F removes the rules but leaves the chain policies unchanged. If the policy of INPUT or OUTPUT is already DROP (or REJECT) rather than ACCEPT, flushing deletes the rule that lets your SSH session through and locks you out of the server. Check the "policy" shown in the chain headers of the listing first, and set the policy back to ACCEPT before flushing if necessary.

The first firewall rule to add is as follows:

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

This accepts every packet that belongs to a connection the kernel's connection tracker already knows about (ESTABLISHED) or that is related to one, such as an ICMP error for it (RELATED). Your current SSH session is one of those connections, so it survives the DROP policy set at the end of this tutorial. Rules appended with -A are evaluated in order, which is why this one goes first. The next step is to allow traffic on the loopback interface and open the main ports, 22 for SSH and 80 for HTTP:

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

You are now ready to open any other ports your services need, using the same command as for ports 22 and 80 above, for example 443 for HTTPS (for a UDP service use -p udp instead of -p tcp). Open only ports on which a service actually listens; everything else is dropped once the default policy is changed below.

List existing rules using:

sudo iptables -L

The output should be similar to the one below:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

For more detailed output, with packet and byte counters, interface names and numeric addresses instead of service names, you can use:

sudo iptables -nvL

And the output should be like this:

Chain INPUT (policy ACCEPT 4 packets, 255 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 283 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0

Now change the default policy of the INPUT chain to DROP, so that every incoming packet that does not match one of the ACCEPT rules added above is silently discarded:

sudo iptables -P INPUT DROP

Do this only after confirming in the listing that the rule for port 22 (or whatever port your sshd listens on) is present; with the policy at DROP, a missing SSH rule means no new SSH connection can reach the server. The OUTPUT chain keeps policy ACCEPT, so connections initiated by the server itself are not affected, and the conntrack rule lets their replies back in.

The last step is to save the rules and make them persistent; otherwise they live only in kernel memory and are gone after a reboot. On an Ubuntu VPS, install iptables-persistent for this purpose (the installer offers to save the current rules to /etc/iptables/rules.v4, from where they are reloaded at boot).

sudo apt-get install iptables-persistent

On Ubuntu 14.04 you can use the following commands to save / reload your iptables rules:

sudo /etc/init.d/iptables-persistent save
sudo /etc/init.d/iptables-persistent reload

On Ubuntu 16.04 and later use the following commands:

sudo netfilter-persistent save
sudo netfilter-persistent reload

If you are using a CentOS VPS, the following command saves your iptables rules to /etc/sysconfig/iptables, from where they are loaded at boot:

service iptables save

On CentOS 6 this works out of the box. On CentOS 7 the iptables service comes from the iptables-services package, which you need to install, and firewalld (the default there) should be disabled so the two do not fight over the same rules.
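The steps above entered one rule at a time and changed the policy last, which leaves a short window in which a typo can lock you out. The following script is an added example, not part of the original tutorial: it builds the same ruleset as a file in iptables-restore format (the format iptables-persistent and netfilter-persistent keep in /etc/iptables/rules.v4), so policies and rules are loaded atomically, and it refuses to emit a DROP policy unless the SSH port is in the list of allowed ports. It also provides a pre-flight check that reads the output of iptables -S INPUT before you run iptables -P INPUT DROP on a live server. SSH_PORT, the function names, the sample listings, and the choice to set FORWARD to DROP (the tutorial leaves it at ACCEPT) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# Generates the tutorial's ruleset in iptables-restore format with a guard
# against locking yourself out, plus a check to run before "iptables -P INPUT DROP".

SSH_PORT=22   # assumption: change if your sshd listens on another port

# build_rules_v4 PORT [PORT...]
# Print a complete "filter" table for iptables-restore; the allowed TCP ports
# are the arguments. Exit status 1 and no output if SSH_PORT is not among them.
build_rules_v4() {
    ssh_ok=0
    for p in "$@"; do
        [ "$p" = "$SSH_PORT" ] && ssh_ok=1
    done
    if [ "$ssh_ok" -ne 1 ]; then
        echo "build_rules_v4: refusing DROP policy without TCP/$SSH_PORT (SSH)" >&2
        return 1
    fi
    printf '%s\n' '*filter'
    # Policies are loaded atomically with the rules, so there is no moment
    # where INPUT is already DROP but the ACCEPT rules are not in place yet.
    printf '%s\n' ':INPUT DROP [0:0]'
    # This example's choice: a VPS does not route for other hosts, so drop
    # forwarded traffic as well (the tutorial leaves FORWARD at ACCEPT).
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Same order as the tutorial: existing connections first, then loopback,
    # then one rule per allowed port.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# ssh_rule_present
# Read "iptables -S INPUT" output on stdin and succeed only if an ACCEPT rule
# for TCP/SSH_PORT is present. Pre-flight check on a live server:
#   sudo iptables -S INPUT | ssh_rule_present || echo "no SSH rule, do not set DROP"
ssh_rule_present() {
    grep -Eq -e "^-A INPUT .*-p tcp .*--dport ${SSH_PORT}( .*)? -j ACCEPT\$"
}

# Constructed sample of "iptables -S INPUT" from a server where only the
# conntrack and loopback rules have been added so far: the check must fail.
SAMPLE_WITHOUT_SSH='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT'

# Same server after the tutorial's port 22 rule: the check must pass.
SAMPLE_WITH_SSH="$SAMPLE_WITHOUT_SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT"

# Stand-alone demo: print a ruleset for SSH, HTTP and HTTPS, show the guard
# rejecting a list that forgot SSH, and run the check on both samples.
build_rules_v4 "$SSH_PORT" 80 443
build_rules_v4 80 443 || echo "guard rejected a port list without SSH"
printf '%s\n' "$SAMPLE_WITHOUT_SSH" | ssh_rule_present \
    && echo "SSH rule present" || echo "no SSH rule yet, do not set DROP"
printf '%s\n' "$SAMPLE_WITH_SSH" | ssh_rule_present \
    && echo "SSH rule present, safe to set DROP"
```

To use the generated file, write it to the location your distribution's persistence tool expects, for example build_rules_v4 22 80 443 | sudo tee /etc/iptables/rules.v4 > /dev/null on Ubuntu, and load it with sudo iptables-restore < /etc/iptables/rules.v4. Because the ESTABLISHED,RELATED rule is part of the same atomic load, the SSH session you run this from stays open.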
