I recently purchased a Hong Kong cloud server from Carbon Cloud Coal Boss to host tiny-tiny-rss, a monitoring panel, and run some Docker services. It's mainly used to monitor the network status of my home OpenWRT main router and side routers. The speed and stability are both OK, but the web interface doesn't provide options for firewall configuration. The system I installed is Ubuntu 22.04, and I'm using iptables, which I'm somewhat familiar with. I can handle basic firewall rule configurations. So, let's get started with the setup.
IPv4 Rule Configuration
First, run iptables -L to view the existing rules and make sure the new ones won't conflict with them. It's also advisable to add the rules in order: local settings first, then the open ports, and the global settings (default policy) last, so that you don't lock yourself out of the server halfway through the configuration.
Allow Local Loopback Interface
Allow traffic on the lo interface, which is the system's own communication and should not be blocked.
Allow Established Connections
Allow established and related connections to continue passing through so the server can properly handle response traffic.
Allow Specific Service Ports
Allow traffic for the service ports you need, such as SSH, HTTP/HTTPS, DNS, etc. Add specific ports as needed.
SSH
If you've changed the SSH listening port in sshd_config, replace 22 with your configured port.
HTTP (80) and HTTPS (443)
Basic access traffic.
Tiny Tiny RSS (181)
DNS
If you plan to set up a DNS server on your cloud server, it's recommended to allow it. If not, you can skip adding DNS port rules.
ICMP (Ping)
Allow ICMP traffic for server availability checks.
Limit SSH Login Attempts
Add rules to limit SSH login attempts to protect the server from brute-force attacks. Here it's configured to allow 5 attempts per minute (1 attempt per minute works well too).
Log and Discard Other Traffic
Add logging rules and discard all other traffic that is not explicitly allowed.
Set Default Policy
After all rules are added, set the default policy to drop unmatched input and forwarded traffic, and allow output traffic. This step is usually done after the rules to avoid accidentally interrupting services during the setup process.
Rule Persistence
I'm using Ubuntu, and I don't want to use iptables-save and iptables-restore. I want the system to automatically load the configured rules after each reboot, so I need to use iptables-persistent.
During the installation, answer 'Yes' to all prompts.
Save the configured rules:
IPv6 Rule Configuration
Since the cloud server is also allocated an IPv6 address, and I prefer to use IPv6 in general, I also need to configure the IPv6 iptables firewall rules. The configuration is basically the same as for IPv4, but the commands are replaced with ip6tables.
Allow Local Loopback Interface
Allow traffic on the lo interface, which is the system's own communication and should not be blocked.
Allow Established Connections
Allow established and related connections to continue passing through so the server can properly handle response traffic.
Allow Specific Service Ports
Allow traffic for the service ports you need, such as SSH, HTTP/HTTPS, DNS, etc. Add specific ports as needed.
SSH
If you've changed the SSH listening port in sshd_config, replace 22 with your configured port.
HTTP (80) and HTTPS (443)
Basic access traffic.
Tiny Tiny RSS (181)
DNS
If you plan to set up a DNS server on your cloud server, it's recommended to allow it. If not, you can skip adding DNS port rules.
ICMP (Ping)
Allow ICMP traffic for server availability checks.
Limit SSH Login Attempts
Add rules to limit SSH login attempts to protect the server from brute-force attacks. If you've changed the SSH listening port in sshd_config, add the limit rules for both the new port and the original port 22: nobody with good intentions scans port 22.
Log and Discard Other Traffic
Add logging rules and discard all other traffic that is not explicitly allowed.
Set Default Policy
After all rules are added, set the default policy to drop unmatched input and forwarded traffic, and allow output traffic. This step is usually done after the rules to avoid accidentally interrupting services during the setup process.
Rule Persistence
I'm using Ubuntu, and I don't want to use iptables-save and iptables-restore. I want the system to automatically load the configured rules after each reboot, including support for both IPv4 and IPv6 rules. These requirements can be met with iptables-persistent.
During the installation, answer 'Yes' to all prompts.
Save the configured rules:
Summary
Check if the rules are successfully loaded:
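As an added example (these are not the post's own commands), the script below generates the complete INPUT rule set described in the IPv4 and IPv6 sections above, applies it on request, and then saves and lists it as the persistence and check steps describe. Run without arguments it only prints the iptables and ip6tables commands so they can be reviewed; "apply" runs them. The values are assumptions to adjust: SSH on port 22 (SSH_PORT), Tiny Tiny RSS on 181 (TTRSS_PORT), a DNS server present (WITH_DNS), 5 new SSH connections per source per minute (SSH_HITS), and empty INPUT chains to append to (hence the iptables -L check first). Two points the step list leaves implicit: the SSH limit rules must sit before the SSH ACCEPT rule or they never match, and on IPv6 the ICMP rule accepts all of ICMPv6 rather than echo-request only, because neighbour discovery and path-MTU discovery ride on it.

```shell
#!/bin/sh
# Added example, not the post's own commands. Prints (or applies) the INPUT rules
# the post describes for iptables and ip6tables.
#   sh fw.sh              -> print both rule sets for review (dry run)
#   sudo sh fw.sh apply   -> run them, persist them, then list the loaded chains
# Assumed values (placeholders): override via the environment.
SSH_PORT=${SSH_PORT:-22}
TTRSS_PORT=${TTRSS_PORT:-181}
SSH_HITS=${SSH_HITS:-5}      # NEW SSH connections allowed per source per 60 s
WITH_DNS=${WITH_DNS:-yes}    # "no" if the box runs no DNS server

# Emit the rate-limit pair for one SSH port. Each new SYN is recorded (--set) and
# then checked (--rcheck); the (SSH_HITS+1)th hit within 60 s from one source is
# dropped. --rcheck rather than --update so a packet is counted exactly once.
ssh_limit() {
    ipt=$1; port=$2
    echo "$ipt -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name SSH --set"
    echo "$ipt -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name SSH --rcheck --seconds 60 --hitcount $((SSH_HITS + 1)) -j DROP"
}

# Print the full rule set for $1 ("iptables" or "ip6tables"). Order matters: the
# SSH limit pair precedes the SSH ACCEPT, the LOG/DROP pair is last, and the
# default policies are set only after every rule is in place.
rules_for() {
    ipt=$1
    case $ipt in
        iptables)  icmp="$ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT" ;;
        # IPv6 needs more than echo-request: neighbour discovery, router
        # advertisements and path-MTU discovery are ICMPv6, so accept the protocol.
        ip6tables) icmp="$ipt -A INPUT -p ipv6-icmp -j ACCEPT" ;;
        *) echo "rules_for: expected iptables or ip6tables, got '$ipt'" >&2; return 1 ;;
    esac
    echo "$ipt -A INPUT -i lo -j ACCEPT"
    echo "$ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    ssh_limit "$ipt" "$SSH_PORT"
    # The post's advice: if SSH moved, keep limiting (and so logging) hits on 22.
    if [ "$SSH_PORT" != 22 ]; then ssh_limit "$ipt" 22; fi
    echo "$ipt -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT"
    echo "$ipt -A INPUT -p tcp -m multiport --dports 80,443,$TTRSS_PORT -j ACCEPT"
    if [ "$WITH_DNS" = yes ]; then
        echo "$ipt -A INPUT -p udp --dport 53 -j ACCEPT"
        echo "$ipt -A INPUT -p tcp --dport 53 -j ACCEPT"
    fi
    echo "$icmp"
    # Log what is about to be dropped, rate-limited so a scan cannot flood the log.
    echo "$ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"$ipt-denied: \" --log-level 4"
    echo "$ipt -A INPUT -j DROP"
    echo "$ipt -P INPUT DROP"
    echo "$ipt -P FORWARD DROP"
    echo "$ipt -P OUTPUT ACCEPT"
}

if [ "${1:-}" = apply ]; then
    set -e
    for fam in iptables ip6tables; do
        rules_for "$fam" | sh -e
    done
    netfilter-persistent save        # from iptables-persistent: writes /etc/iptables/rules.v4 and rules.v6
    iptables -L INPUT -n -v          # the load check from the Summary, both families
    ip6tables -L INPUT -n -v
else
    rules_for iptables
    rules_for ip6tables
fi
```

One caveat for a host that also runs Docker services: ports published by Docker never reach the INPUT chain, because Docker DNATs them and accepts them in the FORWARD path through its own chains, so a container port that should not be reachable from outside has to be blocked in the DOCKER-USER chain rather than here.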
Reference Articles
- Ubuntu Community Wiki: IptablesHowTo
If you have any questions about the installation or use of cloud servers, feel free to leave a comment below for discussion.