A packet is data: a sequence of bits. An example: an HTTPS request is stored in one or more packets. netfilter filters incoming and outgoing packets. iptables is considered a firewall; it defines rules, known as chains, for netfilter to filter packets. At minimum, a chain defines the table and target. The table classifies the origin of the packet. Examples of tables are input for incoming packets, and output for outgoing packets. The target is the action taken on the packet. Examples of targets are accept, reject, and drop. As an example, a chain may drop all packets from an ip address. fail2ban generates chains. An example: if an ip address fails 20 ssh login attempts within a minute, fail2ban generates a chain to drop all incoming packets from the ip address.
sudo apt-get purge ufw to remove ufw, if it is installed on the server. ufw is a firewall which may conflict with iptables.sudo apt-get install iptables to install iptables.sudo iptables -F to flush (remove) any existing chains.sudo iptables -L -v to list chains. Confirm there are no chains.sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT to accept incoming packets associated with a current or former connection that successfully passed at least one incoming and outgoing packet. sudo iptables -A INPUT -i lo -j ACCEPT to accept incoming packets to a loopback address; this allows nginx to pass requests to tinyshop.sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT to accept incoming packets to port 22. ssh uses port 22.sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT to accept incoming packets to port 80. http uses port 80.sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT to accept incoming packets to port 443. https uses port 443.sudo iptables --policy INPUT DROP to drop incoming packets if no chain is matched.sudo apt install fail2ban to install fail2ban./etc/fail2ban directory.sudo cp jail.conf jail.local to copy jail.conf into jail.local. If a fail2ban update changes jail.conf, jail.local will remain unchanged.jail.local in the nano text editor.[sshd] input enabled = true to enable the ssh jail.sudo systemctl enable fail2ban to enable fail2ban.sudo systemctl start fail2ban to start fail2ban.sudo systemctl status fail2ban to confirm fail2ban is active.sudo /sbin/iptables-save to save the chains.