A packet is data: a sequence of bits. For example, an HTTPS request is carried in one or more packets. netfilter filters incoming and outgoing packets. iptables is considered a firewall; it defines rules, grouped into chains, for netfilter to filter packets. At minimum, a rule specifies a chain and a target. The chain classifies the origin of the packet: INPUT for incoming packets, OUTPUT for outgoing packets. The target is the action taken on the packet: ACCEPT, REJECT, or DROP. For example, a rule may drop all packets from an ip address. fail2ban generates chains. For example, if an ip address fails 20 ssh login attempts within a minute, fail2ban generates a chain to drop all incoming packets from that ip address.
sudo apt-get purge ufw

to remove ufw, if it is installed on the server. ufw is a firewall which may conflict with iptables.

sudo apt-get install iptables

to install iptables.

sudo iptables -F

to flush (remove) any existing chains.

sudo iptables -L -v

to list chains. Confirm there are no chains (the built-in INPUT, FORWARD and OUTPUT chains are still listed, but they should contain no rules).

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

to accept incoming packets associated with a current or former connection that has already passed at least one incoming and one outgoing packet.

sudo iptables -A INPUT -i lo -j ACCEPT

to accept incoming packets on the loopback interface; this allows nginx to pass requests to tinyshop.

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

to accept incoming packets to port 22. ssh uses port 22.

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

to accept incoming packets to port 80. http uses port 80.

sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

to accept incoming packets to port 443. https uses port 443.

sudo iptables --policy INPUT DROP

to drop incoming packets that match none of the rules above. The order matters: the ACCEPT rules are added first, and the DROP policy only applies to packets that reach the end of the INPUT chain.

sudo apt install fail2ban

to install fail2ban.

Change to the /etc/fail2ban directory.

sudo cp jail.conf jail.local

to copy jail.conf into jail.local. If a fail2ban update changes jail.conf, jail.local will remain unchanged.

Open jail.local in the nano text editor. Under the [sshd] section, input

enabled = true

to enable the ssh jail.

sudo systemctl enable fail2ban

to enable fail2ban.

sudo systemctl start fail2ban

to start fail2ban.

sudo systemctl status fail2ban

to confirm fail2ban is active.

sudo /sbin/iptables-save

to save the chains. Note that iptables-save prints the current rules to standard output rather than storing them anywhere; redirect the output to a file and load that file at boot with iptables-restore (the iptables-persistent package does this from /etc/iptables/rules.v4) if the chains should survive a reboot.
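The INPUT ruleset built in the steps above, rendered in the iptables-save format that iptables-restore loads, as an added example that is not part of the original page. The function names gen_input_rules and check_rules and the port list are assumptions; the script only prints text and never touches the live firewall, so it can be run without root and its output reviewed before loading.

```shell
#!/bin/sh
# Added example (not from the original page): render the page's INPUT rules
# in iptables-save/iptables-restore format without modifying the firewall.
# Usage (hypothetical): gen_input_rules 22 80 443 > rules.v4
#                       sudo iptables-restore < rules.v4

# Emit a complete filter table that accepts the given TCP ports.
gen_input_rules() {
    printf '%s\n' '*filter'
    # Default policy DROP for INPUT: anything no rule accepts is dropped.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Rules are evaluated in order, so the ACCEPT rules come before the
    # end of the chain, where the DROP policy takes effect.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    for port in "$@"; do
        # Reject anything that is not a plain decimal port number.
        case "$port" in
            ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
        esac
        printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Sanity check on a rendered ruleset: the INPUT policy must be DROP and
# every expected port must have an ACCEPT rule. Returns 0 on success.
check_rules() {
    rules="$1"; shift
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    for port in "$@"; do
        printf '%s\n' "$rules" | grep -q -- "--dport $port -j ACCEPT" || return 1
    done
    return 0
}
```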