Thursday, September 15, 2016

How to Open up Ports for Web Server with IPTABLES

I have a personal VPN server that I also want to setup as a web server. The VPN server is configured with iptables to drop all other connections, including TCP 80 (HTTP) and TCP 443 (HTTPS). So, here is how to open up those two ports.

Edit /etc/iptables.rules and insert two lines (green) as shown below:
...
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
-A INPUT -p udp --dport 1701 -j DROP
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
...

Your iptables.rules configuration is probably different from mine, but just make sure to add the two lines in green. Just make sure that these two lines should be inserted before the lines with DROP.

Next, reload the iptable
$ sudo iptables-restore < /etc/iptables.rules

That's it!

No comments:

Post a Comment