IPTables is the most comprehensive tool for managing traffic rules on your VPS server. The strange thing is that you might never have used it directly by invoking the “iptables” command on your server, but all the front-end tools like firewalld and CSF use IPTables in the background.
We have a tutorial on NameHero on how to install CSF, so you can check that out because CSF is a lot more user-friendly than IPTables, and if you can get away with it, you shouldn’t try and modify the IPTables rules directly. But if you need to know how to explicitly use IPTables to open or add ports on your VPS server, you’ve come to the right place.
This article will not only explain the steps to open a port, I’ll also talk about common mistakes, how IPTables works, and what IPTables does that other tools can’t.
Opening A Port On IPTables
Let’s say you want to use SSH on port 22 on your VPS server. Normally, when you purchase a VPS with NameHero, it comes with the SSH port already open. But in case you’re doing everything yourself, here’s the command to open port 22 for SSH using IPTables:
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
It’s easier to explain how to open a port on IPTables using an example. So let’s deconstruct the above example to see how it works.
- “iptables” is the command we use to invoke the IPTables tool.
- -A INPUT tells the system that we want to append the following rule to the INPUT chain. This chain is traversed by traffic arriving at the server itself, as is the case for SSH traffic.
- -p tcp restricts the rule to TCP packets, which is the protocol SSH uses.
- --dport 22 tells IPTables that we want to focus our attention on port number 22. The “d” in “dport” stands for destination.
- -m conntrack --ctstate NEW,ESTABLISHED is a single section of the command. Conntrack is the module that allows IPTables to filter packets not just as individual packets, but as part of a tracked connection. So we specify that port 22 is only to be opened for packets that start a new SSH connection or belong to an established one. Packets that conntrack classifies as INVALID (not part of any connection it knows about) do not match this rule, which helps defend against certain types of malicious traffic.
- -j ACCEPT is called the “target action”. It means that if the traffic matches the preceding conditions, then we accept the packet.
Taken together, it means that we’ve opened port number 22 for SSH connections.
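A small wrapper around the rule above, added here as an example and not taken from the article: it checks with iptables -C whether an identical rule already exists before appending it, because every extra run of iptables -A adds another copy of the same rule. IPTABLES is an assumed variable so the binary can be swapped for a stub in tests.

```shell
#!/bin/sh
# Added example: open or close a TCP port with the article's rule, idempotently.
# iptables -C returns 0 when an identical rule is present, non-zero otherwise.
IPTABLES="${IPTABLES:-iptables}"   # assumed override point, defaults to the real tool

# valid_port N: succeed only if N is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# open_tcp_port PORT: append the NEW,ESTABLISHED accept rule for PORT on INPUT,
# unless it is already there. Prints "exists", "added" or "invalid".
open_tcp_port() {
    port="$1"
    valid_port "$port" || { echo "invalid"; return 1; }
    if "$IPTABLES" -C INPUT -p tcp --dport "$port" \
            -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT 2>/dev/null; then
        echo "exists"
        return 0
    fi
    "$IPTABLES" -A INPUT -p tcp --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT && echo "added"
}

# close_tcp_port PORT: delete the same rule. Each -D call removes one matching
# copy, so repeat until -C no longer finds the rule; duplicates go away too.
close_tcp_port() {
    port="$1"
    valid_port "$port" || { echo "invalid"; return 1; }
    removed=0
    while "$IPTABLES" -C INPUT -p tcp --dport "$port" \
            -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT 2>/dev/null; do
        "$IPTABLES" -D INPUT -p tcp --dport "$port" \
            -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT || break
        removed=$((removed + 1))
    done
    echo "removed $removed"
}
```

Run it as root (or via sudo) for the real binary; both functions report what they did so a provisioning script can act on the result.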
How To View All Open Ports
Once you run the above command, you can use either of the following two commands to check which ports have a service listening on them:
Either:
- ss -tuln
- netstat -tuln
Here’s a screenshot of running the above command to open port 22, and then using both commands to see which ports are open:
As you can see, the highlighted sections of both commands show that port 22 is listening on all incoming IP addresses and the state of the port is currently in “LISTEN” mode. Note that ss and netstat report the sockets your services have bound, so they confirm that SSH is listening on port 22; the firewall rule itself is inspected with the iptables listing command covered later in this article.
Deleting or Removing an IPTables Rule
As you can see, creating a new IPTables rule is easy. But is it as easy to delete it? To start with, you can simply re-run the IPTables command using the “-D” parameter instead of the “-A”. This will delete all instances of the rule. So the following command:
sudo iptables -D INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
Will delete the rule. Note how it’s exactly the same as the command that added the rule, except that it starts with “iptables -D” and not “iptables -A”.
What if You Forgot the First Command?
IPTables rules can be hard to write, and it’s entirely possible that you no longer remember the original command that you used to create the rule in the first place. To solve this problem, we can list the rules in IPTables, number them, and then delete a rule by its number. Here’s how you do it.
First, type the following command to get all the IPTables rules:
sudo iptables -L --line-numbers -n
The “-L” parameter tells IPTables to list all the rules in all the chains. The “--line-numbers” argument instructs IPTables to assign a number to each IPTables rule. Finally, “-n” tells the tool not to resolve the IP addresses to hostnames via DNS lookups, since it’s a waste of time and can significantly slow down the command.
Here’s the output I get when I use the above command:
As you can see, it outputs the list of rules, and the one we just added in the previous section is under “INPUT” and has the line number “1”. So you don’t need to remember the exact rule that you created. You can specify the line number of the rule you want to remove like this:
sudo iptables -D INPUT <line_number>
Here, substitute <line_number> with the number you wish to delete – in this case, “1”.
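Added example (not from the article): the listing-then-delete-by-number step automated. It picks the rule numbers for a given destination port out of the output of “iptables -L INPUT --line-numbers -n” and deletes them from the highest number downwards, because deleting rule 1 renumbers every rule after it. The listing embedded below is constructed in the format iptables prints, and IPTABLES is an assumed override variable.

```shell
#!/bin/sh
# Added example: delete INPUT rules for a port by their line numbers.
IPTABLES="${IPTABLES:-iptables}"   # assumed override point, defaults to the real tool

# Constructed sample of "iptables -L INPUT --line-numbers -n" output (not real).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,ESTABLISHED
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW,ESTABLISHED
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,ESTABLISHED
4    DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID'

# rule_lines_for_port PORT [LISTING]: print the numbers of rules whose
# destination port is PORT, highest first. Reads stdin if LISTING is omitted.
# The "( |$)" anchor stops port 22 from also matching dpt:220 or dpt:2222.
rule_lines_for_port() {
    port="$1"
    if [ $# -ge 2 ]; then listing="$2"; else listing="$(cat)"; fi
    printf '%s\n' "$listing" \
        | awk -v p="$port" '$1 ~ /^[0-9]+$/ && $0 ~ ("dpt:" p "( |$)") { print $1 }' \
        | sort -rn
}

# delete_rules_for_port PORT: list the live INPUT chain and delete every rule
# for PORT by number. Highest first, so the remaining numbers stay valid.
delete_rules_for_port() {
    port="$1"
    for n in $("$IPTABLES" -L INPUT --line-numbers -n | rule_lines_for_port "$port"); do
        "$IPTABLES" -D INPUT "$n" || return 1
    done
}
```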
No Need to Restart Anything – Changes are Automatic
Unlike other tools like ConfigServer Firewall, where you need to save and restart the tool after making changes for it to take effect, you don’t need to restart anything after you make modifications to your IPTables rules. This is because IPTables rules are applied directly to the Linux kernel’s packet filtering system. Purchasing a managed VPS with NameHero comes with ConfigServer Firewall (CSF) by default.
This is a small time-saving measure of IPTables. Despite this, I don’t think it’s worth the complexity of IPTables, as other tools are much easier to use and more user-friendly. And there’s another downside of IPTables as well.
IPTables Rules are Lost Upon Restart!
A curious feature of IPTables is that the rules aren’t stored on the file system, and thus all the rules are lost when you restart the server! As someone who dislikes complexity, this is rather shocking and is a prime reason why you should stay away from IPTables.
If you’re relying solely on IPTables, you need a method to save and restore the IPTables rules when the server starts. One way to do this is to use the iptables-save command like this:
sudo iptables-save > /path/to/your/rules_file
And after your server restarts, you can reload the IPTables rules using the iptables-restore command as such:
sudo iptables-restore < /path/to/your/rules_file
You can ensure that the iptables-restore command runs automatically by creating a service and causing it to run. But again – it requires a lot of extra setup work, increases the chances of something going wrong, and creates more things for you to track and potentially forget.
An easier way is to install IPTables-specific packages that restore your IPTables rules. For Debian-based systems like Ubuntu, you can install the package like this:
sudo apt-get install iptables-persistent
And if you’re using CentOS, you can use:
sudo yum install iptables-services
These packages will load the IPTables rules automatically when the system restarts. However, they do not automatically save the rules when you make modifications to them. That’s something you still need to handle on your own.
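Since both packages restore but never save, here is an added example (not from the article or either package) of a save step you can run right after changing a rule. It writes to the file each package reads at boot: /etc/iptables/rules.v4 for iptables-persistent and /etc/sysconfig/iptables for iptables-services. The ROOT argument and the IPTABLES_SAVE variable are assumptions so the lookup and the dump can be redirected in tests.

```shell
#!/bin/sh
# Added example: persist the live IPTables rules to the boot-time restore file.
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"   # assumed override, defaults to real tool

# rules_file [ROOT]: print the path the restore package on this system reads.
# ROOT (default empty) prefixes the lookup so it can be pointed at a test tree.
rules_file() {
    root="${1:-}"
    if [ -d "$root/etc/iptables" ]; then
        echo "$root/etc/iptables/rules.v4"        # iptables-persistent (Debian/Ubuntu)
    elif [ -d "$root/etc/sysconfig" ]; then
        echo "$root/etc/sysconfig/iptables"       # iptables-services (CentOS)
    else
        return 1
    fi
}

# save_rules [ROOT]: dump the current rules to that file atomically (write a
# temp file beside it, then rename) so an interrupted write can never leave a
# truncated rule set for iptables-restore at the next boot. The file is made
# readable by root only, since it describes the whole firewall policy.
save_rules() {
    target="$(rules_file "${1:-}")" || { echo "no restore package found" >&2; return 1; }
    tmp="$target.tmp.$$"
    if "$IPTABLES_SAVE" > "$tmp"; then
        chmod 600 "$tmp" && mv "$tmp" "$target"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Typical use: change a rule and persist it in the same step, e.g.
# iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT && save_rules
```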
Conclusion
IPTables is a powerful tool to manage your firewall – but it’s perhaps a little too powerful, and pays for that power with complexity and an absurd system that requires you to save your IPTables rules manually and restore them after your server reboots. I suggest you stay away from IPTables and use a more sensible system like ConfigServer Firewall (CSF) that handles all the complexity for you.
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!