Setup basic firewall in OpenVZ hosted Ubuntu 10.04

The default firewall configuration tool for Ubuntu is ufw. Sadly it doesn’t work correctly inside an OpenVZ-based VPS (at least not for me).

Configuring an iptables firewall manually is not that difficult. Here are guidelines for setting up a basic rule set and making the firewall start automatically on boot on Ubuntu 10.04.

First, make sure that you have working console access to your server. You might lose your SSH connectivity if the firewall is misconfigured.

Then install the required packages:

apt-get install iptables
apt-get install iptables-persistent

Then set up the basic rules, allowing only incoming SSH and HTTP and logging everything else that gets dropped:

# Allow replies to connections this host opened and related traffic
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow everything on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
# Allow new incoming SSH and HTTP connections
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Log anything else (rate limited to 5 lines per minute), then drop it
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -A INPUT -j DROP
# This host does not route traffic; allow all outgoing traffic
iptables -A FORWARD -j REJECT
iptables -A OUTPUT -j ACCEPT

Read more about rules at: http://www.etoyoc.com/linux/iptables-lockdown.html

Then save the rules to the file iptables-persistent reads at boot:

iptables-save > /etc/iptables/rules

Finally, make the saved rules load at boot:

update-rc.d iptables-persistent defaults

If everything went well, you’ll have a firewall that starts up on boot. To add new rules, just edit the file /etc/iptables/rules and run “/etc/init.d/iptables-persistent start”.
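The steps above applied from one script, as an added example that is not part of the original post. It keeps the post's rule set but adds the safety net the first paragraph hints at: the rules are applied with a rollback timer that flushes them again unless you confirm from a still-working SSH session, and the rule list is checked so the SSH accept rule can never end up after the final DROP. The port numbers, the rules file path and the pid file path are assumptions and can be overridden through environment variables; the script expects iptables and iptables-persistent to be installed as described above.

```shell
#!/bin/sh
# Added example, not code from the original post. Applies the post's iptables
# rule set with a rollback timer so a typo cannot lock you out of the VPS.
# Assumed defaults (override via environment): SSH on 22, HTTP on 80,
# rules file /etc/iptables/rules, rollback after 120 seconds.
set -eu

SSH_PORT="${SSH_PORT:-22}"
HTTP_PORT="${HTTP_PORT:-80}"
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"
RULES_FILE="${RULES_FILE:-/etc/iptables/rules}"
ROLLBACK_PID_FILE="${ROLLBACK_PID_FILE:-/tmp/fw-rollback.pid}"
IPT="${IPT:-iptables}"   # set IPT=echo to dry-run without touching the firewall

# Print the rule set, one command per line, so it can be reviewed before use.
# Chains are flushed first so running the script twice does not duplicate rules.
firewall_rules() {
    cat <<EOF
$IPT -F INPUT
$IPT -F FORWARD
$IPT -F OUTPUT
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
$IPT -A INPUT -p tcp --dport $HTTP_PORT -j ACCEPT
$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
$IPT -A INPUT -j DROP
$IPT -A FORWARD -j REJECT
$IPT -A OUTPUT -j ACCEPT
EOF
}

# Read a rule list on stdin; succeed only if the SSH accept rule exists and
# comes before the catch-all DROP in the INPUT chain (rules match in order).
rules_keep_ssh() {
    awk -v port="$SSH_PORT" '
        $0 ~ ("-A INPUT -p tcp --dport " port " -j ACCEPT") { ssh = NR }
        $0 ~ "-A INPUT -j DROP"                              { drop = NR }
        END { exit !(ssh && drop && ssh < drop) }'
}

# Apply the rules, but start a background timer that flushes INPUT and FORWARD
# again after ROLLBACK_SECS. If the new rules cut your SSH session, the old
# open state returns by itself; if they work, run confirm_rules to keep them.
apply_with_rollback() {
    if ! firewall_rules | rules_keep_ssh; then
        echo "refusing to apply: SSH rule missing or placed after DROP" >&2
        return 1
    fi
    ( sleep "$ROLLBACK_SECS" && $IPT -F INPUT && $IPT -F FORWARD ) &
    echo $! > "$ROLLBACK_PID_FILE"
    firewall_rules | sh -e
    echo "rules applied; run '$0 confirm' within $ROLLBACK_SECS s or they are flushed" >&2
}

# Cancel the rollback timer and save the running rules for iptables-persistent.
confirm_rules() {
    if [ -f "$ROLLBACK_PID_FILE" ]; then
        kill "$(cat "$ROLLBACK_PID_FILE")" 2>/dev/null || true
        rm -f "$ROLLBACK_PID_FILE"
    fi
    iptables-save > "$RULES_FILE"
    echo "rules saved to $RULES_FILE" >&2
}

case "${1:-}" in
    show)    firewall_rules ;;
    apply)   apply_with_rollback ;;
    confirm) confirm_rules ;;
    *)       ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

Usage from a console or SSH session: `sh fw.sh show` to review the commands, `sh fw.sh apply` to load them, then `sh fw.sh confirm` from a fresh SSH login before the timer expires. Because the chain policies stay at ACCEPT, the rollback flush returns the container to its unfiltered state rather than locking everything out.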

You can always check the active rules with the command:

iptables -L

In case there is something wrong with the rules, you can disable the firewall by flushing all rules. Note that the chain policies above are left at ACCEPT, so after flushing all incoming traffic is allowed again:

iptables -F