Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the acf domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-includes/functions.php on line 6131

Deprecated: Creation of dynamic property ACF::$fields is deprecated in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-content/plugins/advanced-custom-fields-pro/includes/fields.php on line 138

Deprecated: Creation of dynamic property acf_loop::$loops is deprecated in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-content/plugins/advanced-custom-fields-pro/includes/loop.php on line 28

Deprecated: Creation of dynamic property ACF::$loop is deprecated in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-content/plugins/advanced-custom-fields-pro/includes/loop.php on line 269

Deprecated: Creation of dynamic property ACF::$revisions is deprecated in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-content/plugins/advanced-custom-fields-pro/includes/revisions.php on line 397

Deprecated: Creation of dynamic property acf_validation::$errors is deprecated in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-content/plugins/advanced-custom-fields-pro/includes/validation.php on line 28

Deprecated: Creation of dynamic property ACF::$validation is deprecated in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-content/plugins/advanced-custom-fields-pro/includes/validation.php on line 214

Deprecated: Creation of dynamic property acf_form_customizer::$preview_values is deprecated in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-content/plugins/advanced-custom-fields-pro/includes/forms/form-customizer.php on line 28

Deprecated: Creation of dynamic property acf_form_customizer::$preview_fields is deprecated in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-content/plugins/advanced-custom-fields-pro/includes/forms/form-customizer.php on line 29

Deprecated: Creation of dynamic property acf_form_customizer::$preview_errors is deprecated in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-content/plugins/advanced-custom-fields-pro/includes/forms/form-customizer.php on line 30

Deprecated: Creation of dynamic property ACF::$form_front is deprecated in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-content/plugins/advanced-custom-fields-pro/includes/forms/form-front.php on line 598

Deprecated: Creation of dynamic property acf_form_widget::$preview_values is deprecated in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-content/plugins/advanced-custom-fields-pro/includes/forms/form-widget.php on line 34

Deprecated: Creation of dynamic property acf_form_widget::$preview_reference is deprecated in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-content/plugins/advanced-custom-fields-pro/includes/forms/form-widget.php on line 35

Deprecated: Creation of dynamic property acf_form_widget::$preview_errors is deprecated in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-content/plugins/advanced-custom-fields-pro/includes/forms/form-widget.php on line 36

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the all-in-one-wp-migration domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-includes/functions.php on line 6131

Warning: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-includes/functions.php:6131) in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-content/plugins/wp_plugin/wp_plugin.php on line 23

Deprecated: str_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-content/plugins/wp-super-cache/wp-cache-phase2.php on line 54

Warning: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-includes/functions.php:6131) in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-content/plugins/wp-super-cache/wp-cache-phase2.php on line 1539

Deprecated: strtolower(): Passing null to parameter #1 ($string) of type string is deprecated in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-content/plugins/wp-super-cache/wp-cache-phase2.php on line 828

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the rocket domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-includes/functions.php on line 6131

Deprecated: Creation of dynamic property acf_field_oembed::$width is deprecated in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-content/plugins/advanced-custom-fields-pro/includes/fields/class-acf-field-oembed.php on line 31

Deprecated: Creation of dynamic property acf_field_oembed::$height is deprecated in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-content/plugins/advanced-custom-fields-pro/includes/fields/class-acf-field-oembed.php on line 32

Deprecated: Creation of dynamic property acf_field_google_map::$default_values is deprecated in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-content/plugins/advanced-custom-fields-pro/includes/fields/class-acf-field-google-map.php on line 33

Deprecated: Creation of dynamic property acf_field__group::$have_rows is deprecated in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-content/plugins/advanced-custom-fields-pro/includes/fields/class-acf-field-group.php on line 31

Deprecated: Creation of dynamic property acf_field_clone::$cloning is deprecated in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-content/plugins/advanced-custom-fields-pro/pro/fields/class-acf-field-clone.php on line 34

Deprecated: Creation of dynamic property acf_field_clone::$have_rows is deprecated in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-content/plugins/advanced-custom-fields-pro/pro/fields/class-acf-field-clone.php on line 35

Deprecated: Creation of dynamic property jh_acf_field_table::$settings is deprecated in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-content/plugins/advanced-custom-fields-table-field/class-jh-acf-field-table.php on line 23

Warning: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-includes/functions.php:6131) in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-includes/rest-api/class-wp-rest-server.php on line 1902

Warning: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-includes/functions.php:6131) in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-includes/rest-api/class-wp-rest-server.php on line 1902

Warning: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-includes/functions.php:6131) in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-includes/rest-api/class-wp-rest-server.php on line 1902

Warning: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-includes/functions.php:6131) in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-includes/rest-api/class-wp-rest-server.php on line 1902

Warning: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-includes/functions.php:6131) in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-includes/rest-api/class-wp-rest-server.php on line 1902

Warning: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-includes/functions.php:6131) in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-includes/rest-api/class-wp-rest-server.php on line 1902

Warning: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-includes/functions.php:6131) in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-includes/rest-api/class-wp-rest-server.php on line 1902

Warning: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-includes/functions.php:6131) in /var/www/vhosts/studiogo.tech/httpdocs/upcloudold/wp-includes/rest-api/class-wp-rest-server.php on line 1902
{"id":24631,"date":"2015-11-05T13:36:48","date_gmt":"2015-11-05T11:36:48","guid":{"rendered":"https:\/\/upcloud.com\/community\/tutorials\/configure-iptables-centos"},"modified":"2015-11-05T13:36:48","modified_gmt":"2015-11-05T11:36:48","slug":"configure-iptables-centos","status":"publish","type":"tutorial","link":"https:\/\/studiogo.tech\/upcloudold\/tutorial\/configure-iptables-centos\/","title":{"rendered":"How to configure iptables on CentOS"},"content":{"rendered":"\n

The user-space application program iptables allows configuring the tables provided by the Linux kernel firewall, as well as the chains and rules it stores. The kernel module currently used for iptables only applies to IPv4 traffic, to configure firewall rules for IPv6 connections instead use ip6tables, which respond to the same command structures as iptables. If you are using CentOS 7, you should look into configuring firewalld, which combines the functionality of iptables and ip6tables, though it\u2019s possible to still use iptables just the same.<\/p>\n\n\n\n

\n
Try UpCloud for free!<\/a><\/div>\n<\/div>\n\n\n\n

Listing current rules<\/h2>\n\n\n\n

On CentOS and other Red Hat variants, iptables often comes with some pre-configured rules, check the current iptable rules using the following command.<\/p>\n\n\n\n

sudo iptables -L<\/pre>\n\n\n\n
This will print out a list of three chains, input<\/em>, forward<\/em> and output<\/em>, like the empty rules table example output below.<\/p>\n\n\n\n
Chain INPUT (policy ACCEPT)\ntarget prot opt source destination\nACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED\nACCEPT icmp -- anywhere anywhere\nACCEPT all -- anywhere anywhere\nACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh\nREJECT all -- anywhere anywhere reject-with icmp-host-prohibited\n\nChain FORWARD (policy ACCEPT)\ntarget prot opt source destination\nREJECT all -- anywhere anywhere reject-with icmp-host-prohibited\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt source destination<\/pre>\n\n\n\n
The chain names indicate which traffic the rules in each list will be applied to, input<\/em> is for any connections coming to your cloud server, output<\/em> is any leaving traffic and forward<\/em> for any pass through. Each chain also has its policy<\/em> setting which determines how the traffic is handled if it doesn\u2019t match any specific rules, by default it\u2019s set to accept<\/em>.<\/p>\n\n\n\n
Adding rules<\/h2>\n\n\n\n
Firewalls can commonly be configured in one of two ways, either set the default rule to accept and then block any unwanted traffic with specific rules, or by using the rules to define allowed traffic and blocking everything else. The latter is often the recommended approach, as it allows pre-emptively blocking traffic, rather than having to reactively reject connections that should not be attempting to access your cloud server.<\/p>\n\n\n\n
To begin using iptables, you should first add the rules for allowed inbound traffic for the services you require. Iptables can track the state of the connection, so use the command below to allow established connections continue.<\/p>\n\n\n\n
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT<\/pre>\n\n\n\n
You can check that the rule was added using the same sudo iptables -L<\/em> as before.<\/p>\n\n\n\n
Next, allow traffic to a specific port to enable SSH connections with the following.<\/p>\n\n\n\n
sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT<\/pre>\n\n\n\n
The ssh<\/em> in the command translates to the port number 22, which the protocol uses by default. The same command structure can be used to allow traffic to other ports as well. To enable access to an HTTP web server, use the following command.<\/p>\n\n\n\n
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT<\/pre>\n\n\n\n
After adding all the allowed rules you require, change the input policy to drop.<\/p>\n\n\n\n
Warning:<\/span> Changing the default rule to drop will permit only specifically accepted connection. Make sure you\u2019ve enabled at least SSH as shown above before changing the default rule.<\/p>\n\n\n\n
sudo iptables -P INPUT DROP<\/span><\/pre>\n\n\n\n
The same policy rules can be defined for other chains as well by entering the chain name and selecting either DROP or ACCEPT.<\/p>\n\n\n\n
Saving and restoring rules<\/h2>\n\n\n\n
Now if you were to restart your cloud server all of these iptables configurations would be wiped. To prevent this, save the rules to a file.<\/p>\n\n\n\n
sudo iptables-save > \/etc\/sysconfig\/iptables<\/pre>\n\n\n\n
You can then simply restore the saved rules by reading the file you saved.<\/p>\n\n\n\n
# Overwrite the current rules\nsudo iptables-restore < \/etc\/sysconfig\/iptables\n# Add the new rules keeping the current ones\nsudo iptables-restore -n < \/etc\/sysconfig\/iptables<\/pre>\n\n\n\n
To automate the restore at reboot CentOS offers a system service by the same name, iptables. However, it does not come in the default configuration and needs to be installed manually.<\/p>\n\n\n\n
sudo yum install iptables-services<\/pre>\n\n\n\n
Once installed, start and enable the service.<\/p>\n\n\n\n
sudo systemctl start iptables\nsudo systemctl enable iptables<\/pre>\n\n\n\n
Afterwards, you can simply save the current rules using the following command.<\/p>\n\n\n\n
sudo service iptables save<\/pre>\n\n\n\n
These are just a few simple commands you can use with iptables, which is capable of much more. Read on to check on some of the other options available for more advanced control over iptable rules.<\/p>\n\n\n\n
Advanced rule setup<\/h2>\n\n\n\n
As per basic firewall behaviour, the rules are read in the order they are listed on each chain, which means you\u2019ll need to put the rules in the correct order. Appending new rules adds them to the end of the list. You can add new rules to a specific position of the list by inserting them using iptables -I <index><\/em> -command, where the <index><\/em> is the order number you wish to insert the rule. To know which index number to enter, use the following command.<\/p>\n\n\n\n
sudo iptables -L --line-numbers<\/pre>\n\n\n\n
Chain INPUT (policy DROP)\n num target prot opt source   destination\n 1   ACCEPT all  --  anywhere anywhere ctstate RELATED,ESTABLISHED\n 2   ACCEPT tcp  --  anywhere anywhere tcp dpt:ssh\n 3   ACCEPT tcp  --  anywhere anywhere tcp dpt:http<\/pre>\n\n\n\n
The number at the beginning of each rule line indicates the position in the chain. To insert a new rule above a specific existing rule, simply use the index number of that existing rule. For example to insert a new rule to the top of the chain, use the following command with index number 1.<\/p>\n\n\n\n
sudo iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT<\/pre>\n\n\n\n
If you wish to remove an existing rule from a certain chain, use the delete command with the parameter -D<\/em>. The easiest way to select the rule for deletion is to use the index numbers explained above. For example to delete the second rule on the input chain, use this command<\/p>\n\n\n\n
sudo iptables -D INPUT 2<\/pre>\n\n\n\n
It\u2019s also possible to flush all rules of a specific chain or even the whole iptables using the -F<\/em> -parameter. This is useful if you suspect iptables is interfering with your attempted network traffic, or you simply wish to start configuring again from a clean table. Remember to save the rules to a file before flushing the table.<\/p>\n\n\n\n
Warning:<\/span> Make sure you set the default rule to ACCEPT before flushing any chain.<\/p>\n\n\n\n
sudo iptables -P INPUT ACCEPT<\/span><\/pre>\n\n\n\n
Afterwards, you can go ahead with clearing other rules. Remember to save the rules to a file before flushing the table in case you want to restore the configuration later.<\/p>\n\n\n\n
# Clear input chain\nsudo iptables -F INPUT\n# Flush the whole iptables\nsudo iptables -F<\/pre>\n\n\n\n
With the iptable flushed, your server could be vulnerable to attacks. Make sure to secure your system with an alternative method while disabling iptables even temporarily.<\/p>\n","protected":false},"featured_media":27372,"comment_status":"open","ping_status":"closed","template":"","community-category":[121,111],"class_list":["post-24631","tutorial","type-tutorial","status-publish","has-post-thumbnail","hentry","community-category-security","community-category-networking"],"acf":[],"_links":{"self":[{"href":"https:\/\/studiogo.tech\/upcloudold\/wp-json\/wp\/v2\/tutorial\/24631","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/studiogo.tech\/upcloudold\/wp-json\/wp\/v2\/tutorial"}],"about":[{"href":"https:\/\/studiogo.tech\/upcloudold\/wp-json\/wp\/v2\/types\/tutorial"}],"replies":[{"embeddable":true,"href":"https:\/\/studiogo.tech\/upcloudold\/wp-json\/wp\/v2\/comments?post=24631"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/studiogo.tech\/upcloudold\/wp-json\/wp\/v2\/media\/27372"}],"wp:attachment":[{"href":"https:\/\/studiogo.tech\/upcloudold\/wp-json\/wp\/v2\/media?parent=24631"}],"wp:term":[{"taxonomy":"community-category","embeddable":true,"href":"https:\/\/studiogo.tech\/upcloudold\/wp-json\/wp\/v2\/community-category?post=24631"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}