Here’s a quick recipe to lock down a fresh Ubuntu 8.04 install. These rules drop all incoming traffic except SSH (and replies to connections the server itself opened), giving you a solid baseline to build on. Enter them in the order shown: iptables evaluates rules top to bottom, so the SSH rule must be in place before the final DROP, or you lose your session.
sudo apt-get install iptables
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
sudo iptables -A INPUT -j DROP
sudo sh -c "iptables-save -c > /etc/iptables.rules"
To persist your rules across reboots (loading them on startup and saving them on shutdown), add pre-up and post-down hooks under the interface’s iface stanza in /etc/network/interfaces:
pre-up iptables-restore < /etc/iptables.rules
post-down iptables-save -c > /etc/iptables.rules
From here, punch additional holes as you need them, inserting each new rule ahead of the final DROP (with -I, as in the example below) rather than appending it with -A, since a rule placed after the DROP is never reached. That’s it – simple, effective, and a sensible first step for any new server.
If you’re hosted at Xeriom Networks and want to use their monitoring service, allow ICMP Type 8 (ping) from monitor.xeriom.net:
sudo iptables -I INPUT 4 -s 193.219.108.245 -p icmp -m icmp --icmp-type 8 -j ACCEPT
Don’t forget to save the updated rules:
sudo sh -c "iptables-save -c > /etc/iptables.rules"
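The baseline above and the ping exception are easy to get wrong by hand (a rule appended after the DROP, or a DROP with no SSH rule before it). The script below is an added example, not part of the original post: it generates the same ruleset in iptables-restore format from an allowlist and then checks the file before you load it. The function names gen_rules and check_rules and the host:icmp argument form are my own conventions; the rules they emit match the ones in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Generates an iptables-restore
# ruleset equivalent to the baseline above and sanity-checks it before use.
# gen_rules, check_rules and the "host:icmp" argument form are assumed names.

# gen_rules ENTRY... : print a filter-table ruleset in iptables-restore format.
# Rule order matches the post: loopback, ESTABLISHED/RELATED, one ACCEPT per
# allowed TCP port, then the unconditional DROP. An entry of the form
# "host:icmp" allows ICMP echo requests (type 8) from that single source,
# placed before the DROP, which is what "-I INPUT 4" achieves in the post.
gen_rules() {
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for entry in "$@"; do
        case "$entry" in
            *:icmp)
                host=${entry%:icmp}
                printf '%s\n' "-A INPUT -s $host -p icmp -m icmp --icmp-type 8 -j ACCEPT"
                ;;
            *)
                printf '%s\n' "-A INPUT -p tcp --dport $entry -j ACCEPT"
                ;;
        esac
    done
    printf '%s\n' '-A INPUT -j DROP' 'COMMIT'
}

# check_rules FILE : return 0 when the INPUT chain ends with the unconditional
# DROP and an SSH ACCEPT (port 22 or the "ssh" service name) precedes it;
# return 1 otherwise. Run this before iptables-restore so a bad file cannot
# lock you out of the box.
check_rules() {
    file=$1
    # The last INPUT rule must be the catch-all DROP; anything after it is dead.
    last=$(grep '^-A INPUT' "$file" | tail -n 1)
    [ "$last" = "-A INPUT -j DROP" ] || return 1
    # SSH must be explicitly accepted somewhere above that DROP.
    grep -E '^-A INPUT -p tcp --dport (22|ssh) -j ACCEPT' "$file" >/dev/null || return 1
    return 0
}

# Stand-alone demo: sh rules.sh --demo
# Writes the post's ruleset (SSH plus ping from the monitoring host) to a
# temporary file and reports whether it passes the check.
if [ "${1:-}" = "--demo" ]; then
    out=$(mktemp)
    gen_rules ssh 193.219.108.245:icmp > "$out"
    if check_rules "$out"; then
        echo "ruleset OK, review then load with: iptables-restore < $out"
    else
        echo "ruleset REJECTED: $out"
    fi
fi
```

Load the generated file with `sudo sh -c "iptables-restore < /etc/iptables.rules"` only after check_rules accepts it; the check is deliberately strict about the DROP being last, because that is the single ordering mistake that silently opens the host.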