How do I lock down my firewall so that only my services can communicate?

Linode Staff

I want to set up my firewall so that only my services can communicate. How do I do this?

2 Replies

Assumptions

This answer assumes we are using iptables and ip6tables to configure your firewall. There are many other options. You will want to work from the LISH console while altering your firewall; otherwise you may find yourself blocking your own terminal connection.

Reduce Attack Surface by removing unneeded services

The Linode Securing your Server Guide provides a good explanation of how to find and disable services you do not need.

Determine what Protocol Suites you will need

There are two basic protocol suites that you will need to pay attention to: IPv4 and IPv6. If you do not need IPv6, it may be wise to disable it completely. In general, most services assume you have IPv4 set up, so it is usually not a good idea to disable it.

To disable IPv6:

sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1

Note which services you are using

Once only the services you need are running, you can use the sudo ss -tulpn command to see which ports are in use.

Decide if you will allow your Linode to be pinged.

Using the ping command on your Linode can be useful to see if it is up and running, but it does represent another method by which it can be attacked.

Write and Deploy your rules

We will need to create firewall rules separately for IPv4 and IPv6 and you will use the commands iptables and ip6tables respectively to do so.

The Control Network Traffic with iptables Guide will explain the mechanics of how to set up the rules you want. We will focus on writing our rules for IPv4 here:

This section of the above guide is good as a basic template for the type of firewall you will want. Customize the rules to match the services you are running on your server, as you noted previously.

https://www.linode.com/docs/security/firewalls/control-network-traffic-with-iptables/#basic-iptables-rulesets-for-ipv4-and-ipv6

Make sure your Firewall rules come back up when you reboot

Follow the next section of the guide to do this:

https://www.linode.com/docs/security/firewalls/control-network-traffic-with-iptables/#introduction-to-iptables-persistent
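A worked version of the steps above, added here as an example and not part of the staff answer: it turns (constructed) ss -tulpn output into "proto:port" entries and prints a default-deny IPv4 ruleset that admits only those ports, with ping optional. It assumes iptables with the conntrack match, as used in the linked guide, and that the rules are applied from LISH.

```shell
#!/bin/sh
# Added example: build a default-deny IPv4 ruleset from the `ss -tulpn` inventory.
# Constructed sample of `sudo ss -tulpn` output; not captured from a real host.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22           0.0.0.0:*         users:(("sshd",pid=812,fd=3))
udp   UNCONN 0      0      127.0.0.53%lo:53     0.0.0.0:*         users:(("systemd-resolve",pid=500,fd=12))
tcp   LISTEN 0      511    *:80                 *:*               users:(("nginx",pid=900,fd=6))
udp   UNCONN 0      0      0.0.0.0:123          0.0.0.0:*         users:(("chronyd",pid=650,fd=5))
tcp   LISTEN 0      128    [::]:22              [::]:*            users:(("sshd",pid=812,fd=4))'

# listening_specs: read ss -tulpn output on stdin and print unique "proto:port"
# entries for sockets reachable from outside (loopback-only listeners are skipped).
listening_specs() {
  awk 'NR > 1 && ($1 == "tcp" || $1 == "udp") {
         if ($5 ~ /^127\./ || $5 ~ /^\[::1\]/ || $5 ~ /%lo:/) next
         n = split($5, a, ":"); print $1 ":" a[n] }' | sort -u
}

# build_rules PING(yes|no) SPEC...: print the iptables commands without running
# them, so the ruleset can be reviewed first. ACCEPT rules are added before the
# INPUT policy flips to DROP, so the session you are working from is not cut
# off half-way through.
build_rules() {
  ping="$1"; shift
  echo "iptables -F INPUT"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
  [ "$ping" = yes ] && echo "iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
  for spec in "$@"; do
    proto=${spec%%:*}; port=${spec#*:}
    case "$proto" in
      tcp|udp) echo "iptables -A INPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT" ;;
      *) echo "build_rules: bad spec '$spec' (want tcp:PORT or udp:PORT)" >&2; return 1 ;;
    esac
  done
  # Log what gets dropped (rate-limited) so a forgotten service shows up in syslog.
  echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"iptables-denied: \""
  echo "iptables -P FORWARD DROP"
  echo "iptables -P INPUT DROP"
}

# Review, then apply from LISH, e.g.:
#   build_rules yes $(sudo ss -tulpn | listening_specs)            # review only
#   build_rules yes $(sudo ss -tulpn | listening_specs) | sudo sh  # apply
```

Run the same steps with ip6tables for the IPv6 side, then persist the result as described in the linked iptables-persistent section.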
