Caution: this guide is only for people who are already comfortable administering a dedicated Linux server. Handling a firewall can be very dangerous: you can lock yourself out of your own server, which will force you to restart it in HARD mode. If you make a mistake in the final script and set it to run at startup, you will no longer have any access to your server at all. Be very careful, and if you do not feel comfortable with this guide, do not set up your firewall.

What is a firewall?

It is a piece of software that blocks some ports on your server and leaves others open. Think of your house: you have a front door and a back door. You never use the back door, so you would do well to board it up. Why? Because it is a potential way in for a thief. A firewall works the same way: we close every port we do not need.

Which ports do you use in general?

Warning: think carefully about what you are about to do, because you risk closing the wrong port. If you close the SSH port, you will have to get back in via telnet, via webmin, or by rebooting. The ports open by default on an OVH server are:

    21    - ftp     (the FTP server, if you use it)
    22    - ssh     (the encrypted shell access, if you use it)
    23    - telnet  (the unencrypted shell access, for troubleshooting)
    25    - smtp    (the SMTP server, if you use it)
    53    - dns     (the DNS server, if you use it)
    80    - http    (the web server, if you use it)
    110   - pop3    (mail access, if you use it)
    143   - imap    (mail access, if you do not use POP3)
    443   - https   (the encrypted web access, if you use it)
    10000 - webmin  (the server configuration panel, if you use it)

These ports are open by default, but software running on your server may open others. It is up to you to decide which ones you need to keep. Once you have made your choice, you are ready to start.

Iptables is a powerful firewall installed on all OVH servers. The approach is as follows: we open a few ports and close all the rest. In this example, only port 22 (SSH) and port 80 (HTTP) will remain open. This is only an example; adapt it to your own needs. Connect over SSH as root.
First, check the iptables version:

    $ /sbin/iptables -V
    iptables v1.2.4

This version is too old. We will install version 1.2.9:

    $ cd /root
    $ wget
    $ tar xvfj iptables-1.2.9.tar.bz2
    $ cd iptables-1.2.9
    $ make KERNEL_DIR=/usr/src/linux
    $ make install KERNEL_DIR=/usr/src/linux
    $ cd /sbin
    $ mv iptables iptables.old
    $ mv iptables-restore iptables-restore.old
    $ mv iptables-save iptables-save.old
    $ ln -s /usr/local/sbin/iptables iptables
    $ ln -s /usr/local/sbin/iptables-restore iptables-restore
    $ ln -s /usr/local/sbin/iptables-save iptables-save
    $ /sbin/iptables -V
    iptables v1.2.9

Done, iptables is up to date and we can continue. We list the current rules:

    $ /sbin/iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

We can see three chains: INPUT, FORWARD and OUTPUT. We will start with the INPUT chain (incoming traffic). We allow ports 22 and 80:

    $ /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
    $ /sbin/iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

-A INPUT appends the rule to the INPUT chain; -i eth0 matches packets arriving on interface eth0; -p tcp --dport 22 matches TCP packets for destination port 22; -j ACCEPT is the target, i.e. what happens to a matching packet. We list all the rules:

    $ /sbin/iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

The INPUT chain is slowly filling up; that is a good sign ;). Note that the default policy is still to accept everything: "Chain INPUT (policy ACCEPT)". We want to block all the traffic we did not explicitly allow, so we will add a rule that blocks the other ports. But there is a problem: when our server opens a connection to, say, kernel.org to download a new kernel, it sends a request and waits for the response. The request reaches kernel.org fine, but how does the answer get back to our server if we block everything? Fortunately, iptables can sort packets according to their connection state, so we add a rule that lets in the packets belonging to connections we initiated ourselves:

    $ /sbin/iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
Now we can block the rest. (Warning: this is the point where the firewall becomes fully active; check that your rules are correct, otherwise you will lock yourself out of your server!)

    $ /sbin/iptables -A INPUT -i eth0 -j DROP

For this last rule we have two choices. The first is to drop packets (DROP): if a packet arrives and no rule accepts it, we silently discard it, and the client waits for a response until it times out. The second is to reject packets (REJECT instead of DROP): when an unsolicited packet arrives, we send an error back, so the client gets a negative answer at once and does not wait. Rejecting is cleaner, but dropping is more robust: if someone sends your server a stream of packets to a closed port, with DROP your server does not process them, whereas with REJECT it spends time answering each one. It is up to you ;)

To reset your firewall, type:

    $ /sbin/iptables -F INPUT
This command deletes all the rules in the INPUT chain. To insert a rule between the first and the second one, type:

    $ /sbin/iptables -I INPUT 2 ... the rest of your rule

To delete rule number 3, type:

    $ /sbin/iptables -D INPUT 3

To block an IP address completely (replace xx.xx.xx.xx with the address; the rule is inserted in first position so that it is evaluated before the ACCEPT rules):

    $ /sbin/iptables -I INPUT 1 -s xx.xx.xx.xx -j DROP
Now the firewall is active. Scan your server: you should see only ports 22 and 80 open. If the scan is very slow, that is the effect of the DROP rule.

For your dedicated server: if you want to block the ICMP protocol (ping requests), you must still let at least ping.ovh.net, proxy.p19.ovh.net, proxy.rbx.ovh.net and proxy.ovh.net ping your server. That is how the OVH team checks the status of your server. You must also allow the following addresses, derived from your server's own IP: if your server's IP address is aaa.bbb.ccc.ddd, you must allow aaa.bbb.ccc.250. Example: 213.186.57.153 must allow 213.186.57.250 (the SLA server) and 213.186.57.251 (the MRTG server) in order to benefit from RTM. If you own an HG server, also allow aaa.bbb.ccc.249 (temporary rule). If you block all ping requests, including OVH's, we will not be able to check the state of your server and we will not be informed if a problem occurs. To allow ping from our servers, add the following rules:

    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.p19.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.rbx.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.rbx2.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source ping.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source IP.250 -j ACCEPT   # IP = aaa.bbb.ccc, as explained above
    /sbin/iptables -A INPUT -i eth0 -p icmp --source IP.249 -j ACCEPT   # temporary, HG servers only
    /sbin/iptables -A INPUT -i eth0 -p icmp --source IP.251 -j ACCEPT   # IP of the monitoring system

As for SSH, if you want to restrict access to your own IP only, we advise you to keep allowing cache.ovh.net. That way, if there is a problem with your server, we can log in and fix it. If you close port 22 to OVH technicians, we cannot help you if your server is locked up. To allow SSH from our server, add the following rule:

    /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 --source cache.ovh.net -j ACCEPT
If you have a RAID filer, do not forget to allow the NFS connections. We can allow everything coming from the internal network 192.168.0.0/16:

    /sbin/iptables -A INPUT -i eth0 -p tcp --source 192.168.0.0/16 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p udp --source 192.168.0.0/16 -j ACCEPT

If you have a cluster configuration, you must allow port 79 so that OCO can communicate with the load balancer:

    /sbin/iptables -A INPUT -i eth0 -p tcp --dport 79 -j ACCEPT
For your RPS server: the interface monitored by our services is eth0, with the firewall rules applied to it. If you block all ping requests, including OVH's, we will not be able to monitor that your server is working correctly, and if it goes down we will not be warned. To allow ping from our servers, enter the following rules:

    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.p19.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.rbx.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.rbx2.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source ping.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 --source cache.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source IP.251 -j ACCEPT   # IP of the RTM monitoring system
    /sbin/iptables -A INPUT -i eth0 -p icmp --source IP.251 -j ACCEPT   # IP of the SLA monitoring system

You must also allow your filer. To find its address, use this command:

    r12xxx ~ # netstat -tanpu | grep iscsi
    tcp        0      0 91.121.xx.xx:38632      91.121.191.16:3260      ESTABLISHED 3097/iscsid

Here the IP of your filer is 91.121.191.16:

    /sbin/iptables -A INPUT -i eth0 -p tcp --source 91.121.191.16 -j ACCEPT
Here is an example of a complete script to protect your server with iptables. It is permissive, since every service present on your server stays reachable, but you can use it as a base for your own configuration:

    /sbin/iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p tcp --dport 10000 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p tcp --dport 21 --source xx.xx.xx.xx -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 --source cache.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 --source xx.xx.xx.xx -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.p19.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.rbx.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source ping.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p tcp --source 192.168.0.0/16 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p udp --source 192.168.0.0/16 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p tcp --dport 79 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -j REJECT

In these rules, replace xx.xx.xx.xx with the IP address from which you connect to your server over FTP and SSH.

Once your server is correctly configured, you have to create a script that runs at each boot of your server. Here is an example, to put in a file named for instance "firewall" in the directory /etc/init.d/:

    #!/bin/sh
    # chkconfig: 3 21 91
    # description: Firewall

    IPT=/sbin/iptables

    case "$1" in
      start)
        $IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
        $IPT -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --dport 10000 -j ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --dport 21 --source xx.xx.xx.xx -j ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --dport 22 --source cache.ovh.net -j ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --dport 22 --source xx.xx.xx.xx -j ACCEPT
        $IPT -A INPUT -i eth0 -p icmp --source proxy.ovh.net -j ACCEPT
        $IPT -A INPUT -i eth0 -p icmp --source proxy.p19.ovh.net -j ACCEPT
        $IPT -A INPUT -i eth0 -p icmp --source proxy.rbx.ovh.net -j ACCEPT
        $IPT -A INPUT -i eth0 -p icmp --source ping.ovh.net -j ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --source 192.168.0.0/16 -j ACCEPT
        $IPT -A INPUT -i eth0 -p udp --source 192.168.0.0/16 -j ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --dport 79 -j ACCEPT
        $IPT -A INPUT -i eth0 -j REJECT
        exit 0
        ;;
      stop)
        $IPT -F INPUT
        exit 0
        ;;
      *)
        echo "Usage: /etc/init.d/firewall {start|stop}"
        exit 1
        ;;
    esac

Give it mode 700 and type "/etc/init.d/firewall start" to start it and "/etc/init.d/firewall stop" to stop it. To launch it automatically at startup:

    $ /sbin/chkconfig --level 3 firewall on
    $ /sbin/chkconfig --level 06 firewall off

Before launching the script at each startup, check that it is correct, otherwise your server will be completely locked up!
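Both procedures above (appending ACCEPT rules ahead of a final DROP, then wrapping them in a boot script) share one real risk: a rule in the wrong order, or a missing SSH rule, locks you out. The following script is an added example and not OVH's own firewall script: it builds the same INPUT ruleset, checks the order before loading anything, and arms a timer that flushes the rules again unless you confirm from a still-working SSH session. It assumes eth0 as the public interface, runs as root, and uses ADMIN_IP as a placeholder for your own address; IPT can be pointed at a stand-in command for a dry run.

```shell
#!/bin/sh
# Added example, not OVH's script: build the INPUT ruleset from this guide,
# lint its order, and load it with a timed rollback so a bad rule cannot lock
# you out of SSH.  Assumes eth0, root, and ADMIN_IP as a placeholder address.
IPT="${IPT:-/sbin/iptables}"                  # point at a stand-in for a dry run
IFACE="${IFACE:-eth0}"
ADMIN_IP="${ADMIN_IP:-192.0.2.10}"            # placeholder: replace with yours
CONFIRM="${CONFIRM:-/tmp/firewall.confirmed}"
# Rules in first-match order: explicit ACCEPTs, then the stateful rule that
# lets replies to our own outgoing connections in, then the catch-all DROP.
ruleset() {
  cat <<EOF
-A INPUT -i $IFACE -p tcp --dport 22 -s $ADMIN_IP -j ACCEPT
-A INPUT -i $IFACE -p tcp --dport 80 -j ACCEPT
-A INPUT -i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $IFACE -j DROP
EOF
}
# Refuse a ruleset that would lock us out: the SSH ACCEPT and the
# ESTABLISHED,RELATED ACCEPT must both precede the catch-all DROP/REJECT,
# and the catch-all must be the last rule (anything after it is unreachable).
lint_ruleset() {
  ssh=0; state=0; drop=0; n=0
  while read -r line; do
    n=$((n + 1))
    case "$line" in
      "-A INPUT -i $IFACE -j DROP"|"-A INPUT -i $IFACE -j REJECT")
        [ "$drop" -eq 0 ] && drop=$n ;;
      *"--dport 22 "*ACCEPT)       [ "$drop" -eq 0 ] && ssh=1 ;;
      *ESTABLISHED,RELATED*ACCEPT) [ "$drop" -eq 0 ] && state=1 ;;
    esac
  done
  [ "$ssh" -eq 1 ] && [ "$state" -eq 1 ] && [ "$drop" -eq "$n" ]
}
# Flush INPUT and load the rules, one iptables call per line; nothing is
# loaded if the lint fails.
load_rules() {
  ruleset | lint_ruleset || { echo "ruleset failed lint, not loaded" >&2; return 1; }
  $IPT -F INPUT
  ruleset | while read -r line; do
    $IPT $line    # unquoted on purpose: the line is split into arguments
  done
}
# Load the rules, then flush them again after $1 seconds unless the CONFIRM
# file has been created from a working session ("touch $CONFIRM").
apply_with_rollback() {
  rm -f "$CONFIRM"
  load_rules || return 1
  ( sleep "$1"; [ -f "$CONFIRM" ] || $IPT -F INPUT ) &
  echo "rules loaded; touch $CONFIRM within $1 s to keep them"
}
```

Source the file as root and call apply_with_rollback 60, then open a new SSH session and touch the confirm file; if the new session cannot be opened, the INPUT chain is flushed by itself after 60 seconds and you are back where you started.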