In a typical network, all traffic to the outside world has to pass one router/computer/cluster. On this router, you can prevent access to specific network ports. It is called the firewall.

Now every Linux kernel can play firewall by deciding which network traffic to forward and which not. Starting with Linux 2.4 the respective command is iptables.

Check if your firewall is running

To check if your firewall is running, use the command iptables --list. Here's an output that means your firewall is turned off:

iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If you look at it, you will find that for all incoming packets ("Chain INPUT" entry above), the policy is set to ACCEPT with no exceptions. The same is true for FORWARD and OUTPUT.

Stop your firewall

To stop your firewall issue

iptables --flush

Configure your firewall

Allow port 5901 only from localhost

root@cloud-server-01:~# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -d 127.0.0.1 -j ACCEPT
root@cloud-server-01:~# iptables -A INPUT -p tcp --dport 5901 -j DROP

Delete rules

To delete a rule, issue the same command as you did with -A with -D:

• create the rule:

root@cloud-server-01:~# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -d 127.0.0.1 -j ACCEPT

• delete the rule:

root@cloud-server-01:~# iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -d 127.0.0.1 -j ACCEPT

drop some chains

root@cloud-server-01:~# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

[...]     

Chain ufw-before-forward (0 references)
target     prot opt source               destination     

root@cloud-server-01:~# iptables --delete-chain ufw-before-forward

See also

• security