Safety first. We all know the saying, and it applies to almost every situation in life, including running a server. The trouble is that most servers are not secure in their default configuration. Why? Because on a stock server all ports are often open. That is rarely what you want, because nowadays a server usually does exactly one job. MySQL database? Its own server. Redis cache? Its own server. Apache web server? The name says it: its own server. In practice this means that normally only one port needs to be reachable from the outside, and in many cases "the outside" is itself a small set of hosts.

Firewalls exist for exactly these cases. On Linux the tool for the job is iptables, with which ports, protocols, network interfaces and IP addresses can be opened or blocked. Below is a list of the most important commands. Every block command has a matching allow command; we will only deal with the allow commands here. Think positively.

Let's start with the classic: opening a specific port on a server. Port 80, for example, is HTTP and 443 is HTTPS. To open such a port, we use the following command.
Allow incoming TCP traffic on a specific port.
$ sudo iptables -A INPUT -p tcp --dport ${port_number} -j ACCEPT
Sometimes, however, you don't just want to block or open a port. Often you want to restrict access to one particular IP address, so that, for example, the database can only be reached from a trusted web server. The following command does that:
Allow incoming traffic from a specific IP address (or network in CIDR notation).
$ sudo iptables -A INPUT -s ${ip_address} -j ACCEPT
Instead of limiting access by IP address, there is an even simpler method when the servers in question are in the same subnet: often they are connected through a dedicated (private) network interface, and we can allow or block that interface directly. Note that such a rule trusts every host that can reach the server through that interface.
Allow incoming traffic from a specific network interface.
$ sudo iptables -A INPUT -i ${interface_name} -j ACCEPT
These are the three most important commands. If you want your server to be particularly secure, you can also set the default policy so that all incoming traffic is dropped, and then allow only what you need.
Block all incoming traffic by default (packets that match no ACCEPT rule are dropped).
$ sudo iptables -P INPUT DROP
It is important that you do not lock yourself out. The SSH port must always remain open, otherwise you lose remote access, and you may even have to reinstall the server if the hosting provider offers no console access. So add the SSH allow rule before switching the default policy to DROP. To allow SSH, the protocol command can be used. Keep in mind that -p matches an IP protocol (tcp, udp, icmp), so "-p tcp" admits all TCP traffic; SSH itself is TCP on port 22, so the port command above with port 22 is the narrower rule.
Allow incoming traffic for a specific IP protocol (e.g. tcp, udp, icmp).
$ sudo iptables -A INPUT -p ${protocol_name} -j ACCEPT
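The five commands above combined into one ordered rule set, as an added example that is not part of the original article: the script only prints the iptables commands so they can be reviewed before being piped into a root shell, validates the port numbers, and emits the DROP policy last so the SSH rule is already in place. The SSH port 22, the administrator network 203.0.113.0/24, the interface eth0 and the file name build_rules.sh are assumed placeholder values.

```sh
#!/bin/sh
# Added example (not from the original article). Prints the rule set built
# from the commands above in a lock-out-safe order:
#   1. loopback and already-established connections,
#   2. SSH, restricted to the administrator's network,
#   3. the service ports on the public interface,
#   4. only then the default DROP policy.
# Nothing is applied here; review the output, then pipe it into a root shell:
#   sh build_rules.sh --demo | sudo sh
# The values 22, 203.0.113.0/24, eth0 and "80 443" below are assumptions.

# Return 0 only if $1 is a valid TCP port number (1-65535).
is_port() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_rules SSH_PORT ADMIN_NET IFACE PORT...
build_rules() {
    ssh_port="$1"; admin_net="$2"; iface="$3"; shift 3
    is_port "$ssh_port" || { echo "invalid SSH port: $ssh_port" >&2; return 1; }
    for p in "$@"; do
        is_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    # Local traffic and replies to connections the server opened itself.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # SSH only from the management network (-s) and only on its port (--dport).
    echo "iptables -A INPUT -p tcp -s $admin_net --dport $ssh_port -j ACCEPT"
    # Public services, bound to the interface that faces the clients.
    for p in "$@"; do
        echo "iptables -A INPUT -i $iface -p tcp --dport $p -j ACCEPT"
    done
    # Default policy last: everything not matched above is dropped.
    echo "iptables -P INPUT DROP"
}

# Stand-alone run: the rule set for a web server reachable on 80 and 443.
if [ "${1:-}" = "--demo" ]; then
    build_rules 22 203.0.113.0/24 eth0 80 443
fi
```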
If you are new to firewall rules, it is a good idea to first rent a small, inexpensive server on which you can experiment before touching production systems. These are available for a few euros per month and are often even billed per hour. Another tip: keep a second SSH session open to the server while you work, so that you are still connected after applying the rules even if they block all new connections.