How to Configure Firewall in Linux

A Firewall is a network security system that controls the incoming and outgoing network traffic based on an applied rule set. A firewall controls access to the resources of a network through a positive control model.

Accept – Allow the connection.

Drop – Drop the connection, act like it never happened. This is best if you don’t want the source to realize your system exists.

Reject – Don’t allow the connection, but send back an error. This is best if you don’t want a particular source to connect to your system, but you want them to know that your firewall blocked them.

View Firewall

To view the current firewall configuration use the command.

# iptables -L

Firewall Configuration

Edit the iptables configuration file:

# vi /etc/sysconfig/iptables

-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

Execute the command on shell.

Firewall Rules:

Rule 1: Block all IP address

To block all connections from the specific IP address, define the rule

# iptables -A INPUT -s -j DROP

Rule 2: Block network range of IP addresses

To block all of the IP addresses in specific network range then use the rule

# iptables -A INPUT -s -j DROP

Rule 3: Enable Specific Ports

In order to check the well known port chart, use the link

# iptables -A input -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
# iptables -A INPUT -s -p tcp -m tcp --dport 22 -j ACCEPT

Save Firewall Service

Save the iptable rules.

# /sbin/service iptables save

How to Verify & Block DDOS Attack in Linux


A denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users. They target a wide variety of important resources, from banks to news websites, and present a major challenge to making sure people can publish and access important information. A distributed denial-of-service (DDoS) is where incoming traffic comes from more than one – and often thousands – of unique IP’s, either from botnets or via various types of reflection attack.

Verify DDOS Attack

Show only active Internet connections to the server on port 80, this is the http port and so it’s useful if you have a web server, and sort the results. Useful in detecting a single flood by allowing you to recognize many connections coming from one IP.

# netstat -an | grep :80 | sort

List all the unique IP addresses of the node that are sending SYN_REC connection status.

# netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'

Use netstat command to calculate and count the number of connections each IP address makes to the server.

# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

A lot of outbound bruteforces lately have been running as “/usr/bin/host”
If you run a “ps faux” look for any processes by that name, or any suspicious PHP processes (or other suspect processes forked off of httpd or php).

# ps faux

If you find them, “lsof -p $PID” will help you hunt it down.

# lsof -p $PID

Block an IP address using IPTABLES

In order to block an IP on your Linux server you need to use iptables tools and netfilter firewall. To block IP address you need to type iptables command as follows:

Step 1: Add IP Address in Firewall

# iptables -A INPUT -s -j DROP

Step 2: Kill the apache sessions

# netstat -ant | awk '{print $6}' | sort | uniq -c | sort -n
# killall -KILL httpd

Step 3: Restart apache service

After killing the apache sessions restart the apache server.

For CentOS/RedHat/Fedora

# service httpd start

For Ubuntu/Debian/OpenSUSE

# /etc/init/d/apache2 restart

How to Configure Website Using Htaccess with Apache in Linux

Step 1: Prerequisite

Step 2: Create Directory

Create a directory in /var/www/html/ (where DocumentRoot of apache is pointed).

# mkdir /var/www/html/testfolder
# cd /var/www/html/testfolder

Step 3: Create .htaccess File

Now create a .htaccess file using the touch command and insert the following lines in it:

# touch .htaccess
# vi .htaccess
AuthUserFile /var/www/html/testfolder/.htpasswd
AuthGroupFile /www.null
AuthName "Authorization Required"
AuthType Basic

require user USER_NAME

Set the password by executing the htpasswd command for htaccess

# htpasswd -c /var/www/html/testfolder/.htpasswd USER_NAME

Step 4: Configuration in Apache

Edit the /etc/httpd/conf/httpd.conf file and add the lines:

# vi /etc/httpd/conf/httpd.conf
<Directory "/var/www/html/testfolder">
AllowOverride AuthConfig

Step 5: Restart Apache Server

In the end restart the httpd service:

# service httpd restart

TCP Wrapper in linux


When a connection attempt is made to a TCP-wrapped service, the service first references the host’s access files (/etc/hosts.allow and /etc/hosts.deny) to determine whether or not the client is allowed to connect. In most cases, it then uses the syslog daemon (syslogd) to write the name of the requesting client and the requested service to /var/log/secure or /var/log/messages.

When you open a local system to access from remote systems, you must ensure that the following criteria are met:
• Open the local system only to systems you want to allow to access it.
• Allow each remote system to access only the data you want it to access.
• Allow each remote system to access data only in the appropriate manner


For example, the following hosts.allow file allows anyone to connect to the OpenSSH daemon (ssh, scp, sftp)
but allows telnet connections only from the same network as the local system and users on the 192.168. subnet:

# vim /etc/hosts.allow
sshd : ALL
in.telnet : LOCAL
in.telnet : 192.168.*

Examples For a more secure system, put the following line in hosts.deny to block all access:

# vim /etc/hosts.deny
ALL : ALL : echo '%c tried to connect to %d and was blocked' >> /var/log/tcpwrappers.log

This line prevents any client from connecting to any service, unless specifically permitted in hosts.allow.

When a client requests a connection with a local server, the hosts.allow and hosts.deny files are consulted in the following manner until a match is found:

  1. If the daemon/client pair matches a line in hosts.allow, access is granted.
  2. If the daemon/client pair matches a line in hosts.deny, access is denied.
  3. If there is no match in either the hosts.allow or hosts.deny files, access is