Setting up a host-based firewall on your server to protect it from the nasties of the internet is a very simple step that can easily backfire when you lock yourself out of SSH...
Below is a very simple script to set up basic firewall restrictions for a web server such as Apache or Nginx, allowing the following:
- Allow all traffic from the server to its local loopback interface; this is needed for lots of system and application level functions
- Allow ports 80 and 443 inbound access from all sources for your HTTP and HTTPS websites
- Allow all connections outbound from your server to the internet and allow the reply traffic from those connections; this is needed to connect to repositories, APIs, send email etc.
- Allow SSH inbound connections from the internet, but at the same time block anyone trying to connect more than 4 times a minute in order to prevent easy SSH brute forcing
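The following is an added example of a script implementing the four rules above; it is not the author's script. It assumes IPv4 only (an IPv6 host needs the same rules via `ip6tables`), SSH on port 22 (override with the `SSH_PORT` environment variable), and an iptables build with the `conntrack` and `recent` match modules. The rate limit uses `recent --hitcount 5` over 60 seconds, so the fifth new SSH connection from one source within a minute is dropped, leaving 4 per minute as the text describes. To avoid the lock-out mentioned above, the INPUT policy is only switched to DROP as the last command, after every ACCEPT rule is already in place, and the ESTABLISHED,RELATED rule keeps your current SSH session alive while the rules change.

```shell
#!/bin/sh
# Added example, not the original post's script. Assumptions: IPv4 only,
# SSH on port 22 unless SSH_PORT is set, iptables with conntrack + recent.
# Usage:  sh firewall.sh        -> print the rules (dry run)
#         sh firewall.sh apply  -> run them (as root)

SSH_PORT="${SSH_PORT:-22}"

# Emits the iptables commands in a lock-out safe order: open the policy,
# flush, add all ACCEPT rules, and only then set the default to DROP.
firewall_rules() {
    cat <<EOF
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
iptables -A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -P INPUT DROP
EOF
}

# Number of rules appended to INPUT (handy for a sanity check before applying).
count_rules() {
    firewall_rules | grep -c '^iptables -A INPUT'
}

case "${1:-}" in
    apply) firewall_rules | sh -e ;;   # stop at the first failing command
    *)     firewall_rules ;;           # dry run: show what would be applied
esac
```

Run it once without arguments to review the generated commands, then with `apply` as root. The rules are not persistent across reboots; save them with your distribution's `iptables-save` mechanism once you have confirmed you can still log in from a second SSH session.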