Basic iptables rules

Build a manual iptables/nftables firewall on a HolyCloud VPS: DROP policy, SSH, HTTP/HTTPS, and rule persistence.

UFW remains the recommended choice for most HolyCloud VPS instances. This guide is for administrators who want fine-grained control with iptables (or with nftables through the iptables-nft compatibility layer). Follow it only once you are comfortable with SSH and have a fallback session at hand (the KVM console).

Prerequisites

  • HolyCloud Linux VPS, root/sudo access
  • Knowledge of exposed ports (SSH, 80, 443)
  • Persistence package: iptables-persistent (Debian/Ubuntu)
  • HolyCloud console accessible if a rule error occurs

Warning: a misordered DROP policy can cut SSH immediately. Keep a session open and test via console.

Step 1: current state and backup

sudo iptables -L -n -v
sudo iptables-save | sudo tee /root/iptables.backup.$(date +%F)

If UFW is active, disable it to avoid conflicts (advanced option):

sudo ufw disable

Step 2: loopback, established connections, and default policy

Add the loopback and established-connection rules first, then switch the policies. Setting the INPUT policy to DROP before the conntrack rule exists drops the packets of the SSH session you are working from.

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

Step 3: allow SSH, HTTP, and HTTPS

Adapt the SSH port if sshd does not listen on 22:

sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT

Limit SSH to one source IP (example). -I inserts the rule at the top of the chain; it only restricts SSH if you also delete the unrestricted port-22 rule from above (the same rule with -D instead of -A), otherwise it merely adds a second match:

sudo iptables -I INPUT -p tcp -s 203.0.113.50 --dport 22 -m conntrack --ctstate NEW -j ACCEPT

Step 4: log rejected packets (optional)

sudo iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4
sudo iptables -A INPUT -j DROP

With the INPUT policy already set to DROP, the final explicit DROP rule is redundant; keeping it makes the behaviour visible in the rule listing, with its own packet counter to compare against the LOG rule.

Step 5: persistence on reboot

sudo apt install -y iptables-persistent
sudo netfilter-persistent save

Rules are stored in /etc/iptables/rules.v4 (IPv4) and /etc/iptables/rules.v6 (IPv6).

Emergency restore (from the backup taken in step 1):

sudo iptables-restore < /root/iptables.backup.2026-06-03

IPv6 (ip6tables), same structure and same order, accept rules before the policy:

sudo ip6tables -A INPUT -i lo -j ACCEPT
sudo ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo ip6tables -P INPUT DROP
sudo ip6tables -P FORWARD DROP
sudo ip6tables -P OUTPUT ACCEPT
sudo ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
sudo netfilter-persistent save

HolyCloud often provides routed IPv6: do not leave IPv6 open if you only secure IPv4. Note that a DROP policy on ip6tables also blocks ICMPv6, which IPv6 needs for neighbour discovery; allow it (protocol ipv6-icmp) before relying on IPv6 connectivity.
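As an added example (not a HolyCloud script), here is the complete rule set from steps 2 to 5, plus the IPv6 counterpart, as a POSIX shell script. It assumes the hypothetical file name holycloud-fw.sh and the environment variables SSH_PORT, ADMIN_IP and ROLLBACK_SECS, none of which appear in the guide. Instead of issuing one iptables command at a time, it renders each table in iptables-restore format and loads it in a single transaction, so the DROP policy and the ACCEPT rules take effect together and the ordering problem the warning describes cannot occur. It validates the ruleset with --test first and arms a timed rollback to the saved backup, which is the scripted form of the emergency restore above. The IPv6 table additionally accepts ICMPv6, which neighbour discovery needs.

```sh
#!/bin/sh
# holycloud-fw.sh (hypothetical name; added example, not HolyCloud's own script)
# Renders the guide's rule set as iptables-restore input and loads it atomically,
# with a timed rollback to the previous rules unless the operator confirms.
set -eu

SSH_PORT="${SSH_PORT:-22}"            # adapt if sshd listens elsewhere
ADMIN_IP="${ADMIN_IP:-}"              # optional: restrict SSH to one IPv4 source
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"  # time to confirm before the old rules return

# Print the IPv4 filter table. $1 = SSH port, $2 = admin source IP ("" = any).
# Accept rules and the DROP policy are committed together by iptables-restore.
build_rules_v4() {
    ssh_src=""
    [ -n "$2" ] && ssh_src="-s $2 "
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp ${ssh_src}--dport $1 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4
-A INPUT -j DROP
COMMIT
EOF
}

# Print the IPv6 filter table. $1 = SSH port. Same shape as IPv4 plus ICMPv6,
# without which neighbour discovery fails and IPv6 stops working under DROP.
build_rules_v6() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport $1 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables-drop: " --log-level 4
-A INPUT -j DROP
COMMIT
EOF
}

# Back up, dry-run both tables, load them, then arm a watchdog that restores
# the backups unless /run/fw-confirmed appears within ROLLBACK_SECS.
apply_rules() {
    stamp=$(date +%F-%H%M%S)
    v4_backup="/root/iptables.backup.$stamp"
    v6_backup="/root/ip6tables.backup.$stamp"
    iptables-save > "$v4_backup"
    ip6tables-save > "$v6_backup"
    build_rules_v4 "$SSH_PORT" "$ADMIN_IP" | iptables-restore --test
    build_rules_v6 "$SSH_PORT" | ip6tables-restore --test
    build_rules_v4 "$SSH_PORT" "$ADMIN_IP" | iptables-restore
    build_rules_v6 "$SSH_PORT" | ip6tables-restore
    rm -f /run/fw-confirmed
    ( sleep "$ROLLBACK_SECS"
      if [ ! -e /run/fw-confirmed ]; then
          iptables-restore < "$v4_backup"
          ip6tables-restore < "$v6_backup"
      fi ) &
    echo "Rules loaded. Open a NEW SSH session to verify, then: touch /run/fw-confirmed"
    echo "Otherwise the previous rules return in $ROLLBACK_SECS s. Afterwards: netfilter-persistent save"
}

# Only touch the kernel when explicitly asked; otherwise just define the functions.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it as root with `sudo sh holycloud-fw.sh apply`, open a new SSH session, and if that works create /run/fw-confirmed before the timer expires, then run netfilter-persistent save. Without the argument the script only defines the functions, so `build_rules_v4 22 203.0.113.50` can be printed and reviewed before anything is applied.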

Verification

sudo iptables -L INPUT -n -v --line-numbers
curl -I --connect-timeout 5 http://127.0.0.1
sudo conntrack -S 2>/dev/null || true

From outside: SSH, HTTP, and HTTPS should respond; a scan on a closed port (e.g. 3306) should time out.

HolyCloud help

  • Lost SSH access: from the KVM console run iptables -P INPUT ACCEPT, then restore the backup
  • UFW/iptables conflict: choose a single firewall manager
  • Support: send the output of iptables-save (without secrets) and the list of services you want to expose