Network security is a primary consideration in any decision to host a website, as threats become more widespread and persistent every day. One way to add protection is to invest in a hardware firewall. Although prices keep falling, in most cases you can build a comparable unit on your Linux dedicated server with iptables for almost no additional cost.

Creating a software firewall requires many steps. Following the explanations of this section and the provided sample configuration file, you should be able to complete the deployment of the firewall relatively quickly.

A software firewall offers the following advantages:
  • Better integration with the Linux kernel for improved speed and reliability.

  • Stateful packet inspection. The firewall keeps track of each connection passing through it and, for certain protocols, inspects the contents of the data flow to anticipate the protocol's next action (for example, the data channel an FTP session is about to open). This is an important feature in the support of active FTP and DNS, as well as many other network services.

  • Filtering packets based on MAC address and on the values of the flags in the TCP header. This helps prevent attacks that use malformed packets and restricts access from locally attached servers to other networks regardless of the IP addresses they present.

  • System logging that provides the option of adjusting the level of detail of the reporting.

  • Better network address translation.

  • Support for transparent integration with such Web proxy programs as Squid.

  • A rate limiting feature that helps iptables block some types of denial of service (DoS) attacks.

The following section shows you how to set up a custom firewall to secure access to your dedicated server. The how-to steps are explained in detail, and an example configuration file is provided so that you can customize the firewall to your particular business needs. The section covers:

  • Automatic start-up of the firewall after a server reboot (/etc/rc.local).

  • Rejecting all spoofed IP addresses and those on your IP ban list.

  • Opening only the ports needed by the major components of the server.

  • A comprehensive list of commonly known ports.

  • How to start and stop the firewall manually while testing controlled access to your server.
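The script below is an added example, not the configuration file the section provides, that ties the listed items together: it generates a complete ruleset in iptables-restore format with a DROP default policy, stateful acceptance of established traffic, anti-spoofing and ban-list drops, TCP-flag sanity checks, a rate-limited SSH rule, a short list of open ports and rate-limited logging, plus start and stop functions for manual testing. The interface name (eth0), the server address, the banned addresses and the open ports are assumed placeholder values (RFC 5737 documentation addresses), so set them for your own host.

```shell
#!/bin/sh
# Added example, not the page's own configuration file: generate a complete
# iptables ruleset in iptables-restore format for a single Linux server.
# Interface, server address, ban list and open ports are assumed placeholders.
set -u

WAN_IF="${WAN_IF:-eth0}"                          # assumed public interface
SERVER_IP="${SERVER_IP:-203.0.113.10}"            # constructed server address
BAN_LIST="${BAN_LIST:-198.51.100.7 198.51.100.8}" # constructed IP ban list
SSH_PORT="${SSH_PORT:-22}"
OPEN_TCP="${OPEN_TCP:-80 443}"                    # assumed public services

# Print the ruleset. INPUT and FORWARD default to DROP, so anything not
# explicitly accepted below is logged and discarded.
build_rules() {
  printf '%s\n' '*filter'
  printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  # Loopback traffic is always local.
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  # Stateful inspection: replies to accepted connections and related flows
  # (such as active-FTP data channels) pass; packets in no known state do not.
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  # Anti-spoofing: private, loopback and our own address never legitimately
  # arrive on the outside interface.
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 "$SERVER_IP"; do
    printf '%s\n' "-A INPUT -i $WAN_IF -s $net -j DROP"
  done
  # IP ban list.
  for ip in $BAN_LIST; do
    printf '%s\n' "-A INPUT -s $ip -j DROP"
  done
  # Malformed TCP flag combinations that no legitimate client sends.
  printf '%s\n' '-A INPUT -p tcp --tcp-flags ALL NONE -j DROP'
  printf '%s\n' '-A INPUT -p tcp --tcp-flags ALL ALL -j DROP'
  printf '%s\n' '-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP'
  printf '%s\n' '-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP'
  printf '%s\n' '-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP'
  # SSH stays open but rate limited: at most 6 new connections per minute;
  # anything beyond that falls through to the log-and-drop rules.
  printf '%s\n' "-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m limit --limit 6/min --limit-burst 6 -j ACCEPT"
  # Only the listed service ports accept new connections.
  for port in $OPEN_TCP; do
    printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Log what is about to be dropped, rate limited so the log cannot be flooded.
  printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: " --log-level 4'
  printf '%s\n' 'COMMIT'
}

# Load the whole ruleset atomically (requires root).
start_firewall() { build_rules | iptables-restore; }

# Flush everything and open the host again while testing access manually.
stop_firewall() {
  iptables -P INPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -P OUTPUT ACCEPT
  iptables -F; iptables -X
}

case "${1:-}" in
  start) start_firewall ;;
  stop)  stop_firewall ;;
  show)  build_rules ;;
esac
```

Run `sh firewall.sh show` to review the generated rules without touching the kernel, `sh firewall.sh start` as root to load them, and `sh firewall.sh stop` to open the host again during testing; a `sh /path/to/firewall.sh start` line in /etc/rc.local reloads them after a reboot, as the section describes. Loading through iptables-restore rather than one iptables command at a time means the ruleset is applied as a unit, so a typo part-way through cannot leave the server half protected.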