ElasticHosts Inbound Firewall / Packet Filter
Our Firewall / Packet filter is an excellent tool to employ in reducing your server’s inbound attack surface. The Firewall can be used to filter (reject/accept) network packets based on three dimensions:
Let's get started
From the Control Panel, click on your server’s cog symbol to gain access to the Firewall settings:
Default settings look like the below:
By default, the server is set to receive all* traffic on all ports. Ping traffic (ICMP) is always permitted. Your server’s Firewall can be adjusted on the fly, no need to power off your Virtual Machine or Container.
*A select number of outbound ports are restricted by default. Please raise a support ticket to have them lifted.
Closed ports: Inbound traffic arriving on Ports detailed under 'Closed ports' field will be dropped. These packets will not reach your server.
Open ports: Inbound traffic arriving on Ports detailed under 'Open ports' field will be accepted. These packets will reach your server.
Policy: The Policy radio button can be set either to Accept or Reject.
- Choosing “Accept” will allow everything except traffic defined in the field (1).
- Choosing “Reject” will drop everything except traffic defined in the field (2).
Technical summary: Hover over the circled question mark (4) for a technical summary.
Add this rule to the 'Open ports' field:
The above rule will allow the server to accept inbound traffic only on TCP/IP port 80 (HTTP). All other inbound traffic is dropped.
To save the above rule, scroll to the top of the page and click Save:
Back on the control panel, the server will now have a Firewall symbol.
To preview the server's Firewall settings, just hover over the Firewall symbol.
Now that you know how to change the Firewall settings, we will show you a few more examples for Firewall rules.
Accept inbound traffic on multiple ports
Let's extend the previous example to include both TCP/IP port 80 & 443 (HTTP/HTTPS). To achieve that, use this rule:
Restrict SSH connections
We can further restrict SSH connections to a single external IP address via the below rule:
tcp/80 tcp/443 tcp/220.127.116.11/22
Accept inbound traffic from an IP address block
It’s possible to use a CIDR mask to specify a block of IP addresses. If you do that, it's still mandatory to specify a port range as the last part of the rule. To catch all ports, use the range
The below rule would allow HTTP traffic from the entire 10.0.0.0/16 IP block on port 8080:
To select a range of ports, e.g. from 8080 to 8090, change the rule:
Block UDP traffic
The below rule will block UDP traffic, on all ports, but accept all other traffic :
Thanks for reading the tutorial!
If you have any question, let us know in the comments below.
Make sure to read all of our useful tutorials!
New to ElasticHosts?
Report a technical issue