Hosting your own Killing Floor 2 Server - Part 5 - Configuring the firewall with iptables

In part 5 we'll be configuring a simple firewall for the Vultr VPS.

  1. We want our iptables rules saved if a reboot occurs. Install the iptables-persistent package and remove the UFW firewall.

apt-get install -y iptables-persistent
apt-get remove -y ufw

  2. Configure the firewall.

First we need to remove all of the UFW chains. Make sure to drop into an sh shell for this to work properly.

# Flush every rule first: -X can only delete a chain that is empty and unreferenced
iptables -F
# Delete each ufw-* chain that UFW left behind
for ufw in `iptables -L |grep ufw|awk '{ print $2 }'`; do iptables -X $ufw; done

Now it's time to configure the firewall rules that we want. This ruleset will do the following

  • Allow all traffic to flow out of the server (DNS, NTP, etc.)
  • Allow any established connections to flow into the server
  • Allow SSH in on port 22
  • Allow ports 80/443 in for Nginx and Let's Encrypt renewal
  • Allow ports 7777/27015/20560 for Killing Floor 2
  • Drop traffic connecting directly to port 8080 on the unsecured WebUI
  • Drop all other incoming traffic

# The INPUT policy stays ACCEPT while the rules are added; the final rule below drops whatever nothing else matched
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -F

# Loopback, plus replies to connections the server opened itself
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH, Nginx and Let's Encrypt renewal
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Killing Floor 2 and Steam
iptables -A INPUT -p udp --dport 7777 -j ACCEPT -m comment --comment "This is the main port the game will send connections over"
iptables -A INPUT -p udp --dport 27015 -j ACCEPT -m comment --comment "This port is used to communicate with the Steam Master Server"
iptables -A INPUT -p udp --dport 20560 -j ACCEPT -m comment --comment "Steam Port"
# Everything else, including direct access to the WebUI on port 8080, is dropped
iptables -A INPUT -j DROP
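As an added example (not part of the original guide), here is the same ruleset rendered in the iptables-restore format that netfilter-persistent writes to /etc/iptables/rules.v4, so it can be loaded in one atomic step with iptables-restore instead of one iptables command at a time, with a check that refuses a ruleset that would lock out SSH. It differs from the guide in using a DROP policy on INPUT rather than an ACCEPT policy with a trailing DROP rule; the port lists and the rules.v4 path are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original guide: render the guide's ruleset in the
# iptables-restore format that netfilter-persistent stores in /etc/iptables/rules.v4.
# Loading such a file with iptables-restore replaces the whole table in one step,
# so there is no moment where only part of the ruleset is active.
# Difference from the guide: INPUT policy is DROP instead of ACCEPT plus a
# trailing DROP rule. Port lists below are assumptions for this example.

TCP_PORTS="22 80 443"           # SSH, Nginx and Let's Encrypt renewal
UDP_PORTS="7777 27015 20560"    # KF2 game port, Steam master server, Steam port

# Print the filter table in iptables-restore syntax on stdout.
render_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'      # unmatched inbound packets are dropped
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'   # all outbound traffic (DNS, NTP, ...) allowed
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in $TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    for p in $UDP_PORTS; do
        printf '%s\n' "-A INPUT -p udp --dport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Refuse to load a ruleset that would lock out SSH, leaves INPUT open by
# default, or is not terminated by COMMIT. Returns 0 when the ruleset passes.
check_rules() {
    rules=$(render_rules)
    echo "$rules" | grep -q '^:INPUT DROP'                            || return 1
    echo "$rules" | grep -q '^-A INPUT -p tcp --dport 22 -j ACCEPT$'  || return 1
    echo "$rules" | grep -q '^COMMIT$'                                || return 1
    return 0
}

# Number of -A rules that would be loaded; compare with `iptables -nvL` afterwards.
count_rules() { render_rules | grep -c '^-A '; }

# Typical use on the server (path is the netfilter-persistent default):
#   check_rules && render_rules > /etc/iptables/rules.v4 \
#     && iptables-restore < /etc/iptables/rules.v4
```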

Save the rules

netfilter-persistent save

Start the service

service netfilter-persistent start

Enable service at boot

invoke-rc.d netfilter-persistent save

View the current iptables rules

iptables -nvL

You are all done!

To connect to your server

  1. Open Killing Floor 2
  2. Press F3
  3. Type open or open your-ip-address