
Linux Firewall Setup Guide

Secure Your Bitcoin Node with Linux Firewall Configuration

Security for Decentralized Infrastructure

Part of Pasifika.xyz Web3 Tech Hub

Key figures
  • 8333: Bitcoin P2P port
  • 22: SSH port
  • 3600s: default ban time
  • IPv4/6: dual stack support

🛡️ Overview

This guide provides step-by-step instructions for implementing Linux OS firewalls on Bitcoin nodes in your Decentralized Physical Infrastructure Network (DePIN) system. A proper firewall configuration is essential for securing your Bitcoin node against unauthorized access while maintaining network connectivity.

📋 Prerequisites
  • Ubuntu 20.04+ or CentOS 8+ Linux distribution
  • Root or sudo access
  • Bitcoin Core node installed and configured
  • Basic understanding of Linux command line
Difficulty: Moderate

🔒 Security Benefits
  • Protection from unauthorized access
  • Mitigation of DDoS attacks
  • Defense against brute force attempts
  • Controlled access to Bitcoin node services
Priority: Critical

🔧 Step 1: System Preparation

Before configuring your firewall, ensure your system is up-to-date and has all necessary packages installed.

1.1 Update System

# Ubuntu/Debian
sudo apt update && sudo apt upgrade -y

# CentOS/RHEL
sudo yum update -y

1.2 Install Required Tools

# Ubuntu/Debian
sudo apt install iptables-persistent netfilter-persistent fail2ban -y

# CentOS/RHEL
sudo yum install iptables-services fail2ban -y

🔥 Step 2: Basic Firewall Configuration

Start with basic iptables configuration to set up the foundation for your firewall rules.

2.1 Clear Existing Rules

# Flush all existing rules. Do this while the default policies are still ACCEPT;
# re-running it later with DROP policies in place leaves only the policies, i.e. drops everything.
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X

2.2 Set Default Policies

# Set restrictive defaults
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

2.3 Allow Loopback and Established Traffic

# Allow local loopback (essential for system operation)
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT

# Accept replies to connections this host initiated (DNS, apt/yum updates, outbound peers).
# Without this rule the INPUT DROP policy set above breaks name resolution and package updates.
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

⚠️ Caution

Setting default policies to DROP will block all incoming connections not explicitly allowed. Make sure you have a way to access your system if something goes wrong, such as a console connection or out-of-band management.

₿ Step 3: Bitcoin Node Specific Rules

Configure firewall rules specifically for Bitcoin node operations.

3.1 Bitcoin P2P Network Traffic

Allow Bitcoin network communication for inbound peer connections.

# Bitcoin mainnet P2P port (8333)
sudo iptables -A INPUT -p tcp --dport 8333 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 8333 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Bitcoin testnet P2P port (18333) - if using testnet
sudo iptables -A INPUT -p tcp --dport 18333 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 18333 -m conntrack --ctstate ESTABLISHED -j ACCEPT

3.2 Bitcoin RPC (Local Access)

Restrict the Bitcoin RPC port to localhost and specific trusted IPs.

# Bitcoin RPC port (8332) - restrict to localhost and specific IPs.
# bitcoind only listens on 127.0.0.1 unless rpcbind/rpcallowip are set in bitcoin.conf,
# so the LAN rule below only matters if you configured those.
sudo iptables -A INPUT -p tcp --dport 8332 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8332 -s 192.168.1.0/24 -j ACCEPT  # Adjust to your network

3.3 Outbound Bitcoin Connections

# Allow outbound connections to other Bitcoin nodes
sudo iptables -A OUTPUT -p tcp --dport 8333 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --sport 8333 -m conntrack --ctstate ESTABLISHED -j ACCEPT

🔑 Step 4: System Administration Access

Configure secure administrative access to your Bitcoin node.

4.1 SSH Access (Secure Management)

# Replace YOUR_ADMIN_IP with your actual admin IP addresses
# Multiple IPs can be added with separate rules
sudo iptables -A INPUT -p tcp --dport 22 -s YOUR_ADMIN_IP -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Example for MEIDECC admin network
sudo iptables -A INPUT -p tcp --dport 22 -s 192.168.100.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

4.2 ICMP (Ping) - Limited

# Allow ping for network diagnostics (rate limited)
sudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

💡 Best Practice

Always restrict SSH access to specific trusted IP addresses whenever possible. If you need remote access from various locations, consider setting up a VPN and only allowing SSH access through the VPN.

🏝️ Step 5: Pacific Islands Specific Optimizations

Special considerations for Bitcoin nodes operating in Pacific Island environments with potentially unstable network conditions.

5.1 Connection Tracking for Unstable Networks

# Tune connection tracking timeouts. The file write needs root too, hence tee.
# Kernel defaults are 432000s (established) and 120s (time_wait): 7200 expires
# entries of peers that vanished during an outage sooner, freeing conntrack slots.
echo 'net.netfilter.nf_conntrack_tcp_timeout_established = 7200' | sudo tee -a /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

5.2 Rate Limiting for Bandwidth Conservation

# Limit new inbound peer connections per source IP to 10 per minute (adjust based on your needs).
# Match NEW connections only: without --ctstate NEW every packet of an established
# peer session counts as a hit and long-lived peers get cut off.
# Insert at the top of INPUT (-I) so the check runs before the port 8333 ACCEPT rule from step 3.
sudo iptables -I INPUT 1 -p tcp --dport 8333 -m conntrack --ctstate NEW -m recent --set --name bitcoin_connect
sudo iptables -I INPUT 2 -p tcp --dport 8333 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 --name bitcoin_connect -j DROP

Why This Matters

Pacific Island networks often face challenges with limited bandwidth, higher latency, and occasional connectivity disruptions. These optimizations help your Bitcoin node maintain stable connections despite these challenges, ensuring your node remains a reliable part of the Bitcoin network.

🛑 Step 6: DDoS Protection

Implement protection against common denial-of-service attack methods.

6.1 SYN Flood Protection

Limit the rate of new TCP connection attempts so a SYN flood cannot overwhelm your server.

# Protect against SYN flood attacks. The limit check lives in its own chain and
# RETURNs in-rate SYNs to INPUT, where the normal service rules decide. A plain
# "--syn -m limit -j ACCEPT" rule would instead admit SYNs to any port, not just the open ones.
# Insert the jump at the top of INPUT (-I) so it runs before the ACCEPT rules from steps 3 and 4.
sudo iptables -N SYN_FLOOD
sudo iptables -A SYN_FLOOD -m limit --limit 1/s --limit-burst 3 -j RETURN
sudo iptables -A SYN_FLOOD -j DROP
sudo iptables -I INPUT 1 -p tcp --syn -j SYN_FLOOD

6.2 Port Scan Protection

Detect and block port scanning attempts.

# Detect and block packets with TCP flag combinations that normal traffic never uses
sudo iptables -N PORTSCAN
sudo iptables -A PORTSCAN -m limit --limit 1/s --limit-burst 4 -j LOG --log-prefix "Port Scan: "
sudo iptables -A PORTSCAN -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j PORTSCAN
sudo iptables -A INPUT -p tcp --tcp-flags ALL ALL -j PORTSCAN
sudo iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j PORTSCAN
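The rules from steps 2 through 6 only work together if they sit in the right order in INPUT. The script below is an added example (not part of the Pasifika guide) that emits them as one iptables-restore file in an order where every rule is reachable; the two network arguments are placeholders for your admin and RPC client ranges.

```shell
#!/bin/bash
# Added example, not from the Pasifika guide: emit the guide's rules (steps 2-6 plus
# the step 8 LOG rule) as one iptables-restore file, ordered so every rule is reachable.
# The two network arguments are placeholders; substitute your own ranges.
set -eu

build_rules() {
    local admin_net="${1:-192.168.100.0/24}"   # SSH source range (placeholder)
    local rpc_net="${2:-192.168.1.0/24}"       # trusted RPC clients (placeholder)
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SYN_FLOOD - [0:0]
:PORTSCAN - [0:0]
# Loopback, plus replies to connections this host opened (DNS, apt, outbound peers)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Abuse checks come BEFORE any ACCEPT so they actually see the traffic
-A INPUT -p tcp --syn -j SYN_FLOOD
-A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j PORTSCAN
-A INPUT -p tcp --tcp-flags ALL ALL -j PORTSCAN
-A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j PORTSCAN
-A INPUT -p tcp --dport 8333 -m conntrack --ctstate NEW -m recent --set --name bitcoin_connect
-A INPUT -p tcp --dport 8333 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 --name bitcoin_connect -j DROP
# Services: only NEW connections need matching here, ESTABLISHED was accepted above
-A INPUT -p tcp --dport 22 -s ${admin_net} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 8333 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 8332 -s 127.0.0.1 -j ACCEPT
-A INPUT -p tcp --dport 8332 -s ${rpc_net} -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Log what is left (rate limited), then fall through to the DROP policy
-A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
# SYN_FLOOD: in-rate SYNs RETURN to INPUT and reach the service rules; excess is dropped
-A SYN_FLOOD -m limit --limit 1/s --limit-burst 3 -j RETURN
-A SYN_FLOOD -j DROP
-A PORTSCAN -m limit --limit 1/s --limit-burst 4 -j LOG --log-prefix "Port Scan: "
-A PORTSCAN -j DROP
COMMIT
EOF
}

# Line number of the first rule matching a pattern; used to check ordering.
rule_line() { build_rules | grep -n -- "$1" | head -n1 | cut -d: -f1; }

# Usage: build_rules 203.0.113.0/24 10.0.0.0/24 | sudo iptables-restore --test
```

Pipe the output through `iptables-restore --test` first; it parses the whole file without touching the live tables, so a typo cannot lock you out.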

👮 Step 7: Fail2Ban Configuration

Set up Fail2Ban to protect against brute force attacks on SSH and Bitcoin RPC.

7.1 Configure Fail2Ban for SSH

Create /etc/fail2ban/jail.local:

[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3

[sshd]
enabled = true
port = ssh
filter = sshd
# CentOS/RHEL: logpath = /var/log/secure
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600

[bitcoin-rpc]
enabled = true
port = 8332
filter = bitcoin-rpc
logpath = /home/bitcoin/.bitcoin/debug.log
maxretry = 5
bantime = 7200

7.2 Create Bitcoin RPC Filter

Create /etc/fail2ban/filter.d/bitcoin-rpc.conf:

[Definition]
# Bitcoin Core logs failed RPC authentication as "ThreadRPCServer incorrect password attempt from <ip>:<port>";
# the pattern must contain <HOST>, otherwise fail2ban rejects the filter and cannot tell which address to ban.
failregex = ^.*ThreadRPCServer incorrect password attempt from <HOST>(:\d+)?\s*$
ignoreregex =

7.3 Start Fail2Ban

sudo systemctl enable fail2ban
sudo systemctl start fail2ban
sudo systemctl status fail2ban
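Before enabling the jail it is worth dry-running the filter against log lines you know the answer for. The script below is an added example (not from the guide or from fail2ban): it expands fail2ban's `<HOST>` token by hand (IPv4 only, an assumption made here for grep's sake) and counts offences per source over a constructed debug.log sample.

```shell
#!/bin/bash
# Added example: dry-run the bitcoin-rpc fail2ban filter against constructed
# debug.log lines (not real node output) before enabling the jail.
# The regex mirrors the filter file above; <HOST> is normally expanded by fail2ban
# into its address-matching group, which grep does not know, so we expand it ourselves (IPv4 only).
set -eu

FAILREGEX='^.*ThreadRPCServer incorrect password attempt from <HOST>(:[0-9]+)?[[:space:]]*$'

# Constructed sample log, not captured from a real node.
SAMPLE_LOG='2024-05-01T10:00:01Z ThreadRPCServer incorrect password attempt from 192.168.1.55:40112
2024-05-01T10:00:02Z ThreadRPCServer incorrect password attempt from 192.168.1.55:40113
2024-05-01T10:00:03Z ThreadRPCServer method=getblockcount user=ops
2024-05-01T10:00:04Z ThreadRPCServer incorrect password attempt from 192.168.1.77:51002
2024-05-01T10:00:05Z UpdateTip: new best=deadbeef height=840000'

# Expand fail2ban's <HOST> token to a plain ERE capture group for an IPv4 address.
to_ere() { printf '%s' "$1" | sed 's/<HOST>/([0-9]{1,3}(\\.[0-9]{1,3}){3})/'; }

# Print "count host" for every host that triggered the rule, most offences first.
rpc_failures() {
    local ere
    ere=$(to_ere "$FAILREGEX")
    printf '%s\n' "$SAMPLE_LOG" \
        | grep -E "$ere" \
        | sed -E "s/$ere/\\1/" \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Offences for one host, 0 if it never appears; this is the number a jail compares to maxretry.
failures_for() {
    rpc_failures | awk -v h="$1" '$2 == h { print $1; found=1 } END { if (!found) print 0 }'
}
```

The same check against a live file is `fail2ban-regex /home/bitcoin/.bitcoin/debug.log /etc/fail2ban/filter.d/bitcoin-rpc.conf`, which uses fail2ban's own `<HOST>` expansion and also covers IPv6.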

📊 Step 8: Logging and Monitoring

Set up logging to monitor firewall activity and potential security incidents.

8.1 Enable Firewall Logging for Suspicious Activity

# Log dropped packets (limited to prevent log spam)
sudo iptables -A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4

8.2 Create Log Monitoring Script

Create /usr/local/bin/firewall-monitor.sh:

#!/bin/bash
# Simple firewall monitoring script for Pasifika DePIN nodes

LOG_FILE="/var/log/firewall-monitor.log"
DATE=$(date '+%Y-%m-%d %H:%M:%S')

# Count dropped-packet log lines (CentOS/RHEL: use /var/log/messages)
DROPPED_COUNT=$(grep -c "IPTables-Dropped" /var/log/syslog)

# Check Bitcoin node connectivity. When run from root's cron, bitcoin-cli must be able
# to read the node's RPC cookie; pass -datadir=... if the node runs under another user.
BITCOIN_CONNECTIONS=$(bitcoin-cli getconnectioncount 2>/dev/null || echo "ERROR")

# Log status
echo "[$DATE] Dropped packets: $DROPPED_COUNT | Bitcoin connections: $BITCOIN_CONNECTIONS" >> "$LOG_FILE"

# Alert if the node has no peers or did not answer at all
if [ "$BITCOIN_CONNECTIONS" = "0" ] || [ "$BITCOIN_CONNECTIONS" = "ERROR" ]; then
    echo "[$DATE] ALERT: Bitcoin node connectivity issue" >> "$LOG_FILE"
fi

Make it executable and add it to root's crontab (appending, so existing entries are kept):

sudo chmod +x /usr/local/bin/firewall-monitor.sh
(sudo crontab -l 2>/dev/null; echo "*/5 * * * * /usr/local/bin/firewall-monitor.sh") | sudo crontab -

💾 Step 9: Save and Persist Rules

Ensure your firewall rules persist across system reboots.

9.1 Save Current Rules

# Ubuntu/Debian (the file write needs root as well, so use tee rather than a plain redirect)
sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null

# CentOS/RHEL
sudo service iptables save

9.2 Enable Auto-Start

# Ubuntu/Debian
sudo systemctl enable netfilter-persistent

# CentOS/RHEL
sudo systemctl enable iptables

✅ Step 10: Testing and Validation

Verify that your firewall configuration is working correctly.

10.1 Test Bitcoin Node Connectivity

# Check if Bitcoin node can connect to peers
bitcoin-cli getconnectioncount

# Check peer information
bitcoin-cli getpeerinfo | grep addr

10.2 Test Firewall Rules

# View current rules
sudo iptables -L -n -v

10.3 Monitor Logs

# Watch firewall logs (CentOS/RHEL: /var/log/messages)
sudo tail -f /var/log/syslog | grep --line-buffered IPTables

# Watch fail2ban logs
sudo tail -f /var/log/fail2ban.log

🔄 Maintenance and Updates

Regular maintenance tasks to keep your firewall effective.

📅 Regular Tasks
  1. Weekly: Review firewall logs for unusual activity
  2. Monthly: Update fail2ban rules and test connectivity
  3. Quarterly: Review and adjust rate limiting based on network conditions

🚨 Emergency Procedures

If locked out due to firewall misconfiguration:

# Emergency rule flush (requires console access)
sudo iptables -F
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT

🔧 Troubleshooting

Solutions for common issues with firewall configuration.

Common Issues

Bitcoin node can't connect to peers
  • Check if port 8333 is properly opened
  • Verify outbound rules allow Bitcoin traffic
  • Check if your ISP blocks Bitcoin ports
Can't access via SSH
  • Verify SSH rules include your IP address
  • Check fail2ban hasn't banned your IP: sudo fail2ban-client status sshd
  • Verify SSH daemon is running: sudo systemctl status sshd

Useful Commands

# Check rule hit counts
sudo iptables -L -n -v

# Reset hit counters
sudo iptables -Z

# Temporary rule addition (for testing)
sudo iptables -I INPUT 1 -s YOUR_IP -j ACCEPT

# List INPUT rules with their line numbers, then remove a specific rule by number
sudo iptables -L INPUT -n --line-numbers
sudo iptables -D INPUT [line_number]

🛡️ Security Best Practices

Follow these best practices to maintain a secure Bitcoin node environment:

🔑 Principle of Least Privilege
Only open necessary ports and grant the minimum required permissions. Block everything by default and allow only specific services.

🔄 Regular Updates
Keep your system, Bitcoin Core, and security tools updated with the latest security patches.

👁️ Monitor Actively
Regularly check logs for suspicious activity or unauthorized access attempts.

💾 Backup Configurations
Keep backups of working firewall configurations before making changes.

🏁 Conclusion

This firewall setup provides a robust security foundation for Bitcoin nodes while accounting for the unique challenges of Pacific Island connectivity. The configuration balances security with the need for reliable Bitcoin network participation.

Organizations implementing Bitcoin infrastructure should adjust IP ranges and monitoring parameters according to their specific network topology and requirements.

💪 Community Impact

Properly secured Bitcoin nodes not only protect individual infrastructure but also contribute to the overall security and health of the Bitcoin network. This is especially important for emerging technology hubs in the Pacific Islands region.