How to Install and Configure Iptables Firewall on CentOS 6.3

This post covers the steps to install and configure iptables on a Linux CentOS 6.3 server. Iptables is a packet filtering firewall package for Linux. It is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Iptables interfaces with the Linux netfilter module to perform filtering of network packets.

1. To install iptables, simply run the following command:

[root@centos63 ~]# yum install iptables -y

2. Check the installed iptables package and version:

[root@centos63 ~]# rpm -qa | grep iptables
iptables-ipv6-1.4.7-5.1.el6_2.i686
iptables-1.4.7-5.1.el6_2.i686
[root@centos63 ~]# iptables --version
iptables v1.4.7

3. Check iptables status:

[root@centos63 ~]# /etc/init.d/iptables status
iptables: Firewall is not running.

or

[root@centos63 ~]# service iptables status
iptables: Firewall is not running.

4. Start and stop iptables:

Start:

[root@centos63 ~]# service iptables start
iptables: Applying firewall rules:                         [  OK  ]

Stop:

[root@centos63 ~]# service iptables stop
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]

5. To set iptables to start at boot:

[root@centos63 ~]# chkconfig iptables on

6. Display the default iptables rules:

[root@centos63 ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

7. Display the currently open ports:

[root@centos63 ~]# netstat -plunt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:46915               0.0.0.0:*                   LISTEN      1170/rpc.statd
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      1538/mysqld
tcp        0      0 127.0.0.1:3310              0.0.0.0:*                   LISTEN      1406/clamd
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      1152/rpcbind
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1390/sshd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1629/master
tcp        0      0 :::111                      :::*                        LISTEN      1152/rpcbind
tcp        0      0 :::59988                    :::*                        LISTEN      1170/rpc.statd
tcp        0      0 :::22                       :::*                        LISTEN      1390/sshd
tcp        0      0 ::1:25                      :::*                        LISTEN      1629/master
udp        0      0 0.0.0.0:59738               0.0.0.0:*                               1170/rpc.statd
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               1152/rpcbind
udp        0      0 192.168.1.54:123            0.0.0.0:*                               1398/ntpd
udp        0      0 127.0.0.1:123               0.0.0.0:*                               1398/ntpd
udp        0      0 0.0.0.0:123                 0.0.0.0:*                               1398/ntpd
udp        0      0 0.0.0.0:903                 0.0.0.0:*                               1152/rpcbind
udp        0      0 0.0.0.0:922                 0.0.0.0:*                               1170/rpc.statd
udp        0      0 :::50667                    :::*                                    1170/rpc.statd
udp        0      0 :::111                      :::*                                    1152/rpcbind
udp        0      0 fe80::20c:29ff:fe1b:b39c:123 :::*                                    1398/ntpd
udp        0      0 ::1:123                     :::*                                    1398/ntpd
udp        0      0 :::123                      :::*                                    1398/ntpd
udp        0      0 :::903                      :::*                                    1152/rpcbind

8. Modify the original iptables configuration file:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Please note that two rules have been added to the iptables firewall rules:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
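A check worth running before restarting the firewall, added here and not part of the original post: it cross-references the listeners from step 7 with the rules file from step 8 and reports which services the firewall will actually admit from the network, and it verifies that the INPUT chain still ends in a catch-all REJECT (without which the ACCEPT rules change nothing). Both inputs are constructed samples; on a real host substitute the output of `cat /etc/sysconfig/iptables` and `netstat -plunt`.

```shell
# Constructed copy of /etc/sysconfig/iptables after step 8 (iptables-save format).
RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'
# Constructed excerpt of the `netstat -plunt` output from step 7 (TCP listeners only).
LISTENERS='tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      1538/mysqld
tcp        0      0 127.0.0.1:3310              0.0.0.0:*                   LISTEN      1406/clamd
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      1152/rpcbind
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1390/sshd'

# TCP destination ports the INPUT chain accepts for new connections, one per line.
allowed_tcp_ports() {
    printf '%s\n' "$RULES" | awk '/^-A INPUT / && /-p tcp/ && /-j ACCEPT/ {
        for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1) }'
}
# Succeeds only if INPUT has a DROP policy or ends in an unconditional REJECT/DROP;
# without one of those, every listener is reachable no matter what ACCEPT rules exist.
input_has_catch_all() {
    printf '%s\n' "$RULES" | awk '
        /^:INPUT DROP/ { drop = 1 }
        /^-A INPUT /   { last = $0 }
        END { exit !(drop || (last ~ /-j (REJECT|DROP)/ && last !~ /-p |-m |-s |-i /)) }'
}
# For each listener bound to all addresses (0.0.0.0 or ::), report whether the
# firewall admits it; loopback-only listeners (127.0.0.1, ::1) are skipped.
exposed_listeners() {
    allowed=$(allowed_tcp_ports | tr '\n' ' ')
    printf '%s\n' "$LISTENERS" | awk -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "tcp" && $6 == "LISTEN" {
            host = $4; sub(/:[^:]*$/, "", host)   # bind address without the ":port"
            port = $4; sub(/.*:/, "", port)       # text after the last colon
            if (host != "0.0.0.0" && host != "::") next
            verdict = (port in ok) ? "allowed through the firewall" : "blocked by the catch-all REJECT"
            printf "%s/tcp %s (%s)\n", port, verdict, $7
        }'
}

if input_has_catch_all; then exposed_listeners; else echo "INPUT has no catch-all: every listener is reachable"; fi
```

With the sample data the report shows 22 and 3306 admitted and 111 (rpcbind) blocked, while the loopback-only clamd listener is not considered at all.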

Comments


  • Michael McMillan says:

    Once you have done this, use the command:
    service iptables restart
    to apply the changes to your firewall settings. 
