This post covers the steps to install and configure iptables on a Linux CentOS 6.3 server. iptables is the packet-filtering firewall package on Linux: it is used to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel, and it interfaces with the kernel's netfilter framework to filter network packets.
1. To install iptables, simply run the following command:
[root@centos63 ~]# yum install iptables -y
2. Check the installed iptables package and version:
[root@centos63 ~]# rpm -qa | grep iptables
iptables-ipv6-1.4.7-5.1.el6_2.i686
iptables-1.4.7-5.1.el6_2.i686
[root@centos63 ~]# iptables --version
iptables v1.4.7
3. Check iptables status:
[root@centos63 ~]# /etc/init.d/iptables status
iptables: Firewall is not running.
or
[root@centos63 ~]# service iptables status
iptables: Firewall is not running.
4. Start and stop iptables:
Start:
[root@centos63 ~]# service iptables start
iptables: Applying firewall rules:                         [  OK  ]
Stop:
[root@centos63 ~]# service iptables stop
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
5. To make iptables start at boot:
[root@centos63 ~]# chkconfig iptables on
6. Display the default iptables rules:
[root@centos63 ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
7. Display the currently open (listening) ports:
[root@centos63 ~]# netstat -plunt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address                 Foreign Address   State       PID/Program name
tcp        0      0 0.0.0.0:46915                 0.0.0.0:*         LISTEN      1170/rpc.statd
tcp        0      0 0.0.0.0:3306                  0.0.0.0:*         LISTEN      1538/mysqld
tcp        0      0 127.0.0.1:3310                0.0.0.0:*         LISTEN      1406/clamd
tcp        0      0 0.0.0.0:111                   0.0.0.0:*         LISTEN      1152/rpcbind
tcp        0      0 0.0.0.0:22                    0.0.0.0:*         LISTEN      1390/sshd
tcp        0      0 127.0.0.1:25                  0.0.0.0:*         LISTEN      1629/master
tcp        0      0 :::111                        :::*              LISTEN      1152/rpcbind
tcp        0      0 :::59988                      :::*              LISTEN      1170/rpc.statd
tcp        0      0 :::22                         :::*              LISTEN      1390/sshd
tcp        0      0 ::1:25                        :::*              LISTEN      1629/master
udp        0      0 0.0.0.0:59738                 0.0.0.0:*                     1170/rpc.statd
udp        0      0 0.0.0.0:111                   0.0.0.0:*                     1152/rpcbind
udp        0      0 192.168.1.54:123              0.0.0.0:*                     1398/ntpd
udp        0      0 127.0.0.1:123                 0.0.0.0:*                     1398/ntpd
udp        0      0 0.0.0.0:123                   0.0.0.0:*                     1398/ntpd
udp        0      0 0.0.0.0:903                   0.0.0.0:*                     1152/rpcbind
udp        0      0 0.0.0.0:922                   0.0.0.0:*                     1170/rpc.statd
udp        0      0 :::50667                      :::*                          1170/rpc.statd
udp        0      0 :::111                        :::*                          1152/rpcbind
udp        0      0 fe80::20c:29ff:fe1b:b39c:123  :::*                          1398/ntpd
udp        0      0 ::1:123                       :::*                          1398/ntpd
udp        0      0 :::123                        :::*                          1398/ntpd
udp        0      0 :::903                        :::*                          1152/rpcbind
8. Modify the original iptables configuration file (/etc/sysconfig/iptables):
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Please note that two rules have been added to the iptables firewall rules, allowing new TCP connections to port 80 (HTTP) and port 3306 (MySQL) from any host; both must come before the final REJECT rule, since the INPUT chain is evaluated top to bottom:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
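Steps 7 and 8 together decide what the rest of the network can reach: a listening socket is exposed only if the INPUT chain accepts a NEW connection to it. The following is an added example, not code from the original post: a small Python audit that parses the /etc/sysconfig/iptables ruleset from step 8 and the netstat -plunt listing from step 7 (both embedded as constructed samples taken from the post's output) and reports, per listening socket, whether a remote host can reach it. It assumes only the rule shapes the post uses (-p, --dport, -i, --state matches with ACCEPT/REJECT/DROP targets) and treats IPv6 sockets as out of scope, because those are governed by ip6tables, not this file.

```python
# Added example, not part of the original post: which listening sockets from
# `netstat -plunt` can a remote host reach through the INPUT chain of the
# /etc/sysconfig/iptables ruleset? Handles only the rule shapes the post uses
# (-p / --dport / -i / --state, ACCEPT/REJECT/DROP); non-terminating targets
# such as LOG are skipped and user-defined chains are not followed.
import re

# Constructed sample: the modified ruleset from step 8.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed sample: a subset of the `netstat -plunt` listing from step 7.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:3306    0.0.0.0:*        LISTEN  1538/mysqld
tcp        0      0 127.0.0.1:3310  0.0.0.0:*        LISTEN  1406/clamd
tcp        0      0 0.0.0.0:111     0.0.0.0:*        LISTEN  1152/rpcbind
tcp        0      0 0.0.0.0:22      0.0.0.0:*        LISTEN  1390/sshd
tcp        0      0 :::22           :::*             LISTEN  1390/sshd
udp        0      0 0.0.0.0:123     0.0.0.0:*                1398/ntpd
"""

RULE_PATTERNS = (("proto", r"\s-p\s+(\w+)"), ("dport", r"--dport\s+(\d+)"),
                 ("iface", r"\s-i\s+(\S+)"), ("states", r"--state\s+(\S+)"),
                 ("target", r"\s-j\s+(\w+)"))


def parse_input_chain(text):
    """Return (policy, rules) for the INPUT chain of iptables-save format text."""
    policy, rules = "ACCEPT", []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^:INPUT\s+(\w+)", line)
        if m:                                  # ":INPUT ACCEPT [0:0]" -> chain policy
            policy = m.group(1)
            continue
        if not line.startswith("-A INPUT "):
            continue
        rule = {key: (m.group(1) if (m := re.search(pat, line)) else None)
                for key, pat in RULE_PATTERNS}
        rule["dport"] = int(rule["dport"]) if rule["dport"] else None
        rule["states"] = set(rule["states"].split(",")) if rule["states"] else None
        rules.append(rule)
    return policy, rules


def verdict_for_remote_new(policy, rules, proto, port):
    """First terminating target a NEW packet to proto/port from a remote host hits."""
    for r in rules:
        if r["iface"] == "lo":                 # remote traffic never arrives on lo
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["dport"] is not None and r["dport"] != port:
            continue
        if r["states"] is not None and "NEW" not in r["states"]:
            continue
        if r["target"] in ("ACCEPT", "REJECT", "DROP"):
            return r["target"]
    return policy                              # fell off the end: chain policy applies


def parse_listeners(text):
    """Return [(proto, port, program, local_addr)] from netstat -plunt output."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "udp"):
            continue                           # header lines
        addr, port = f[3].rsplit(":", 1)       # works for 0.0.0.0:22 and :::22 alike
        out.append((f[0], int(port), f[-1].split("/", 1)[-1], addr))
    return out


def audit(rules_text, netstat_text):
    """Return [(proto, port, program, status)] for every listening socket."""
    policy, rules = parse_input_chain(rules_text)
    report = []
    for proto, port, program, addr in parse_listeners(netstat_text):
        if ":" in addr:                        # IPv6 socket: ip6tables governs it
            status = "ipv6-not-checked"
        elif addr.startswith("127."):          # bound to loopback only
            status = "loopback-only"
        else:
            status = verdict_for_remote_new(policy, rules, proto, port)
        report.append((proto, port, program, status))
    return report


def exposed(rules_text, netstat_text):
    """Sockets a remote host can open a NEW connection to under this ruleset."""
    return [(p, port, prog) for p, port, prog, s in audit(rules_text, netstat_text)
            if s == "ACCEPT"]


if __name__ == "__main__":
    for proto, port, program, status in audit(SAMPLE_RULES, SAMPLE_NETSTAT):
        print(f"{proto:4} {port:5} {program:10} {status}")
```

Run against the post's own data, the audit shows that after step 8 both sshd (22) and mysqld (3306) are reachable from any remote host, while rpcbind (111) and ntpd (123) are still stopped by the final REJECT and clamd stays loopback-only. That is exactly the point worth checking before restarting the service: opening 3306 is fine for a database that must serve remote clients, but a MySQL instance that only serves a local web application should instead be bound to 127.0.0.1 or limited to the source addresses that need it (for example with -s in the rule).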
1 Comment
Once you have done this, use the command:
service iptables restart
to apply the changes to your firewall settings.