Iptables is a widely used firewall package in Linux, renowned for its packet filtering capabilities. It’s a powerful tool that allows you to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Iptables interfaces with the Linux netfilter module to perform network packet filtering. This tutorial will guide you through the process of installing and configuring Iptables on CentOS 5.
Step 1: Installing Iptables
The first step in setting up Iptables is to install it. You can install Iptables without a graphical user interface (GUI) by running the following command:
[root@server ~]# yum install iptables
If you prefer to use a GUI, you can install Iptables with a GUI by running the command below:
[root@server ~]# yum install system-config-securitylevel-tui iptstate firstboot-tui iptables
This command will install several packages, including firstboot-tui, iptables, iptstate, and system-config-securitylevel-tui. You may also see a dependency for iptables-ipv6 being installed.
Example:
[root@server ~]# yum install system-config-securitylevel-tui iptstate firstboot-tui iptables
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * addons: centos.maulvi.net
 * base: mirror.averse.net
 * epel: ftp.cuhk.edu.hk
 * extras: mirror.averse.net
 * updates: mirror.averse.net
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package firstboot-tui.i386 0:1.4.27.8-1.el5.centos set to be updated
---> Package iptables.i386 0:1.3.5-5.3.el5_4.1 set to be updated
---> Package iptstate.i386 0:1.4-2.el5 set to be updated
---> Package system-config-securitylevel-tui.i386 0:1.6.29.1-6.el5 set to be updated
--> Processing Dependency: iptables-ipv6 for package: system-config-securitylevel-tui
--> Running transaction check
---> Package iptables-ipv6.i386 0:1.3.5-5.3.el5_4.1 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================
 Package                          Arch   Version                  Repository   Size
=============================================================================================
Installing:
 firstboot-tui                    i386   1.4.27.8-1.el5.centos    base        189 k
 iptables                         i386   1.3.5-5.3.el5_4.1        base        233 k
 iptstate                         i386   1.4-2.el5                base         27 k
 system-config-securitylevel-tui  i386   1.6.29.1-6.el5           base        254 k
Installing for dependencies:
 iptables-ipv6                    i386   1.3.5-5.3.el5_4.1        base        161 k

Transaction Summary
=============================================================================================
Install      5 Package(s)
Upgrade      0 Package(s)

Total download size: 864 k
Is this ok [y/N]: y
Downloading Packages:
(1/5): iptstate-1.4-2.el5.i386.rpm                              |  27 kB     00:00
(2/5): iptables-ipv6-1.3.5-5.3.el5_4.1.i386.rpm                 | 161 kB     00:01
(3/5): firstboot-tui-1.4.27.8-1.el5.centos.i386.rpm             | 189 kB     00:03
(4/5): iptables-1.3.5-5.3.el5_4.1.i386.rpm                      | 233 kB     00:03
(5/5): system-config-securitylevel-tui-1.6.29.1-6.el5.i386.rpm  | 254 kB     00:04
---------------------------------------------------------------------------------------------
Total                                                    60 kB/s | 864 kB     00:14
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : iptables                                                    1/5
  Installing     : iptables-ipv6                                               2/5
  Installing     : system-config-securitylevel-tui                             3/5
  Installing     : iptstate                                                    4/5
  Installing     : firstboot-tui                                               5/5

Installed:
  firstboot-tui.i386 0:1.4.27.8-1.el5.centos   iptables.i386 0:1.3.5-5.3.el5_4.1
  iptstate.i386 0:1.4-2.el5                    system-config-securitylevel-tui.i386 0:1.6.29.1-6.el5

Dependency Installed:
  iptables-ipv6.i386 0:1.3.5-5.3.el5_4.1

Complete!
Default Iptables rules (contents of /etc/sysconfig/iptables after installation):
[root@server ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Step 2: Displaying Default Iptables Rules
Once Iptables is installed, you can display the default rules by running the following command:
[root@server ~]# cat /etc/sysconfig/iptables
This command will display the current configuration of your Iptables firewall.
Step 3: Starting, Stopping, and Restarting Iptables
You can start, stop, and restart Iptables using the following commands:
[root@server ~]# service iptables start
[root@server ~]# service iptables stop
[root@server ~]# service iptables restart
To configure Iptables to start at boot, use the chkconfig command:
[root@server ~]# chkconfig iptables on
You can check the status of Iptables to see if it is running or not with the command below:
[root@server ~]# service iptables status
Step 4: Viewing the Iptables Manual
You can view the Iptables manual by running the following command:
[root@server ~]# man iptables
This command will display the manual for Iptables, providing you with detailed information about its usage and options.
Step 5: Configuring Iptables to Allow Certain Ports/Programs
You can configure Iptables to allow certain ports or programs to pass through the firewall. For example, you might want to allow the following:
- 22 for SSH
- 80 for web service
- 443 for SSL web service
- 25 for Sendmail or Postfix
- 3306 for MySQL service
- 10000 for Webmin service
You can do this by adding the following lines to your Iptables configuration. Place them inside the RH-Firewall-1-INPUT chain above the final REJECT rule: iptables takes the first matching rule, so an ACCEPT written after the REJECT would never be reached.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT
After adding these lines, your new Iptables configuration should look like this:
[root@server ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
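The following script is an added example, not part of the original tutorial. It performs the Step 5 edit on a copy of /etc/sysconfig/iptables, inserting each new ACCEPT rule immediately above the REJECT rule in RH-Firewall-1-INPUT, and then audits the file: it lists the TCP ports that will really be reachable and flags any ACCEPT rule that ended up below the REJECT (a common mistake when lines are appended to the end of the file). It also shows how to limit a rule to a source network with -s, which is the form you want for services like MySQL (3306) or Webmin (10000) that should not answer to the whole Internet. The function names, the 10.0.0.0/8 network and the trimmed sample file are my own assumptions; nothing here touches the running firewall.

```shell
#!/bin/sh
# Added example (not from the tutorial): rewrite a copy of /etc/sysconfig/iptables
# so that new ACCEPT rules land above the final REJECT in RH-Firewall-1-INPUT,
# then audit the result. iptables evaluates a chain top to bottom and stops at the
# first match, so an ACCEPT below the catch-all REJECT never fires. Only the file
# you pass in is modified; run it on a scratch copy. Function names are my own.

# add_ports FILE SRC PORT [PORT...]
#   SRC is "any" or a source network such as 10.0.0.0/8 (assumed value); a source
#   restriction is appropriate for admin and database ports.
add_ports() {
    file=$1; src=$2; shift 2
    srcm=""
    if [ "$src" != "any" ]; then srcm="-s $src "; fi
    tmp="$file.tmp"
    awk -v ports="$*" -v srcm="$srcm" '
        # emit the new rules just before the REJECT line, then the REJECT itself
        /^-A RH-Firewall-1-INPUT -j REJECT/ {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++)
                printf "-A RH-Firewall-1-INPUT %s-m state --state NEW -m tcp -p tcp --dport %s -j ACCEPT\n", srcm, p[i]
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# reachable_tcp_ports FILE
#   Print the TCP destination ports whose ACCEPT rule sits before the REJECT,
#   i.e. the ports that will really be open after "service iptables restart".
reachable_tcp_ports() {
    awk '
        /^-A RH-Firewall-1-INPUT -j REJECT/ { exit }
        /^-A RH-Firewall-1-INPUT / && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }
    ' "$1"
}

# dead_rules FILE
#   Print ACCEPT rules written after the REJECT; they can never match and
#   usually mean someone appended to the end of the file.
dead_rules() {
    awk '
        seen && /-j ACCEPT/ { print }
        /^-A RH-Firewall-1-INPUT -j REJECT/ { seen = 1 }
    ' "$1"
}

# Walk-through on a constructed, trimmed copy of the CentOS 5 default file.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    add_ports "$f" any 22 80 443          # public services, any source
    add_ports "$f" 10.0.0.0/8 3306 10000  # database and Webmin: internal net only (assumed)
    echo "reachable TCP ports: $(reachable_tcp_ports "$f" | tr '\n' ' ')"
    echo "dead ACCEPT rules: $(dead_rules "$f" | wc -l)"
    rm -f "$f"
}

demo
```

After editing the real file this way, the tutorial's `service iptables restart` loads it, and `service iptables status` should list the same ports the audit printed. If the two disagree, look for rules below the REJECT or outside the `*filter` ... `COMMIT` block.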
Step 6: Checking the Status of Iptables
You can check the status of Iptables to see which ports are currently open by running the following command:
[root@server ~]# service iptables status
This command will display the current status of your Iptables firewall, including which ports are open.
Example:
[root@server ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target               prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target               prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target               prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
num  target               prot opt source               destination
1    ACCEPT               all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT               icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT               esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT               ah   --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT               udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
6    ACCEPT               udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
7    ACCEPT               tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
8    ACCEPT               all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
9    ACCEPT               tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
10   ACCEPT               tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
11   ACCEPT               tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
12   ACCEPT               tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
13   ACCEPT               tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306
14   ACCEPT               tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10000
15   REJECT               all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Commands Mentioned
- yum install iptables – Installs Iptables without a GUI.
- yum install system-config-securitylevel-tui iptstate firstboot-tui iptables – Installs Iptables with a GUI.
- cat /etc/sysconfig/iptables – Displays the current Iptables configuration.
- service iptables start/stop/restart – Starts, stops, or restarts Iptables.
- chkconfig iptables on – Configures Iptables to start at boot.
- service iptables status – Checks the status of Iptables.
- man iptables – Displays the Iptables manual.
Conclusion
Iptables is a powerful tool for managing packet filtering and firewall settings in Linux. By following this tutorial, you should now be able to install and configure Iptables on CentOS 5, understand how to view and modify the default Iptables rules, and know how to start, stop, and restart Iptables.
Remember, it’s crucial to configure your firewall settings correctly to ensure the security of your server. For more information on server hosting, you can visit our pages on dedicated server, VPS server, cloud hosting, and shared hosting.
If you have any questions or need further clarification, feel free to refer to the FAQ section or leave a comment. Happy hosting!
FAQ
- What is Iptables in Linux?
  Iptables is a popular packet filtering firewall package in Linux. It allows you to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel.
- How do I install Iptables on CentOS 5?
  You can install Iptables on CentOS 5 by running the command ‘yum install iptables’ for a non-GUI installation, or ‘yum install system-config-securitylevel-tui iptstate firstboot-tui iptables’ for a GUI installation.
- How do I view the default Iptables rules?
  You can view the default Iptables rules by running the command ‘cat /etc/sysconfig/iptables’.
- How do I start, stop, and restart Iptables?
  You can start, stop, and restart Iptables by running the commands ‘service iptables start’, ‘service iptables stop’, and ‘service iptables restart’ respectively.
- How do I check the status of Iptables?
  You can check the status of Iptables by running the command ‘service iptables status’. This command will display the current status of your Iptables firewall, including which ports are open.