How to Install and Configure Linux Iptables Firewall in CentOS 5

Iptables is the most popular packet filtering firewall package in linux. It can be used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Iptables interfaces to the Linux netfilter module to perform filtering of network packets.

Steps:

Install the iptables wihthout gui.

[root@server ~]# yum install iptables

Install the iptables with Gui by run below command.

[root@server ~]# yum install system-config-securitylevel-tui iptstate firstboot-tui iptables
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * addons: centos.maulvi.net
 * base: mirror.averse.net
 * epel: ftp.cuhk.edu.hk
 * extras: mirror.averse.net
 * updates: mirror.averse.net
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package firstboot-tui.i386 0:1.4.27.8-1.el5.centos set to be updated
---> Package iptables.i386 0:1.3.5-5.3.el5_4.1 set to be updated
---> Package iptstate.i386 0:1.4-2.el5 set to be updated
---> Package system-config-securitylevel-tui.i386 0:1.6.29.1-6.el5 set to be updated
--> Processing Dependency: iptables-ipv6 for package: system-config-securitylevel-tui
--> Running transaction check
---> Package iptables-ipv6.i386 0:1.3.5-5.3.el5_4.1 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================
 Package                              Arch      Version                      Repository
                                                                                        Size
=============================================================================================
Installing:
 firstboot-tui                        i386      1.4.27.8-1.el5.centos        base      189 k
 iptables                             i386      1.3.5-5.3.el5_4.1            base      233 k
 iptstate                             i386      1.4-2.el5                    base       27 k
 system-config-securitylevel-tui      i386      1.6.29.1-6.el5               base      254 k
Installing for dependencies:
 iptables-ipv6                        i386      1.3.5-5.3.el5_4.1            base      161 k

Transaction Summary
=============================================================================================
Install       5 Package(s)
Upgrade       0 Package(s)

Total download size: 864 k
Is this ok [y/N]: y
Downloading Packages:
(1/5): iptstate-1.4-2.el5.i386.rpm                                    |  27 kB     00:00
(2/5): iptables-ipv6-1.3.5-5.3.el5_4.1.i386.rpm                       | 161 kB     00:01
(3/5): firstboot-tui-1.4.27.8-1.el5.centos.i386.rpm                   | 189 kB     00:03
(4/5): iptables-1.3.5-5.3.el5_4.1.i386.rpm                            | 233 kB     00:03
(5/5): system-config-securitylevel-tui-1.6.29.1-6.el5.i386.rpm        | 254 kB     00:04
---------------------------------------------------------------------------------------------
Total                                                         60 kB/s | 864 kB     00:14
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : iptables                                                              1/5
  Installing     : iptables-ipv6                                                         2/5
  Installing     : system-config-securitylevel-tui                                       3/5
  Installing     : iptstate                                                              4/5
  Installing     : firstboot-tui                                                         5/5

Installed:
  firstboot-tui.i386 0:1.4.27.8-1.el5.centos
  iptables.i386 0:1.3.5-5.3.el5_4.1
  iptstate.i386 0:1.4-2.el5
  system-config-securitylevel-tui.i386 0:1.6.29.1-6.el5

Dependency Installed:
  iptables-ipv6.i386 0:1.3.5-5.3.el5_4.1

Complete!

Display Default Iptables rules:

[root@server ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

To start, stop, and restart iptables, you can run below commands:

[root@server ~]# service iptables start
[root@server ~]# service iptables stop
[root@server ~]# service iptables restart

To get iptables configured to start at boot, use the chkconfig command:

[root@server ~]# chkconfig iptables on

Check the iptables status whether iptables is running or not with the below command:

[root@server ~]# service iptables status
Firewall is stopped.

You can view the iptables manual by run below command:

[root@server ~]# man iptables

Add below line to enable certain port/programs to pass through firewall such as:
22 = SSH
80 = Web service
443 = SSL Web service
25 = Sendmail or postfix
3306 = MySQL service
10000 = Webmin service

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT

New configuration of the iptables should be like this.

[root@server ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

You can view the iptables status by run the below command to see which port are currently open.

[root@server ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
13   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306
14   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10000
15   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

How to Reset the Directory Manager Password on RHEL 7 / CentOS 7
How to Reset the Directory Manager Password on RHEL 7 / CentOS 7

It is best practice to remember passwords, but because too many passwords, sometimes we forget. We are not encouraged to write the password on any paper or share the password...

How to Find Big Files Size on Linux RHEL/CentOS
How to Find Big Files Size on Linux RHEL/CentOS

As the linux administrator, sometimes we have to identify which files are most take much space in the linux server resulting in low free space. Low disk space can also...

Why Linux users should worry about malware and what they can do about it
Why Linux users should worry about malware and what they can do about it

Don’t drop your guard just because you’re running Linux. Preventing the spread of malware and/or dealing with the consequences of infection are a fact of life when using computers. If...

How to Reset Forgotten Root Password on Linux RHEL 7 / CentOS 7
How to Reset Forgotten Root Password on Linux RHEL 7 / CentOS 7

This short howto will explain the steps to reset a lost root password or to reset a forgotten root password on Linux RHEL 7 or CentOS 7. Basically, we will...

How to Update CentOS or Upgrade CentOS to the Latest Version
How to Update CentOS or Upgrade CentOS to the Latest Version

Recently, the latest version of CentOS 7.3 was released. All users of CentOS 7.0, 7.1 and 7.2 can upgrade their system to the most recent. This quick guide will explain...

How to Change your WordPress Username, Nickname and Display Name in MySQL
How to Change your WordPress Username, Nickname and Display Name in MySQL

After you create an account log in WordPress, you may want to change your WordPress username, as appropriate or due to security reason. However, you can not do this from...

How to Enable SSH Root Login on Ubuntu 16.04
How to Enable SSH Root Login on Ubuntu 16.04

As what we wrote in the previous article on how to allow SSH root on Ubuntu 14.04, after installing a fresh new copy of Ubuntu 16.04 LTS, we find that...

How to Change UUID of Linux Partition on CentOS 7
How to Change UUID of Linux Partition on CentOS 7

UUID (Universally Unique IDentifier) should be unique and it is used to identify storage devices on a linux system. If you cloned a virtual machine from vCenter, the metadata containing...

1 Trackback or Pingback

Leave a Reply

Your email address will not be published. Required fields are marked *