Iptables is the most popular packet filtering firewall package on Linux. It is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel, and it interfaces with the kernel's netfilter framework to do the actual filtering of network packets. In this post, I will show how to install, configure and use the Iptables firewall on a CentOS 6.2 server:
1. Check the installed iptables packages:
[root@centos62 ~]# rpm -qa | grep iptables
iptables-1.4.7-4.el6.i686
iptables-ipv6-1.4.7-4.el6.i686
2. Check the Iptables version:
[root@centos62 ~]# iptables --version
iptables v1.4.7
3. If Iptables is not installed, run this command to install it:
[root@centos62 ~]# yum install iptables
4. Check whether Iptables is running:
[root@centos62 ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
If Iptables is not running, the command returns this message:
[root@centos62 ~]# service iptables status
iptables: Firewall is not running.
5. Display the default Iptables rules:
[root@centos62 ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
6. To start, stop, and restart iptables, run the commands below:
[root@centos62 ~]# service iptables start
[root@centos62 ~]# service iptables stop
[root@centos62 ~]# service iptables restart
7. To make iptables start at boot:
[root@centos62 ~]# chkconfig iptables on
8. Display the currently open ports:
[root@centos62 ~]# netstat -plunt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1102/sshd
tcp        0      0 :::22                       :::*                        LISTEN      1102/sshd
Note: Only the SSH port has been opened on this server, and the listening port is 22.
9. Add lines to allow certain ports/programs through the firewall, for example:
80 = Web service / httpd service
3306 = MySQL service / mysqld service
10. View and modify the original Iptables configuration file:
[root@centos62 ~]# vi /etc/sysconfig/iptables
Original Iptables configuration file:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
11. Modify the Iptables configuration file as below, adding port 80 and port 3306:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
12. Start the httpd and mysqld daemons:
[root@centos62 ~]# service httpd start
[root@centos62 ~]# service mysqld start
13. Print the updated open ports:
[root@centos62 ~]# netstat -plunt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1102/sshd
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      2482/mysqld
tcp        0      0 :::80                       :::*                        LISTEN      2345/httpd
tcp        0      0 :::22                       :::*                        LISTEN      1102/sshd