How to Install, Configure and Use Linux Iptables Firewall on CentOS 6.2

Iptables is the most popular packet filtering firewall package in linux. It can be used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Iptables interfaces to the Linux netfilter module to perform filtering of network packets. In this post, i will show on how to install, configure and use Iptables Firewall on CentOS 6.2 server :

1. Check iptables installed package :

[root@centos62 ~]# rpm -qa | grep iptables
iptables-1.4.7-4.el6.i686
iptables-ipv6-1.4.7-4.el6.i686

2. Check Iptables version :

[root@centos62 ~]# iptables --version
iptables v1.4.7

3. If Iptables not installed, simply run this command to install :

[root@centos62 ~]# yum install iptables

4. Check Iptables status whether up or not :

[root@centos62 ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

If Iptables not running, it will return this message :

[root@centos62 ~]# service iptables status
iptables: Firewall is not running.

5. Display Default Iptables rules:

[root@centos62 ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

6. To start, stop, and restart iptables, you can run below commands :

[root@centos62 ~]# service iptables start
[root@centos62 ~]# service iptables stop
[root@centos62 ~]# service iptables restart

7. To set iptables start at boot :

[root@centos62 ~]# chkconfig iptables on

8. Display current opened port :

[root@centos62 ~]# netstat -plunt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1102/sshd   
tcp        0      0 :::22                       :::*                        LISTEN      1102/sshd

Note : Only ssh port has been opened on this server and listening port is 22.

9. Add below line to enable certain port/programs to pass through firewall such as:

80 = Web service / httpd service
3306 = MySQL service / mysqld service

10. View and modify original Iptables configuration file :

[root@centos62 ~]# vi /etc/sysconfig/iptables

Original Iptables configuration file

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

11. Modify the Iptables configuration file as below. Add port “80” and port ” 3306″ :

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

12. Start httpd and mysqld daemon service :

[root@centos62 ~]# service httpd start
[root@centos62 ~]# service mysqld start

13. Print updated opened port :

[root@centos62 ~]# netstat -plunt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1102/sshd   
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      2482/mysqld 
tcp        0      0 :::80                       :::*                        LISTEN      2345/httpd  
tcp        0      0 :::22                       :::*                        LISTEN      1102/sshd

Related

Recent

Meta

Comments (0)