iptables is the most widely used packet-filtering firewall tool on Linux. It is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. iptables is the user-space front end to the kernel's netfilter framework, which performs the actual filtering of network packets.
Steps:
Install iptables without a GUI:
[root@server ~]# yum install iptables
Install iptables together with its GUI front end by running the command below:
[root@server ~]# yum install system-config-securitylevel-tui iptstate firstboot-tui iptables
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* addons: centos.maulvi.net
* base: mirror.averse.net
* epel: ftp.cuhk.edu.hk
* extras: mirror.averse.net
* updates: mirror.averse.net
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package firstboot-tui.i386 0:1.4.27.8-1.el5.centos set to be updated
---> Package iptables.i386 0:1.3.5-5.3.el5_4.1 set to be updated
---> Package iptstate.i386 0:1.4-2.el5 set to be updated
---> Package system-config-securitylevel-tui.i386 0:1.6.29.1-6.el5 set to be updated
--> Processing Dependency: iptables-ipv6 for package: system-config-securitylevel-tui
--> Running transaction check
---> Package iptables-ipv6.i386 0:1.3.5-5.3.el5_4.1 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
=============================================================================================
Package Arch Version Repository Size
=============================================================================================
Installing:
firstboot-tui i386 1.4.27.8-1.el5.centos base 189 k
iptables i386 1.3.5-5.3.el5_4.1 base 233 k
iptstate i386 1.4-2.el5 base 27 k
system-config-securitylevel-tui i386 1.6.29.1-6.el5 base 254 k
Installing for dependencies:
iptables-ipv6 i386 1.3.5-5.3.el5_4.1 base 161 k
Transaction Summary
=============================================================================================
Install 5 Package(s)
Upgrade 0 Package(s)
Total download size: 864 k
Is this ok [y/N]: y
Downloading Packages:
(1/5): iptstate-1.4-2.el5.i386.rpm | 27 kB 00:00
(2/5): iptables-ipv6-1.3.5-5.3.el5_4.1.i386.rpm | 161 kB 00:01
(3/5): firstboot-tui-1.4.27.8-1.el5.centos.i386.rpm | 189 kB 00:03
(4/5): iptables-1.3.5-5.3.el5_4.1.i386.rpm | 233 kB 00:03
(5/5): system-config-securitylevel-tui-1.6.29.1-6.el5.i386.rpm | 254 kB 00:04
---------------------------------------------------------------------------------------------
Total 60 kB/s | 864 kB 00:14
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : iptables 1/5
Installing : iptables-ipv6 2/5
Installing : system-config-securitylevel-tui 3/5
Installing : iptstate 4/5
Installing : firstboot-tui 5/5
Installed:
firstboot-tui.i386 0:1.4.27.8-1.el5.centos
iptables.i386 0:1.3.5-5.3.el5_4.1
iptstate.i386 0:1.4-2.el5
system-config-securitylevel-tui.i386 0:1.6.29.1-6.el5
Dependency Installed:
iptables-ipv6.i386 0:1.3.5-5.3.el5_4.1
Complete!
Display the default iptables rules:
[root@server ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
To start, stop, and restart iptables, run the commands below:
[root@server ~]# service iptables start
[root@server ~]# service iptables stop
[root@server ~]# service iptables restart
To configure iptables to start at boot, use the chkconfig command:
[root@server ~]# chkconfig iptables on
Check whether iptables is running with the command below:
[root@server ~]# service iptables status
Firewall is stopped.
You can view the iptables manual page by running:
[root@server ~]# man iptables
Add lines like the ones below to allow specific ports or services through the firewall. Put them in /etc/sysconfig/iptables before the final REJECT rule of the RH-Firewall-1-INPUT chain; a rule placed after the REJECT is never reached. Ports used in this example:
22 = SSH
80 = Web service (HTTP)
443 = SSL Web service (HTTPS)
25 = Sendmail or Postfix (SMTP)
3306 = MySQL service
10000 = Webmin service
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT
After adding those lines, /etc/sysconfig/iptables should look like this:
[root@server ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
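The steps above edit /etc/sysconfig/iptables by hand. The script below is an added example, not part of the original tutorial: it inserts the same "--state NEW ... --dport N -j ACCEPT" rules into a copy of the rules file, placing them just above the chain's final REJECT so they are actually evaluated, and then validates the result (file starts with *filter, ends with COMMIT, exactly one REJECT in RH-Firewall-1-INPUT, and no rule after it). The sample rules file is a constructed copy of the tutorial's default configuration written to a temp file; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): insert ACCEPT rules for TCP
# ports into a CentOS 5 style /etc/sysconfig/iptables before the chain's
# final REJECT rule, then validate the file. Works on a copy; the sample
# below is a constructed copy of the tutorial's default rules file.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# add_port_rules FILE PORT... : print FILE with one ACCEPT rule per TCP port
# inserted just above the first "-j REJECT" rule of RH-Firewall-1-INPUT.
# Ports that already have an ACCEPT rule are skipped, so re-running is safe.
add_port_rules() {
    file=$1; shift
    ports=""
    for p in "$@"; do
        grep -q -- "--dport $p -j ACCEPT" "$file" || ports="$ports $p"
    done
    awk -v ports="$ports" '
        BEGIN { n = split(ports, want, " ") }
        /^-A RH-Firewall-1-INPUT .*-j REJECT/ && !done {
            for (i = 1; i <= n; i++)
                printf "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport %s -j ACCEPT\n", want[i]
            done = 1
        }
        { print }
    ' "$file"
}

# check_rules FILE : exit 0 when the file starts with *filter, ends with
# COMMIT, has exactly one REJECT in RH-Firewall-1-INPUT, and no rule of that
# chain comes after the REJECT (such a rule would never be reached).
check_rules() {
    awk '
        NR == 1 && $0 != "*filter" { bad = 1 }
        /^-A RH-Firewall-1-INPUT / {
            if (/-j REJECT/) reject++
            else if (reject) bad = 1
        }
        { last = $0 }
        END { if (bad || reject != 1 || last != "COMMIT") exit 1; exit 0 }
    ' "$1"
}

# open_ports FILE : space-separated TCP ports accepted for NEW connections.
open_ports() {
    awk '/^-A RH-Firewall-1-INPUT .*--state NEW .*-j ACCEPT/ {
        for (i = 1; i <= NF; i++)
            if ($i == "--dport") out = out (out != "" ? " " : "") $(i + 1)
    } END { print out }' "$1"
}

# Demo: open SSH, HTTP and HTTPS in a copy of the sample file and validate it.
NEW_RULES=$(mktemp)
add_port_rules "$SAMPLE" 22 80 443 > "$NEW_RULES"
check_rules "$NEW_RULES" && echo "rules file ok; NEW tcp ports: $(open_ports "$NEW_RULES")"
```

To apply a generated file on a real CentOS 5 host, copy it over /etc/sysconfig/iptables and run service iptables restart as the tutorial shows; check_rules is a cheap way to catch the most common hand-editing mistakes (a rule pasted below the REJECT, or a missing COMMIT) before the restart.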
Run the command below to view the iptables status and see which ports are currently open:
[root@server ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
3 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
5 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
6 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
10 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
12 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
13 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306
14 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10000
15 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
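Reading the status listing by eye works for fifteen rules, but it is easy to miss that port 631 (the CUPS rule without a state match) is just as open to new connections as 22 or 80, or that a chain with no final REJECT falls back to the INPUT policy of ACCEPT. The script below is an added example, not part of the tutorial: it audits saved "service iptables status" output (the same format as iptables -L -n --line-numbers), lists the TCP ports any source may connect to, and checks that the INPUT path ends in a catch-all REJECT or DROP. The status text is a constructed copy of the tutorial's output; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit saved output of
# "service iptables status" / "iptables -L -n --line-numbers". Lists TCP
# ports open to new connections from any source and checks that INPUT ends
# in a catch-all REJECT/DROP instead of falling back to a policy of ACCEPT.
# The text below is a constructed copy of the tutorial's status output.
STATUS=$(mktemp)
cat > "$STATUS" <<'EOF'
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
3 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
5 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
6 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
10 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
12 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
13 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306
14 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10000
15 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
EOF

# chain_policy FILE CHAIN : built-in policy from the "Chain X (policy Y)" header.
chain_policy() {
    awk -v chain="$2" '/^Chain / && $2 == chain { p = $4; sub(/\)$/, "", p); print p }' "$1"
}

# last_rule FILE CHAIN : "TARGET PROTO SOURCE" of the chain's last numbered rule
# (empty when the chain is absent, e.g. when the firewall is stopped).
last_rule() {
    awk -v chain="$2" '
        /^Chain / { inchain = ($2 == chain); next }
        inchain && $1 ~ /^[0-9]+$/ { last = $2 " " $3 " " $5 }
        END { print last }' "$1"
}

# exposed_ports FILE : TCP ports any source may open a connection to, in rule
# order. Rules without a "state" match (the CUPS rule on 631) accept NEW
# connections too, so they are included.
exposed_ports() {
    awk '$2 == "ACCEPT" && $3 == "tcp" && $5 == "0.0.0.0/0" {
        for (i = 6; i <= NF; i++)
            if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); out = out (out != "" ? " " : "") $i }
    } END { print out }' "$1"
}

# default_deny FILE : succeed only when traffic matching no ACCEPT rule is
# refused: INPUT's policy is DROP, or the last rule reached via INPUT is an
# unconditional REJECT/DROP, directly or in the user chain INPUT jumps to
# (RH-Firewall-1-INPUT in the tutorial).
default_deny() {
    [ "$(chain_policy "$1" INPUT)" = DROP ] && return 0
    rule=$(last_rule "$1" INPUT)
    case "$rule" in
        "REJECT all 0.0.0.0/0"|"DROP all 0.0.0.0/0") return 0 ;;
    esac
    target=${rule%% *}    # first word: user chain name, or empty if no rules
    [ -n "$target" ] || return 1
    case "$(last_rule "$1" "$target")" in
        "REJECT all 0.0.0.0/0"|"DROP all 0.0.0.0/0") return 0 ;;
    esac
    return 1
}

echo "INPUT policy: $(chain_policy "$STATUS" INPUT)"
echo "ports open to new TCP connections: $(exposed_ports "$STATUS")"
if default_deny "$STATUS"; then echo "default deny: yes"; else echo "default deny: NO"; fi
```

On the tutorial's listing this reports 631 22 80 443 25 3306 10000 and "default deny: yes". Note that service iptables status (like iptables -L -n without -v) omits the interface columns, so the -i lo rule appears as a plain "ACCEPT all" line; an audit that needs interface or source restrictions should be run on iptables -L -n -v --line-numbers output instead.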