This brief tutorial is going to show you how to set up or configure a simple yet effective set of firewall rules for your systems. These rules apply to Linux systems using the iptables firewall. iptables is a simple firewall installed on most Linux systems by default. It’s used to allow or deny network communications in or out of a system.
The way iptables or any firewall works is simple: one rule per line. When a connection is opened to the system, iptables (or whatever firewall is in place) checks its rules from top to bottom, and the first rule the traffic matches is applied, so the order of the rules matters. If traffic doesn’t match any rule, most firewalls deny it by default; in iptables this is decided by the chain’s default policy, which is set with -P below.
Basics
- Iptables rules can be changed on the fly by using the iptables binary.
- The rules that are set using the iptables command are in memory only and will vanish when the daemon is restarted.
- The firewall rules added on the fly can be saved to the configuration file easily in CentOS/RHEL with the command service iptables save.
- There is no need to edit the configuration file unless you really want to.
- You can completely lock down all inbound, outbound and forwarded traffic if needed. It generally just causes a lot more administration and usually isn’t necessary.
Basic Commands
- iptables -F: delete all firewall rules from memory.
- iptables -L: list current firewall policies and rules.
- service iptables save (CentOS/RHEL): save the current rules in memory to the configuration file (/etc/sysconfig/iptables).
- service iptables restart: restart the iptables daemon and load the firewall rules from the configuration file.
- iptables-save > /root/firewallrules.fw: save the firewall rules in memory to a specific configuration file.
- iptables-restore < /root/firewallrules.fw: restore firewall rules from a specific configuration file to memory (note the input redirection, <, not >).
Backup Current Iptables Configuration to File
Before you begin, it is recommended to back up your current firewall rules so they can be restored if the new ruleset locks you out.
Example:
# iptables-save > /home/user1/iptable-rules-20130308.fw
Remove All Current Rules
# iptables -F
Set Policy Chains Default Rule
# iptables -P INPUT DROP
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT
Allow Loopback
# iptables -A INPUT -i lo -j ACCEPT
Allow All Established and Related Connections
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Allow ICMP “ping” from LAN (ICMP echo-request, not a TCP port)
# iptables -A INPUT -p icmp -s 192.168.0.0/24 --icmp-type echo-request -j ACCEPT
Allow SSH from LAN (TCP Port 22)
# iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
Allow RSYNC from LAN (TCP Port 873)
# iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
Allow HTTP (TCP Port 80)
# iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
Allow HTTPS (TCP Port 443)
# iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
Allow MySQL Server Access from LAN (TCP Port 3306)
# iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
Allow Nagios NRPE Client Access from Nagios Server (TCP Port 5666)
# iptables -A INPUT -s 192.168.0.100 -p tcp -m tcp --dport 5666 -m state --state NEW,ESTABLISHED -j ACCEPT
Save Current Rules in Memory to Configuration File
# service iptables save
Restart Service
# service iptables restart
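The steps above, gathered into one file in the format that service iptables save writes to /etc/sysconfig/iptables and that iptables-restore reads, with a guard that refuses to apply an INPUT DROP ruleset missing the loopback, ESTABLISHED and SSH rules (the classic remote lockout). This is an added example, not part of the original tutorial; it assumes the tutorial’s LAN 192.168.0.0/24 and Nagios server 192.168.0.100, and the output path is a placeholder.

```shell
#!/bin/sh
# Added example: build the tutorial's ruleset as one iptables-restore file
# and sanity-check it before loading. LAN and NAGIOS are taken from the
# tutorial; /root/firewallrules.fw is a placeholder path.
LAN=192.168.0.0/24
NAGIOS=192.168.0.100

# Print the complete ruleset in iptables-save/iptables-restore format.
# Rule order is preserved: first match wins, so lo and ESTABLISHED come first.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $LAN -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -s $LAN -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s $LAN -p tcp --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s $LAN -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s $NAGIOS -p tcp --dport 5666 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Lockout guard for a ruleset read from stdin: with an INPUT DROP policy,
# missing loopback, ESTABLISHED or SSH accept rules breaks local services or
# your own remote session. Returns 0 if safe to apply, 1 otherwise.
check_rules() {
    rules=$(cat)
    # Without a DROP policy on INPUT there is nothing to guard against.
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 0
    printf '%s\n' "$rules" | grep -q -- '-A INPUT -i lo -j ACCEPT' || return 1
    printf '%s\n' "$rules" | grep -q -- '--state ESTABLISHED,RELATED -j ACCEPT' || return 1
    printf '%s\n' "$rules" | grep -q -- '--dport 22 .*-j ACCEPT' || return 1
    return 0
}

# Usage as root: write the file, check it, then load it atomically.
# gen_rules > /root/firewallrules.fw \
#   && check_rules < /root/firewallrules.fw \
#   && iptables-restore < /root/firewallrules.fw
```

Because iptables-restore loads the whole table in one step, the file replaces the rule-by-rule iptables -A sequence and leaves no window where only part of the ruleset is active.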
Restore Iptables Rules from Backup File
If you made a backup file, or are pulling a copy of the rules from another system, and wish to restore or replace the current rules, use the following command.
# iptables-restore < /path/to/somewhere/filename
Example:
# iptables-restore < /home/user1/iptable-rules-20130308.fw
Restart Service
# service iptables restart