In this article we'll go over a few basic iptables changes you can apply quickly to get a CentOS server up and running with the services it needs reachable.
First of all, there are two ways to edit the rule set. One is to run the /sbin/iptables binary to add rules to the running kernel tables one line at a time; the other is to edit the /etc/sysconfig/iptables file directly, which is the file the iptables service loads (through iptables-restore) at boot and on "service iptables restart".
The rule syntax is the same in both places: adding "THIS LINE" to /etc/sysconfig/iptables has the same effect as running "/sbin/iptables THIS LINE", with one difference worth keeping in mind. Rules added with the binary take effect immediately but are lost at reboot unless you run "service iptables save", which writes the live rules back into the file; rules added to the file take effect only when the service is restarted. Also keep in mind that iptables rules are evaluated in order: a packet is checked against the rules of a chain from top to bottom, and the first rule that matches and takes a decision (ACCEPT, DROP, REJECT) wins, so the third line is only reached by packets the first two did not decide on.
By default, when you install a CentOS system, iptables only allows incoming connections to port 22, for the obvious reason of not locking you out of SSH. If you change the SSH port, or run httpd, a mail server or any other service, the default rules will reject every other incoming connection. Outgoing connections are not filtered at all: the OUTPUT chain has an ACCEPT policy and no rules.
The default settings look pretty much like this. The port 22 rule is the one the installer puts in, which is why SSH works out of the box:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Let's say you install Apache (or equivalent) on your server. iptables will keep rejecting connections to ports 80 and 443. To make them reachable, we add ACCEPT rules for them to the INPUT chain above the final REJECT line; a rule placed after the REJECT is never reached. If you do this with /sbin/iptables instead of the file, remember that -A appends at the bottom of the chain, i.e. after the REJECT, so use -I INPUT with a rule number ("iptables -L INPUT --line-numbers" shows them) to insert above it.
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
Let's say you want to block a specific IP address on every port. Add a line like this, placing it above the ACCEPT rules for your open ports; otherwise a matching ACCEPT higher up in the chain lets that address in on that port:
-A INPUT -s 192.168.16.29 -j DROP
If you'd like to log the access attempts from this IP address, add the following just above the DROP line (LOG does not stop rule evaluation, so the packet goes on to be dropped by the next line):
-A INPUT -s 192.168.16.29 -m limit --limit 2/min -j LOG --log-prefix "STAY AWAY! "
This line logs attempts from 192.168.16.29 to the kernel log (/var/log/messages on CentOS) but rate-limits them: the limit match allows an average of two log entries per minute, with an initial burst of five (the default --limit-burst), so a flood from that address cannot fill your disk with log lines. The limit applies to the rule as a whole, not per connection. The "STAY AWAY! " prefix appears at the start of each entry so you can easily grep the relevant lines out of the log; the trailing space keeps it from running into the IN= field that follows, and a prefix can be at most 29 characters. Don't confuse this with a message: "STAY AWAY!" is NOT sent to the blocked IP, it only goes into your log.
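As an added example (not code from the original article): a small shell script that summarises what the LOG rule above produces, so you can see per destination port what the blocked address was probing. The log lines in SAMPLE_LOG are constructed to match the format netfilter's LOG target writes; the host name, MAC addresses and destination address are made up, and the last line is an unrelated kernel message that the functions must ignore.

```shell
#!/bin/bash
# Added example, not part of the original article: summarise the entries the
# LOG rule writes for a blocked address. SAMPLE_LOG is constructed data in the
# format netfilter's LOG target emits (host, MAC and destination are made up);
# the last line is an unrelated kernel message that must be ignored.
SAMPLE_LOG='Mar 10 12:00:01 web1 kernel: STAY AWAY! IN=eth0 OUT= MAC=00:16:3e:0a:0b:0c:00:50:56:01:02:03:08:00 SRC=192.168.16.29 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:07 web1 kernel: STAY AWAY! IN=eth0 OUT= MAC=00:16:3e:0a:0b:0c:00:50:56:01:02:03:08:00 SRC=192.168.16.29 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:09 web1 kernel: STAY AWAY! IN=eth0 OUT= MAC=00:16:3e:0a:0b:0c:00:50:56:01:02:03:08:00 SRC=192.168.16.29 DST=10.0.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=12347 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Mar 10 12:00:11 web1 kernel: STAY AWAY! IN=eth0 OUT= MAC=00:16:3e:0a:0b:0c:00:50:56:01:02:03:08:00 SRC=192.168.16.29 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12348 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:01:30 web1 kernel: eth0: link up, 1000Mbps, full-duplex'

# count_hits FILE [PREFIX]: number of log entries carrying PREFIX
# (default "STAY AWAY!", the prefix used by the LOG rule in the article).
count_hits() {
    grep -c -F -- "${2:-STAY AWAY!}" "$1"
}

# hit_summary FILE [PREFIX]: one line per "SRC PROTO DPT" combination seen
# behind PREFIX, followed by how many times it occurred, sorted. ICMP entries
# carry no DPT field, so their port column shows "-".
hit_summary() {
    grep -F -- "${2:-STAY AWAY!}" "$1" | awk '
        {
            src = ""; proto = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            hits[src " " proto " " dpt]++
        }
        END { for (k in hits) print k, hits[k] }' | sort
}

# Demo: write the constructed sample to a temporary file and summarise it.
# On a real server point the functions at /var/log/messages instead.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
echo "entries: $(count_hits "$tmp")"
hit_summary "$tmp"
rm -f "$tmp"
```

Because the LOG rule is rate-limited, these counts are a lower bound on what the address actually sent; they tell you which ports it went for, not how hard.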
At the end our iptables file will look like this. Note the order: the LOG and DROP lines for 192.168.16.29 come before every port ACCEPT rule, including the one for port 22, so the blocked address cannot reach any service, and the REJECT stays last. One caveat: the ESTABLISHED,RELATED rule at the top still matches packets of a connection that address already had open when the rules were loaded, so if such sessions must be cut off too, move the two lines above it.
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.16.29 -m limit --limit 2/min -j LOG --log-prefix "STAY AWAY! "
-A INPUT -s 192.168.16.29 -j DROP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
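As an added example (not code from the original article): a shell script that builds the whole file from a list of ports to open and a list of addresses to block, so the first-match ordering is enforced by the script rather than by hand, plus a check that catches the classic mistake of a DROP placed below an ACCEPT. The port list, the blocked address and the temporary file used in the demo are constructed for the demonstration.

```shell
#!/bin/bash
# Added example, not part of the original article: generate a complete
# /etc/sysconfig/iptables file from a port list and a block list, and check
# that the rules are in the order first-match evaluation requires. The demo
# inputs at the bottom (ports, blocked address) are constructed.

# gen_rules "PORTS" "BLOCKED": print a ruleset in iptables-save format.
#   PORTS   - space-separated TCP ports that accept NEW connections
#   BLOCKED - space-separated source addresses (or CIDR ranges) to log and drop
gen_rules() {
    local ports="$1" blocked="$2" p ip
    cat <<'EOF'
# Generated ruleset (same layout as the CentOS default file)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
EOF
    # Blocked addresses go before every per-port ACCEPT: evaluation stops at the
    # first matching terminal rule, so an ACCEPT above the DROP would let the
    # address in on that port. Move this loop above the ESTABLISHED,RELATED
    # line if connections the address already has open must die as well.
    for ip in $blocked; do
        printf '%s\n' "-A INPUT -s $ip -m limit --limit 2/min -j LOG --log-prefix \"STAY AWAY! \""
        printf '%s\n' "-A INPUT -s $ip -j DROP"
    done
    for p in $ports; do
        printf '%s\n' "-A INPUT -m state --state NEW -p tcp --dport $p -j ACCEPT"
    done
    # The catch-all REJECT stays last; anything appended after it is never reached.
    cat <<'EOF'
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# check_order FILE: return 0 if every per-address DROP precedes the first
# per-port ACCEPT and the catch-all REJECT is the last INPUT rule, else 1.
check_order() {
    local file="$1" last_drop first_accept last_input reject
    last_drop=$(grep -n -- '-A INPUT -s .* -j DROP' "$file" | tail -n 1 | cut -d: -f1)
    first_accept=$(grep -n -- '--dport .* -j ACCEPT' "$file" | head -n 1 | cut -d: -f1)
    last_input=$(grep -n -- '^-A INPUT ' "$file" | tail -n 1 | cut -d: -f1)
    reject=$(grep -n -- '-A INPUT -j REJECT' "$file" | head -n 1 | cut -d: -f1)
    [ -n "$last_drop" ] && [ -n "$first_accept" ] && [ "$last_drop" -lt "$first_accept" ] || return 1
    [ -n "$reject" ] && [ "$reject" -eq "$last_input" ] || return 1
    return 0
}

# Demo: SSH, HTTP and HTTPS open, one address blocked, then verify the order.
# Load the result with "iptables-restore < FILE", or install it as
# /etc/sysconfig/iptables and restart the iptables service.
out=$(mktemp)
gen_rules "22 80 443" "192.168.16.29" > "$out"
cat "$out"
check_order "$out" && echo "ordering OK" || echo "ordering BROKEN"
rm -f "$out"
```

After loading, "iptables -S INPUT" prints the live chain in evaluation order, which is the quickest way to confirm the file and the kernel agree.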
You used:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
but after this line you need to add the following string too:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Because you allowed NEW connections and my rule adds ESTABLISHED,RELATED 😉
PS: my Unix/Linux blog:
http://linux-notes.org/