How to configure the iptables firewall in Linux


Both firewalld and iptables are common Linux firewalls. This tutorial is for iptables. The two services manage the same kernel rules and must not run at the same time, so if firewalld is enabled on your system, stop, mask, and disable firewalld so that it stays permanently disabled, even after a reboot.

[root@server1 ~]# systemctl stop firewalld
[root@server1 ~]# systemctl mask firewalld
[root@server1 ~]# systemctl disable firewalld
[root@server1 ~]# systemctl status firewalld

 

Use apt-get or yum to install iptables. On Debian/Ubuntu the package is called iptables; the iptables-services package, which provides the iptables systemd service and the /etc/sysconfig/iptables file used in the rest of this tutorial, is the RHEL/CentOS name.

[root@server1 ~]# apt-get install iptables
[root@server1 ~]# yum install iptables-services

 

Start and enable iptables, and ensure iptables is active and running.

[root@server1 ~]# systemctl start iptables
[root@server1 ~]# systemctl enable iptables
[root@server1 ~]# systemctl status iptables

 

The file that contains the configuration for iptables is located at /etc/sysconfig/iptables. The iptables service loads this file when it starts; rules entered with the iptables command take effect immediately but are not written to it until they are saved (see SAVE CHANGES below).

/etc/sysconfig/iptables

 


LISTING RULES

The iptables command with the -L or --list option can be used to display the rules. In this example, there are no rules. Each chain also shows its policy, the action taken for a packet that matches none of the chain's rules; here all three policies are ACCEPT.

[root@server1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target  prot  opt  source  destination

Chain FORWARD (policy ACCEPT)
target  prot  opt  source  destination

Chain OUTPUT (policy ACCEPT)
target  prot  opt  source  destination

 

  • INPUT = Packets addressed to the host
  • OUTPUT = Packets created by the host
  • FORWARD = Packets neither addressed to the host nor created by the host. FORWARD is used to forward or route a packet to its destination

 

In this example, there is one rule. The -v (verbose) option adds the packet and byte counters and the in/out interface columns, which identify that this rule is for the lo (loopback) interface.

[root@server1 ~]# iptables -L -v
Chain INPUT (policy ACCEPT)
pkts bytes target  prot  opt  in out source   destination
0    0     ACCEPT  all   --   lo any anywhere anywhere

Chain FORWARD (policy ACCEPT)
pkts bytes target  prot  opt  in out source   destination

Chain OUTPUT (policy ACCEPT)
pkts bytes target  prot  opt  in out source   destination

 


FLUSHING RULES

Some iptables installations come with rules already in place. The -F or --flush option removes every rule from every chain of the filter table. It leaves the chain policies unchanged, and because the change takes effect immediately, flush from the console rather than over a remote connection when a chain's policy is DROP.

[root@server1 ~]# iptables -F

 


ADDING RULES

The -A or --append option can be used to add a rule at the end of a chain. In this example, a rule is added to the end of the INPUT chain to accept input on the loopback interface.

[root@server1 ~]# iptables -A INPUT -i lo -j ACCEPT

 

The -I or --insert option can be used to add a rule at the beginning of a chain (given a rule number, for example -I INPUT 3, the rule is inserted at that position instead). In this example, a rule is added to the beginning of the INPUT chain to accept ICMP requests.

[root@server1 ~]# iptables -I INPUT -p icmp -j ACCEPT

 


DROP

The end of the INPUT and FORWARD chains should have a DROP rule, so that any packet not matching an earlier rule in the chain is dropped. iptables evaluates a chain from top to bottom and stops at the first matching rule, so a rule appended with -A after this DROP is never reached; add later rules with -I, or delete the DROP, append the new rule, and append the DROP again. However, the OUTPUT chain may not need the drop rule, as this can cause issues with some protocols.

[root@server1 ~]# iptables -A INPUT -j DROP
[root@server1 ~]# iptables -A FORWARD -j DROP

 


SAVE CHANGES

The following command writes the running rules, in the format that iptables-restore reads, to the file the iptables service loads at boot. Rules added with the iptables command exist only in the running kernel, so changes that are not saved here are lost on reboot.

[root@server1 ~]# iptables-save > /etc/sysconfig/iptables
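As an added example that is not part of the original article: a POSIX shell script that writes the INPUT chain built in the sections above as an iptables-restore file (the format of /etc/sysconfig/iptables), and a check that reports rules sitting behind an unconditional DROP in the same chain, which can never match. The LAN range 192.168.0.0/24 and the sample rules are constructed for the example.

```bash
#!/bin/sh
# Added example, not from the original article. Emits the INPUT chain of this
# tutorial as an iptables-restore file and lints a ruleset for unreachable rules.

# Print the ruleset in iptables-save format. iptables evaluates a chain top to
# bottom and stops at the first matching terminal target, so the order below
# matters: loopback and established traffic first, the DROP last.
# $1: LAN allowed to reach SSH (constructed default 192.168.0.0/24).
build_ruleset() {
    lan="${1:-192.168.0.0/24}"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp --dport 22 --source $lan -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
EOF
}

# Read a ruleset (files given as arguments, or stdin) and report every rule
# that follows an unconditional "-A CHAIN -j DROP|REJECT|ACCEPT" in the same
# chain; such rules can never match. Returns 1 if any are found.
unreachable_rules() {
    awk '
        /^-A / {
            chain = $2
            if (chain in dead) { print "unreachable: " $0; bad = 1; next }
            if (NF == 4 && $3 == "-j" &&
                ($4 == "DROP" || $4 == "REJECT" || $4 == "ACCEPT"))
                dead[chain] = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$@"
}
```

Load the generated file with iptables-restore < /etc/sysconfig/iptables (or systemctl restart iptables), which replaces the whole ruleset at once instead of appending to a chain that may already end in DROP.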

 


COMMON RULES

ICMP (ping, traceroute)

-A INPUT -p icmp -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j ACCEPT

The first rule accepts all ICMP; the second accepts only echo requests (type 8, what ping sends), so use one or the other. The following rule is not specific to ICMP: it accepts the replies to connections the server itself opened, for example when a web browser on the Linux server connects to a website (which might be a bad idea), and it is needed whenever the INPUT chain ends in DROP.

-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

 

22 / SSH

-A INPUT -p tcp --dport ssh --source 192.168.0.0/24 -j ACCEPT
-A INPUT -p tcp --sport ssh --source 192.168.0.0/24 -j ACCEPT

The first rule is the one that admits SSH logins from the LAN. The second only matches packets whose source port is 22, that is, replies to SSH sessions the server itself opened toward the LAN; it is redundant when the ESTABLISHED,RELATED rule is present, and matching on a source port alone is not a useful access control, since the remote side chooses its own source port.

 

25, 110, 143, 587, 993, 995 / Email

-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT

 

53 / DNS

-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT

DNS also uses TCP port 53 (responses too large for UDP, zone transfers); add a matching -p tcp rule if the server must answer those.

 

67 / DHCP

-A INPUT -p udp --dport 67 -j ACCEPT

DHCP runs over UDP (servers listen on port 67, clients on port 68), so the rule uses -p udp.

 

80 / HTTP and 443 / HTTPS

-A INPUT -p tcp --dport http -j ACCEPT
-A INPUT -p tcp --dport https -j ACCEPT

 

123 / NTP server

-A INPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p udp --sport 123 -j ACCEPT

123 / NTP client

-A INPUT -p udp --sport 123 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT

A server receives requests on port 123 and answers from it, so it needs the destination-port rule on INPUT; a client sends to port 123 and receives replies from it, so it needs the source-port rule on INPUT (or simply the ESTABLISHED,RELATED rule above).

 

137, 138, 139, 445 / Samba, NetBIOS

-A INPUT -p udp --dport 137 -j ACCEPT
-A INPUT -p udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT

 

3128 / Proxy

-A INPUT -p tcp --dport 3128 -j ACCEPT
