Iptables is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores. Different kernel modules and programs are currently used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables for Ethernet frames. (Read more on: wikipedia)
Configuration Iptables Firewall on CentOS
Setting up iptables
You can use the following procedure to verify that iptables has been installed and view the status of iptables. Open terminal and type the following command:
# iptables -V # yum info iptables
If the above message does not appear, you can type the following command to install iptables:
# yum -y install iptables
Understanding Firewall, At present here are total four chains:
- INPUT : The default chain is used for packets addressed to the system.
- OUTPUT : The default chain generating from system.
- FORWARD : The default chains is used when packets send through another interface.
- RH-Firewall-1-INPUT : The user-defined custom chain.
Target Meanings
- The target ACCEPT means allow packet.
- The target REJECT means to drop the packet and send an error message to remote host.
- The target DROP means drop the packet and do not send an error message to remote host or sending host.
The default iptables configuration on CentOS does not allow access to the HTTP (TCP PORT # 80) and HTTPS (TCP PORT # 443) ports used by Nginx web server. You can do step by step to configure:
Step 1: Flush all iptables rules
# iptables -F # iptables -X # iptables -t nat -F # iptables -t nat -X # iptables -t mangle -F # iptables -t mangle -X
Step 2: Set default rules
# iptables -P INPUT DROP # iptables -P FORWARD ACCEPT # iptables -P OUTPUT ACCEPT
Step 3: Allow access to HTTP (port 80) and HTTPS (port 443)
# iptables -A INPUT -i lo -j ACCEPT # iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT # iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # iptables -A INPUT -p icmp -j ACCEPT # iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT # iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
Turn on and save iptables
Type the following two commands to turn on firewall:
# chkconfig iptables on # service iptables save