How to configure Firewall service (iptables) in Linux


Most people think that having a firewall at the edge of their network will protect them from everything. This notion couldn’t be more wrong, but having a host-based firewall helps increase your system’s and network’s security. By default, Red Hat comes with a built-in firewall called iptables, which is enabled by default as well. Managing the firewall is essential because many services depend on being able to interact with the outside world or the rest of your network. Because the firewall is set up by default, you don’t need to install it, but you should verify that the package is installed anyway.

Verify the installation:

[root@centos Desktop]# rpm -qa | grep iptables
iptables-1.4.21-16.el7.x86_64
iptables-services-1.4.21-16.el7.x86_64

If the service is not installed, install the iptables-services package in the following way:

[root@centos sysconfig]# yum install iptables-services
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package iptables-services.x86_64 0:1.4.21-16.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================
Package Arch Version Repository Size
============================================================================================
Installing:
iptables-services x86_64 1.4.21-16.el7 base 50 k
Transaction Summary
==========================================================================================
Install 1 Package

Total download size: 50 k
Installed size: 24 k
Is this ok [y/d/N]: y
Downloading packages:
iptables-services-1.4.21-16.el7.x86_64.rpm | 50 kB 00:00:08
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : iptables-services-1.4.21-16.el7.x86_64 1/1
Verifying : iptables-services-1.4.21-16.el7.x86_64 1/1

Installed:
iptables-services.x86_64 0:1.4.21-16.el7

Complete!

Start the iptables service and set it to start when the system boots up:

[root@centos Desktop]# systemctl start iptables
[root@centos Desktop]# systemctl start ip6tables
[root@centos Desktop]# systemctl enable iptables
[root@centos Desktop]# systemctl enable ip6tables
[root@centos Desktop]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
Active: active (exited) since Fri 2016-03-18 11:07:37 IST; 30s ago
Main PID: 8529 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/iptables.service

Mar 18 11:07:36 centos systemd[1]: Starting IPv4 firewall with iptables...
Mar 18 11:07:37 centos iptables.init[8529]: iptables: Applying firewall rule...]
Mar 18 11:07:37 centos systemd[1]: Started IPv4 firewall with iptables.
Hint: Some lines were ellipsized, use -l to show in full.
[root@centos Desktop]# systemctl status ip6tables
● ip6tables.service - IPv6 firewall with ip6tables
Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; enabled; vendor preset:disabled)
Active: active (exited) since Fri 2016-03-18 11:07:41 IST; 47s ago
Main PID: 8554 (code=exited, status=0/SUCCESS)

Mar 18 11:07:41 centos systemd[1]: Starting IPv6 firewall with ip6tables...
Mar 18 11:07:41 centos ip6tables.init[8554]: ip6tables: Applying firewall ru...]
Mar 18 11:07:41 centos systemd[1]: Started IPv6 firewall with ip6tables.
Hint: Some lines were ellipsized, use -l to show in full.
[root@centos Desktop]#

The iptables command is actually the tool used to manage a networking subsystem within the Linux kernel called netfilter. This subsystem is used to filter packets at different levels and is what actually implements the firewall portion.
Configuring iptables
Syntax: iptables [options] [chain] -j [target]
Options:

-A chain      Appends to the chain
-D chain      Deletes from the chain
-I chain      Inserts into the chain
-L chain      Lists all rules
-p proto      Uses the protocol specified
-m match      Matches the extended expression
-s address    Defines a source address
-d address    Defines a destination address

Chains:

INPUT         Packets coming into the system
OUTPUT        Packets leaving the system
FORWARD       Incoming packets that should be forwarded

Targets:

ACCEPT        Allows the packets
DROP          Drops the packets and gives no response
REJECT        Rejects the packets and sends a rejection response

First, note that these are not all the options; however, they are the most commonly used and are absolutely necessary to work with services on the system.
Before you start configuring rules, you can view any existing firewall rules with:

[root@centos ~]# iptables -S 
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

Let’s look at a basic iptables example to see how a rule is created.
Allow SSH connections over TCP port 22:

# iptables -I INPUT -p tcp -m tcp --dport 22 -j ACCEPT

Now check the firewall rules by using the iptables -S or iptables -L command as follows:

[root@centos Desktop]# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

Breaking down this rule, you can see that it is:
 inserting this rule ( -I );
 using the default Red Hat input chain ( INPUT );
 matching only TCP connections ( -m tcp );
 using the TCP protocol ( -p tcp );
 looking for incoming connections on port 22 ( --dport 22 );
 and, if a packet is found, jumping ( -j ) to the ACCEPT target to allow the packet.
In plain terms, this rule allows incoming TCP connections on port 22 of this system. After you work with a few rules, creating firewall rules will become easier. I chose this rule for a particular reason: because it is a rule that you will use all the time.

Before you create any new rules, make a copy of your current working iptables rules and name it iptables.bak:

# cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak

Let’s look at the default firewall rules that come with Red Hat:

[root@centos Desktop]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@centos Desktop]#

The last line of this file is COMMIT, which writes the rules into memory for use on the system.
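The following helper script is an added example, not part of the original post. It generates a rules file in the same /etc/sysconfig/iptables format shown above (with a default DROP policy on INPUT and FORWARD instead of ACCEPT), backs up and loads it the way the article does, and checks "iptables -S" output for rules that were appended (-A) behind the catch-all REJECT and can therefore never match, which is why the breakdown above uses -I. The file path and the --apply flag are assumptions of this script.

```shell
#!/bin/sh
# Hypothetical helper (not from the article). Assumes the CentOS/RHEL 7
# iptables-services layout: rules live in /etc/sysconfig/iptables.
RULES_FILE=/etc/sysconfig/iptables

# Print a filter table in iptables-restore format.
# Arguments: TCP ports to accept for NEW connections, e.g. 22 443.
# INPUT/FORWARD default to DROP, so a packet matching no rule is still
# dropped even if someone later deletes the final REJECT rule.
build_ruleset() {
  echo '*filter'
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
  echo '-A INPUT -p icmp -j ACCEPT'
  for port in "$@"; do
    echo "-A INPUT -p tcp -m state --state NEW -m tcp --dport $port -j ACCEPT"
  done
  echo '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
  echo 'COMMIT'   # without COMMIT the table is never loaded
}

# Read "iptables -S" output on stdin and print every rule that sits after
# an unconditional terminal rule (-A CHAIN -j DROP/REJECT/ACCEPT) in the
# same chain: such rules are unreachable, the typical result of using -A
# instead of -I after the catch-all REJECT.
find_shadowed() {
  awk '$1 == "-A" {
         chain = $2
         if (chain in dead) print "unreachable: " $0
         if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT" || $4 == "ACCEPT"))
           dead[chain] = 1
       }'
}

# Back up the live file, syntax-check the new ruleset, then load it.
apply_ruleset() {
  cp "$RULES_FILE" "$RULES_FILE.bak" 2>/dev/null
  build_ruleset "$@" > "$RULES_FILE.new"
  iptables-restore --test < "$RULES_FILE.new" || { echo 'ruleset rejected'; return 1; }
  mv "$RULES_FILE.new" "$RULES_FILE"
  iptables-restore < "$RULES_FILE"
}

# Only touch the kernel when explicitly asked (needs root):
#   sh fw.sh --apply 22 443
if [ "${1:-}" = "--apply" ]; then shift; apply_ruleset "$@"; fi
```

To audit a running host without changing anything, pipe the live rules through the checker: iptables -S | sh -c '. ./fw.sh; find_shadowed'.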
