The firewall rules in CentOS, commonly known as IPTables, are based on IP addresses, protocols and ports and give you the ability to manage all connection activity in and out of your server. Rules are organised into chains (INPUT, OUTPUT and FORWARD) and you can ACCEPT, DROP or REJECT traffic based on your own criteria. IPTables is the bedrock of the server's security, so here we will look at replacing the pre-installed rule set to build your own.
First log in as root and remove all the current rules
# iptables --flush
Now, as a temporary measure to ensure that we have no trouble connecting to the server while we work, we set the default policies so that the server accepts all connections
# iptables -P INPUT ACCEPT && iptables -P FORWARD ACCEPT && iptables -P OUTPUT ACCEPT
Now save the rules and restart the service
# service iptables save
# service iptables restart
Now we add a simple pair of rules that allow unlimited traffic on the loopback interface (127.0.0.1) so that local processes can reach the host
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Next we can add an optional rule for the server's static IP address, if it has one
iptables -A INPUT -i lo -s 192.168.0.100 -d 192.168.0.100 -j ACCEPT
Now we enable both ICMP and STATE. ICMP is used for diagnostics such as ping and traceroute and for network control and discovery, while STATE enables IPTables to remember the status of each connection, in conjunction with the protocol, using the source and destination IP address.
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Having done this, the next task is to open the domain and SSH ports to allow DNS queries and SSH logins. If you are using a different port for SSH, remember to change it here.
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
Finally, lock down the server and deny all other access by rewriting the chain policies.
iptables -P INPUT DROP && iptables -P FORWARD DROP && iptables -P OUTPUT ACCEPT
Save the new configuration from memory to file and restart the service
# service iptables save
# service iptables restart
Additional Ports
You can open additional ports to support services such as HTTPD, FTP, NTP, mail etc. by extending the current rule set, providing each service with a relevant input and output rule.
To allow HTTP on ports 80 and 143 you would use
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
To allow FTP on ports 20/21 you would use
iptables -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT
To allow SMTP and POP3 on ports 25 and 110 you would use
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT
Finally, to allow NTP on port 123 you would use
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
Remember to save the rules
# service iptables save
Allowing an IP Address
If you have a list of IP addresses that belong to welcome guests, the root user can add them to the existing firewall rules and whitelist them by typing
iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT
You can add as many addresses as you like, but place the entries above any other rule, as in this fragment of the saved rules file
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -s 192.168.0.100 -j ACCEPT
-A INPUT -s 192.168.0.101 -j ACCEPT
Save and restart iptables
# service iptables save
# service iptables restart
Banning IP addresses
If you have a list of IP addresses that belong to unwanted guests, the root user can add them to the existing firewall rules and effectively ban or blacklist them by typing
iptables -A INPUT -s 192.168.0.100 -j DROP
Again, as above, there is no limit to the number of entries, but they must appear above any other rule, as in this fragment of the saved rules file
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -s XXX.XXX.XXX.XXX -j DROP
-A INPUT -s XXX.XXX.XXX.XXX -j DROP
-A INPUT -s XXX.XXX.XXX.XXX -j DROP
Save and restart iptables
# service iptables save
# service iptables restart
Using this method you can deny unwanted visitors access to your server at the firewall and limit the size of your log files.
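As an added example (not the author's script), the following POSIX shell generates the whole rule set built above in the same saved-file format as the fragments in the whitelist and blacklist sections, with the deny and allow entries placed ahead of every other INPUT rule, and checks the result before it is loaded. It assumes the SSH port and the blocked and whitelisted addresses are passed as arguments; the addresses in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not the author's script): write the rules file in the
# iptables-save format the fragments above use, with deny and allow entries
# ahead of every other INPUT rule. Ordering matters because "iptables -A"
# appends to the bottom of a chain; adding such entries to a live chain
# needs "iptables -I" instead. Assumptions: SSH port, blocked addresses and
# whitelisted addresses are passed as arguments.

build_ruleset() {
    ssh_port="${1:-22}"   # port SSH listens on (assumed; 22 if omitted)
    block="$2"            # space-separated addresses to DROP
    allow="$3"            # space-separated addresses to ACCEPT
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]'
    for ip in $block; do
        printf '%s\n' "-A INPUT -s $ip -j DROP"
    done
    for ip in $allow; do
        printf '%s\n' "-A INPUT -s $ip -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p icmp --icmp-type any -j ACCEPT' \
        '-A INPUT -p tcp --dport 53 -j ACCEPT' \
        '-A INPUT -p udp --dport 53 -j ACCEPT' \
        "-A INPUT -p tcp -m tcp --dport $ssh_port -j ACCEPT" \
        'COMMIT'
}

# Check a generated file before loading it: the INPUT policy must be DROP,
# an SSH accept rule must exist (or the session loading the file is cut off),
# and every "-s ... -j DROP" entry must precede the first ACCEPT rule, so a
# banned address cannot slip through an earlier, broader ACCEPT.
check_ruleset() {
    grep -q '^:INPUT DROP' "$1" || return 1
    grep -q -- '-A INPUT -p tcp -m tcp --dport [0-9]* -j ACCEPT' "$1" || return 1
    last_drop=$(grep -n -- '-A INPUT -s .* -j DROP' "$1" | tail -n 1 | cut -d: -f1)
    first_accept=$(grep -n -- '-A INPUT .* -j ACCEPT' "$1" | head -n 1 | cut -d: -f1)
    [ -z "$last_drop" ] || [ "$last_drop" -lt "$first_accept" ]
}

# Usage (addresses are constructed examples; iptables-restore is the
# standard loader for this file format):
#   build_ruleset 22 "203.0.113.5 198.51.100.7" "192.168.0.100" > /tmp/iptables.new
#   check_ruleset /tmp/iptables.new && iptables-restore < /tmp/iptables.new
```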
Labels: Centos 6, RHEL set new Firewall IPTables rules