Will see Install and managing iptables in Linux/Unix
IPTables is a firewall which comes by default with Linux/ Unix and it’s holds a bunch of rules as a chain. Below are some default chains.
INPUT – Incoming network traffic to this machine from outside.
FORWARD – Network traffic going to/ from machine to another side of this firewall.
OUTPUT – Outgoing network traffic from this machine
Rules are kept in a chain with below-mentioned action in order to do action like below.
ACCEPT – To allow incoming traffic from the outside
DROP – Will drop the packets with no reply to sender
REJECT – Packet will be dropped and a message sent to the sender with an appropriate message.
Check whether the iptables package installed or not using the command.
[root@server ~]# rpm -qa | grep iptables iptables-devel-1.4.21-17.el7.x86_64 iptables-1.4.21-17.el7.x86_64 iptables-services-1.4.21-17.el7.x86_64
If the package not installed use yum to install it like below.
Note: yum package manager should be installed to use it.
[root@server ~]# yum install iptable*
Now enable the iptables permanently in this run level
[root@server ~]# systemctl enable iptables Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
Command to start and check the status of the iptables:
[root@server ~]# systemctl start iptables [root@server ~]# systemctl status iptables ● iptables.service - IPv4 firewall with iptables Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled) Active: active (exited) since Sun 2017-10-29 09:20:21 IST; 5s ago Process: 2331 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS) Main PID: 2331 (code=exited, status=0/SUCCESS) Oct 29 09:20:21 server systemd[1]: Starting IPv4 firewall with ipta.... Oct 29 09:20:21 server iptables.init[2331]: iptables: Applying firew... Oct 29 09:20:21 server systemd[1]: Started IPv4 firewall with iptables. Hint: Some lines were ellipsized, use -l to show in full.
To check default configuration of iptables use below command.
[root@server ~]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination
Another important command that will help to save the iptables configuration changes which we made. However, will not save the configuration changes and will lose the changes after restarting iptables/ machine.
Use the below command to save the rules changes which we made.
[root@server ~]# service iptables save iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
or
[root@server ~]# iptables-save # Generated by iptables-save v1.4.21 on Sun Oct 29 15:17:07 2017 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [90:12391] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT # Completed on Sun Oct 29 15:17:07 2017
Command to enable port in iptables. here we are going to enable port 80 for webserver(http) from outside to this server.
[root@server ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Command to enable port 80 to allow traffic from the server/firewall to outside in iptables.
[root@server ~]# iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
also will enable the port to specific host in iptables. For this we can -s option to mention the hostname in the command like below.
enabling 80 port to allow the traffic from the node1 alone.
[root@server ~]# iptables -A INPUT -p tcp -s node1.lbcdomain.com --dport 80 -j ACCEPT
Same like above will enable the ports for specific network to limit the access. So that, traffic allowed from the machines which all are falls under this network.
[root@server ~]# iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT