IPtables – Basics

CentOS ships with an extremely powerful firewall, commonly referred to as iptables but more accurately iptables/netfilter. Netfilter is the packet-filtering framework inside the Linux kernel; iptables is the userspace tool, the bit that you, the user, interact with at the command line to enter firewall rules into predefined tables.

Iptables places rules into predefined chains (INPUT, OUTPUT and FORWARD). Every IP packet relevant to a chain is checked against that chain's rules, and the outcome decides what is done with the packet, i.e. whether it is accepted or dropped. These actions are referred to as targets; the two most common predefined targets are ACCEPT, which lets the packet through, and DROP, which silently discards it.

Chains

There are 3 predefined chains in the filter table (the default table, used whenever no table is named) to which we can add rules for processing IP packets passing through those chains. These chains are:

INPUT – All packets destined for the host computer.

OUTPUT – All packets originating from the host computer.

FORWARD – All packets neither destined for nor originating from the host computer, but passing through (routed by) the host computer. This chain is used if you are using your computer as a router.

For the most part, we are going to be dealing with the INPUT chain to filter packets entering our machine – that is, keeping the bad guys out.

Rules are added to each chain as an ordered list. A packet is checked against each rule in turn, starting at the top, and if it matches that rule, then an action is taken such as accepting (ACCEPT) or dropping (DROP) the packet. Once a rule has matched and its action has been taken, the packet is handled according to that rule and is not checked against any further rules in the chain. Because the first match wins, the order in which rules are added matters: a rule that drops a host must sit above any broader rule that would accept it. If a packet passes down through all the rules in the chain and reaches the bottom without matching any of them, then the default action for that chain is taken. This is referred to as the default policy and may be set to either ACCEPT or DROP the packet.

Working with iptables

Working with iptables from the command line requires root privileges, so you will need to become root for most things we will be doing.

Iptables should be installed by default on all CentOS 5.x and 6.x installations. You can check whether it is installed on your system with:

# rpm -q iptables
iptables-1.4.7-5.1.el6_2.x86_64

To list all the rules (with packet and byte counters):

# iptables -L -v

To flush all the existing rules. Note that this removes the rules but leaves each chain's default policy in place; if the INPUT policy is DROP, flushing over an SSH session will lock you out:

# iptables -F

To open a port:

# iptables -A INPUT -p [tcp/udp] --dport [PORT] -j ACCEPT

e.g. allow SSH connections on tcp port 22:

# iptables -A INPUT -p tcp --dport 22 -j ACCEPT

e.g. open a port range:

# iptables -A INPUT -p tcp --dport 30000:35000 -j ACCEPT

To accept all packets from a trusted IP address (whitelist an IP address):

# iptables -A INPUT -s [IP HERE] -j ACCEPT

To DROP all traffic from a specific IP address:

# iptables -A INPUT -s [IP HERE] -j DROP

Rules entered at the command line live only in the running kernel, so you need to save them for them to be reloaded automatically the next time you reboot:

# service iptables save

This executes the iptables init script, which runs the /sbin/iptables-save program and writes the current iptables configuration to /etc/sysconfig/iptables. The existing /etc/sysconfig/iptables file is saved as /etc/sysconfig/iptables.save.

The next time the system boots, the iptables init script reapplies the rules saved in /etc/sysconfig/iptables by using the /sbin/iptables-restore command.
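The commands above are typed one at a time, which is fine for experimenting but makes it easy to end up with rules in the wrong order or to lock yourself out while the INPUT policy is DROP. The script below is an added example, not from the original page: it generates a complete INPUT ruleset in the format that iptables-save writes and iptables-restore reads (the same format as /etc/sysconfig/iptables), so the whole set can be reviewed as text and then applied atomically in one step rather than rule by rule. It sets the default policies in the chain headers, allows loopback and replies to connections the host itself opened (without that rule a default-DROP INPUT chain breaks outbound connections), puts the per-host DROP above the broader ACCEPTs, and only then opens SSH and the port range. The port numbers and the addresses 192.0.2.10 and 198.51.100.7 are illustrative assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not from the original page): build a default-DROP INPUT
# ruleset as iptables-restore input, check it, and apply it atomically.
# Assumed values: SSH on tcp/22, an application range tcp/30000:35000,
# one trusted host and one blocked host (documentation addresses).

SSH_PORT=22
APP_RANGE=30000:35000
TRUSTED_IP=192.0.2.10
BLOCKED_IP=198.51.100.7

# Emit the filter table. Chain headers carry the default policy, so
# INPUT and FORWARD drop anything no rule accepts. Rules are matched top
# to bottom and the first match wins, so order is deliberate here.
# Lines starting with '#' are ignored by iptables-restore.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first, or local services that talk to 127.0.0.1 break
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, plus related traffic (e.g. ICMP errors)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the per-host DROP must sit above any broader ACCEPT that would match it first
-A INPUT -s ${BLOCKED_IP} -j DROP
# whitelist a trusted host for everything
-A INPUT -s ${TRUSTED_IP} -j ACCEPT
# services open to everyone else
-A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
-A INPUT -p tcp --dport ${APP_RANGE} -j ACCEPT
COMMIT
EOF
}

# Number of rules that will be appended to INPUT; a cheap sanity check
# before touching the live firewall.
count_input_rules() {
    gen_ruleset | grep -c '^-A INPUT'
}

# 0 if the SSH accept rule is present, so a typo cannot silently lock
# you out of a remote box.
ssh_rule_present() {
    gen_ruleset | grep -q -- "--dport ${SSH_PORT} -j ACCEPT"
}

# Load the whole table in one transaction (needs root and iptables-restore).
# Without root, just print the ruleset for review.
apply_ruleset() {
    ssh_rule_present || { echo "refusing to apply: no SSH rule" >&2; return 1; }
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        gen_ruleset | iptables-restore
    else
        echo "not root or iptables-restore missing; ruleset follows:" >&2
        gen_ruleset
    fi
}

if [ "${1:-}" = "apply" ]; then
    apply_ruleset
fi
```

Run it with no arguments to define the functions, or with apply to load the rules; after a successful apply, service iptables save writes exactly this kind of file to /etc/sysconfig/iptables. Because iptables-restore replaces the table in one atomic step, there is no window in which the chain is flushed but the ACCEPT rules are not yet in place, which is the lockout risk of running iptables -F followed by several iptables -A commands over SSH.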