How to configure iptables in CentOS 6


#1

Hello, I’m the same lobaluna and lobaluna_server. Just using another email (more suited for my server account).

I want to know how to configure iptables in CentOS 6.9 (not using firewall command), so I can set it up for my Apache web server (and LAMP configuration), ProFTPd server, Webmin in port 12895, and phpMyAdmin.

My main issue is to understand the basics of its configuration so I can, in the near future, do it all by myself. You are very kind at explaining things, in a very pedagogical manner, :smiley:

…I must protect my server with the firewall command, which is not being used on my server. But I do have iptables. That’s why I’m asking here.


#3

Hello,

Let me start by saying that firewall configuration with iptables is no simple matter, especially for the untrained eye. Many things can go wrong and you can easily lock yourself out of the server completely. Basic firewall and networking understanding is recommended before attempting to manipulate firewall rules on a production Linux server.

If unsure, it is always a good idea to create a testing environment by setting up a sandbox server before tampering with the production server! Do you have direct access to your server via console/terminal in case something goes wrong?

Before moving on, please consider reading through our Collection of basic Linux Firewall iptables rules guide to familiarize yourself with basic iptables command usage.

How do you know that the firewall is disabled on your host? It is also possible that your hosting provider provides you with a top-level firewall to shield your server.

From what I understand, the firewall is enabled by default on CentOS 6. To check your current iptables rules, run the command iptables-save. This is a sample output of the iptables-save command on CentOS 6:

# iptables-save
# Generated by iptables-save v1.4.7 on Sat Jul 14 09:57:14 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [99:12116]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
COMMIT
# Completed on Sat Jul 14 09:57:14 2018

Next, I’m going to assume that your firewall is disabled and we need to block any access to the server except the following services:

  • 80,443 ( Apache, phpMyAdmin )
  • 21 ( FTP )
  • 12895 ( Webmin )
  • 22 ( SSH ) this is a must in order to access the server via secure shell

First, it is recommended to allow access to any port from the external public IP address you use to connect to your server. For example if your IP address is 23.45.67.89 then execute:

# iptables -A INPUT -s 23.45.67.89 -j ACCEPT

With the above rule we ensure that you do not lock yourself out of the server. Once you are happy with the settings, this iptables rule can then be removed.

Next, open ports for all your required services. Alter the port numbers if necessary or add more rules based on the template:

# iptables -I INPUT -i lo -j ACCEPT                                   # loopback (e.g. phpMyAdmin to MySQL on 127.0.0.1)
# iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT    # replies to the server's own connections (DNS, yum)
# iptables -I INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -I INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -I INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -I INPUT -p tcp --dport 12895 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -I INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

The next task in order is to block access to any other ports:

# iptables -P INPUT DROP    # a chain policy can only be ACCEPT or DROP; "-P INPUT REJECT" fails with "Bad policy name"

Lastly save the iptables rules to make sure they are available after CentOS 6 Linux server reboots:

# /etc/init.d/iptables save

All done. Please note that the above are just basics. The topic of how to configure a simple firewall can stretch for miles and fill multiple books.
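As an added example (not part of the reply above), the whole procedure collected into one script that builds the finished ruleset in the format iptables-restore loads, which is also the format /etc/init.d/iptables save writes to /etc/sysconfig/iptables. It generates the rules in an order that cannot lock the administrator out: loopback and RELATED,ESTABLISHED first (with a DROP policy, the server's own DNS lookups, yum and a local MySQL connection would otherwise get no replies), then the temporary admin-IP rule, then the service ports, then an explicit REJECT as in the stock CentOS 6 ruleset shown earlier, because a chain policy itself can only be ACCEPT or DROP. The admin address 203.0.113.10 and the port list are placeholders; the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the original thread: generate a complete CentOS 6
# iptables ruleset for the services discussed (22, 80, 443, 21, 12895) as a
# file for iptables-restore. Admin address and ports below are placeholders.

# Print one INPUT rule per TCP port; refuse anything that is not a valid port.
# Usage: tcp_port_rules PORT [PORT...]
tcp_port_rules() {
    for p in "$@"; do
        case $p in
            ''|*[!0-9]*) echo "invalid port: '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
        echo "-A INPUT -p tcp -m state --state NEW -m tcp --dport $p -j ACCEPT"
    done
}

# Usage: gen_ruleset ADMIN_IP PORT [PORT...]
# Prints the ruleset on stdout; returns non-zero (and prints nothing) on bad input.
gen_ruleset() {
    admin_ip=$1
    shift
    # Validate all ports first so a bad argument never yields a half-written ruleset.
    tcp_port_rules "$@" >/dev/null || return 1

    echo '*filter'
    # Policies may only be ACCEPT or DROP; the REJECT is done by a final rule.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback and replies to connections the server opened must come first,
    # or the DROP policy breaks DNS, yum and local MySQL over 127.0.0.1.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    echo '-A INPUT -p icmp -j ACCEPT'
    # Temporary safety net: everything from the admin's own address.
    # Remove this rule once the port rules below are verified.
    echo "-A INPUT -s $admin_ip -j ACCEPT"
    tcp_port_rules "$@"
    # Explicit reject with an ICMP error, as in the CentOS 6 stock ruleset.
    echo '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    echo '-A FORWARD -j REJECT --reject-with icmp-host-prohibited'
    echo 'COMMIT'
}

# Lockout check: port 22 must be accepted before the final INPUT REJECT rule.
# Usage: ruleset_keeps_ssh RULESET_TEXT   (exit 0 = safe to apply remotely)
ruleset_keeps_ssh() {
    printf '%s\n' "$1" | awk '
        /--dport 22 -j ACCEPT/ { seen_ssh = 1 }
        /^-A INPUT -j REJECT/  { exit !seen_ssh }
        END                    { exit !seen_ssh }'
}

# Example run with the placeholder admin address and the ports from the thread.
rules=$(gen_ruleset 203.0.113.10 22 80 443 21 12895)
ruleset_keeps_ssh "$rules" && printf '%s\n' "$rules"
```

To use it, write the output to a file, load it with `iptables-restore < file` while the admin-IP rule is still in, confirm a fresh SSH connection to port 22 works, and only then run `/etc/init.d/iptables save`. A common safety habit for remote work is to start `(sleep 300 && /etc/init.d/iptables restart) &` beforehand, which reloads the previously saved rules after five minutes if the new ones cut you off, and to kill that job once you are satisfied. FTP also needs the connection-tracking helper for its data connections; on CentOS 6 that is loaded via `IPTABLES_MODULES="nf_conntrack_ftp"` in /etc/sysconfig/iptables-config.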


#4

I didn’t know how complex it is.

Your explanation helped me a lot. Thank you! I will try it on the weekend and report back.