By default the iptables firewall stores its configuration in the file /etc/sysconfig/iptables.
Use the following commands to disable the iptables firewall:
service iptables status
service iptables save
service iptables stop
chkconfig iptables off
To see what rulesets we currently have in place, execute:
iptables -L
- INPUT – Holds rules for traffic directed at this server
- FORWARD – Holds rules for traffic that will be forwarded on to an IP behind this server
- OUTPUT – Holds rules for traffic that is coming from this server out to the internet
These rules are organized into groups called chains. A chain is a set of rules that a packet is checked against sequentially. When the packet matches one of the rules, the associated action is executed and the packet is not checked against the remaining rules in the chain. So in the listing below, rules 3 and 4 will never be checked against, because the REJECT rule before them matches everything:
-- Wrong --
Chain INPUT (policy ACCEPT)
target     prot opt source       destination
ACCEPT     all  --  anywhere     anywhere     state RELATED,ESTABLISHED
REJECT     all  --  anywhere     anywhere     reject-with icmp-host-prohibited
ACCEPT     tcp  --  192.168.1.0  anywhere     tcp dpt:mysql /* 3 */
ACCEPT     all  --  192.168.1.1  anywhere     /* 4 */

-- Correct --
Chain INPUT (policy ACCEPT)
target     prot opt source       destination
ACCEPT     all  --  anywhere     anywhere     state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.1.0  anywhere     tcp dpt:mysql /* 3 */
ACCEPT     all  --  192.168.1.1  anywhere     /* 4 */
REJECT     all  --  anywhere     anywhere     reject-with icmp-host-prohibited
Mainly we will be dealing with traffic directed at this server, and will be issuing rules for the INPUT chain. When traffic passes through the kernel, it determines a TARGET based on whether the packet matches a rule or not. The general targets are:
- ACCEPT – Traffic is accepted for delivery
- REJECT – Traffic is rejected, sending a packet back to the sending host
- DROP – The traffic is dropped. Nothing is sent back to the sending host
Also note that nothing you do is saved to disk until you write the running rules to the file they are loaded from at boot (this is what service iptables save does for you):
iptables-save > /etc/sysconfig/iptables
The following is a list of common rules:
# HTTP - Port 80
iptables -I INPUT 1 -p tcp --dport http -j ACCEPT
# HTTPS / SSL - Port 443
iptables -I INPUT 1 -p tcp --dport https -j ACCEPT
# SSH - Port 22
iptables -I INPUT 1 -p tcp --dport ssh -j ACCEPT
# FTP - Port 21 (and ftp-data, port 20)
iptables -I INPUT 1 -p tcp --dport ftp -j ACCEPT
iptables -I INPUT 1 -p tcp --dport ftp-data -j ACCEPT
# MySQL - Port 3306 - Source 192.168.0.1
iptables -A INPUT -p tcp -s 192.168.0.1 --dport 3306 -j ACCEPT
# To remove this rule again
iptables -D INPUT -p tcp -s 192.168.0.1 --dport 3306 -j ACCEPT
# Save the running rules to /etc/sysconfig/iptables
service iptables save
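The two points above, first-match evaluation in a chain and the difference between -I INPUT 1 (insert at the top) and -A (append at the end), are easy to get wrong on a ruleset that already ends in a catch-all REJECT, as the stock RHEL/CentOS one does. The following is an added example, not code from the original page: a small Python simulator of a single chain that parses rule specs in the same syntax as the commands above, applies -I/-A/-D operations, evaluates a packet with first-match semantics, and reports rules that are shadowed by an earlier catch-all rule. The starting chain in common_rules_example() (a state rule followed by a catch-all REJECT) and the packets are constructed for the demonstration; only the matches the page uses (-p, -s, --dport, --state, comments) are supported.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Service names used on the page, resolved the way iptables resolves them via /etc/services.
SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22, "ftp": 21, "ftp-data": 20, "mysql": 3306}
TERMINAL = {"ACCEPT", "REJECT", "DROP"}


@dataclass
class Packet:
    proto: str          # "tcp", "udp", ...
    src: str            # source IP address
    dport: int          # destination port
    state: str = "NEW"  # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass
class Rule:
    target: str
    proto: Optional[str] = None
    src: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[Set[str]] = None
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        # A bare address such as 192.168.1.0 is a /32 host match, exactly as iptables treats it.
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        return True

    def is_catch_all(self) -> bool:
        """True when the rule has no match criteria at all, i.e. it matches every packet."""
        return self.proto is None and self.src is None and self.dport is None and self.states is None


def parse_rule(spec: str) -> Rule:
    """Parse the match/target part of a rule, e.g. '-p tcp -s 192.168.0.1 --dport 3306 -j ACCEPT'."""
    toks = spec.split()
    rule = Rule(target="")
    for i in range(0, len(toks), 2):
        opt, arg = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
        if opt == "-p":
            rule.proto = arg
        elif opt == "-s":
            rule.src = arg
        elif opt == "--dport":
            rule.dport = int(arg) if arg.isdigit() else SERVICE_PORTS[arg]
        elif opt == "--state":
            rule.states = set(arg.split(","))
        elif opt == "--comment":
            rule.comment = arg
        elif opt == "-j":
            rule.target = arg
        elif opt in ("-m", "--reject-with"):
            pass  # the match-module name and the ICMP error type do not change what matches
        else:
            raise ValueError(f"unsupported option {opt!r} in {spec!r}")
    if rule.target not in TERMINAL:
        raise ValueError(f"rule has no terminal target: {spec!r}")
    return rule


class Chain:
    """One iptables chain: an ordered list of rules plus a default policy. First match wins."""

    def __init__(self, name: str, policy: str = "ACCEPT"):
        self.name, self.policy, self.rules = name, policy, []

    def append(self, spec: str) -> None:                # iptables -A <chain> <spec>
        self.rules.append(parse_rule(spec))

    def insert(self, spec: str, pos: int = 1) -> None:  # iptables -I <chain> <pos> <spec>, 1-based
        self.rules.insert(pos - 1, parse_rule(spec))

    def delete(self, spec: str) -> None:                # iptables -D <chain> <spec>: first identical rule
        self.rules.remove(parse_rule(spec))

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (target, 1-based rule number) of the first matching rule, or (policy, None)."""
        for n, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                return rule.target, n
        return self.policy, None

    def unreachable(self) -> List[int]:
        """1-based numbers of the rules shadowed by an earlier catch-all rule (they can never match)."""
        for n, rule in enumerate(self.rules, start=1):
            if rule.is_catch_all():
                return list(range(n + 1, len(self.rules) + 1))
        return []


STATE_RULE = "-m state --state RELATED,ESTABLISHED -j ACCEPT"
REJECT_ALL = "-j REJECT --reject-with icmp-host-prohibited"
MYSQL_3 = "-p tcp -s 192.168.1.0 --dport mysql -m comment --comment 3 -j ACCEPT"
HOST_4 = "-s 192.168.1.1 -m comment --comment 4 -j ACCEPT"


def page_example(reject_last: bool) -> Tuple[str, List[int]]:
    """The page's 'wrong' (reject_last=False) and 'correct' INPUT chains, evaluated for a new
    MySQL connection from 192.168.1.0 (constructed packet)."""
    chain = Chain("INPUT")
    order = [STATE_RULE, MYSQL_3, HOST_4, REJECT_ALL] if reject_last else [STATE_RULE, REJECT_ALL, MYSQL_3, HOST_4]
    for spec in order:
        chain.append(spec)
    verdict, _ = chain.evaluate(Packet(proto="tcp", src="192.168.1.0", dport=3306))
    return verdict, chain.unreachable()


def common_rules_example() -> Tuple[str, List[int], str]:
    """Apply the page's common rules to a constructed chain that already ends in a catch-all REJECT.
    Returns the verdict for a new MySQL connection after -A, the shadowed rules, and the verdict
    after the rule is deleted (-D) and re-inserted ahead of the REJECT."""
    chain = Chain("INPUT")
    chain.append(STATE_RULE)
    chain.append(REJECT_ALL)
    for svc in ("http", "https", "ssh", "ftp", "ftp-data"):
        chain.insert(f"-p tcp --dport {svc} -j ACCEPT", pos=1)  # -I INPUT 1: each lands at the top
    mysql = "-p tcp -s 192.168.0.1 --dport 3306 -j ACCEPT"
    chain.append(mysql)                                         # -A: lands after the catch-all REJECT
    pkt = Packet(proto="tcp", src="192.168.0.1", dport=3306)
    appended_verdict, _ = chain.evaluate(pkt)
    shadowed = chain.unreachable()
    chain.delete(mysql)                                         # -D, as on the page
    chain.insert(mysql, pos=len(chain.rules))                   # take the REJECT's slot; it shifts down
    fixed_verdict, _ = chain.evaluate(pkt)
    return appended_verdict, shadowed, fixed_verdict


if __name__ == "__main__":
    print("wrong order  :", page_example(reject_last=False))   # ('REJECT', [3, 4])
    print("correct order:", page_example(reject_last=True))    # ('ACCEPT', [])
    print("common rules :", common_rules_example())            # ('REJECT', [8], 'ACCEPT')
```

The point the simulator makes concrete: on a chain whose last rule is a catch-all REJECT, the -I INPUT 1 rules all work, but the appended -A MySQL rule sits behind the REJECT and is dead; unreachable() flags it, and the fix is to insert it at the REJECT's position (or to delete the REJECT and re-append it last, as the page's "Correct" listing shows). A real-world check of the same kind can be made by reading the rule numbers from iptables -L INPUT --line-numbers and confirming that no ACCEPT rule follows the catch-all REJECT.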