Configuring iptables on CentOS 6.5

Source: Internet  Published: how to change the username on a Mac  Editor: 程序博客网  Time: 2024/06/06 01:24

References:

http://blog.chinaunix.net/uid-22780578-id-3346350.html
https://www.upcloud.com/support/configuring-iptables-on-centos-6-5/
http://blog.chinaunix.net/uid-26495963-id-3279216.html

The user-space program iptables configures the tables provided by the Linux kernel firewall, together with the chains and rules they store. The kernel module currently used by iptables only applies to IPv4 traffic; to configure firewall rules for IPv6 connections, use ip6tables instead, which responds to the same command structure as iptables. If you are using CentOS 7, you should look into configuring firewalld, which combines the functionality of iptables and ip6tables, though it is still possible to use iptables just the same.

Listing current rules

On CentOS and other RHEL variants, iptables often comes with some preconfigured rules. Check the current iptables rules using the following command:

iptables -nvL

This prints out a list of three chains: INPUT, OUTPUT and FORWARD.

# iptables -nvL
Chain INPUT (policy DROP 60120 packets, 8794K bytes)
 pkts bytes target     prot opt in     out     source               destination
  337 20360 ACCEPT     tcp  --  *      *       192.168.50.38        0.0.0.0/0           tcp dpt:2333

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15773 packets, 2790K bytes)
 pkts bytes target     prot opt in     out     source               destination

The chain names indicate which traffic the rules in each list apply to: INPUT is for any connections coming to your server, OUTPUT is for any leaving traffic, and FORWARD is for any pass-through traffic. Each chain also has a policy setting that determines how traffic is handled if it does not match any specific rule; by default it is set to ACCEPT.

Adding rules

Firewalls are commonly configured in one of two ways: either set the default policy to accept and then block any unwanted traffic with specific rules, or use the rules to define the allowed traffic and block everything else. The latter is often the recommended approach, as it blocks traffic pre-emptively rather than reactively rejecting connections that should not be attempting to reach your server.

To begin using iptables, first add the rules for allowed inbound traffic for the services you require. iptables can track the state of a connection, so use the command below to allow established connections to continue.

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Next, allow traffic to a specific port to enable SSH connections with the following.

iptables -A INPUT -p tcp --dport ssh -j ACCEPT

The ssh in the command is a service name looked up in /etc/services; it translates to port number 22, which the protocol uses by default.

The same command structure can be used to allow traffic to other ports as well. To enable access to an HTTP web server, use the following command:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

After adding all the allow rules you require, change the INPUT policy to DROP.

iptables -P INPUT DROP

The same policy setting can be defined for the other chains as well by entering the chain name and selecting either DROP or ACCEPT.

Saving and restoring rules

Now if you were to restart your server, all of these iptables configurations would be wiped. To prevent this, save the rules to a file, either with iptables-save or with the save action of the iptables init script, which writes the same file and prints a localized confirmation.

iptables-save > /etc/sysconfig/iptables

/etc/init.d/iptables save
iptables:将防火墙规则保存到 /etc/sysconfig/iptables:     [确定]

You can then simply restore the saved rules by reading the file you saved with:

# Overwrite the current rules
iptables-restore < /etc/sysconfig/iptables
# Add the new rules keeping the current ones
iptables-restore -n < /etc/sysconfig/iptables

To automate the restore at reboot, CentOS offers a system service of the same name, iptables, which needs to be enabled.

chkconfig iptables on
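The "Adding rules" steps and the save file above fit together naturally: iptables-save writes exactly the format that iptables-restore reads, so the whole rule set can be written as one file, checked, and loaded in a single step. The script below is an added example, not code from the UpCloud tutorial or from this post. It assumes the allowed ports are passed as arguments and that /etc/sysconfig/iptables is the file used above; it also adds an ACCEPT for the loopback interface, which the tutorial does not list but which local services need. The names build_ruleset and check_ruleset are chosen here. Because the policy line and the rules are loaded together by iptables-restore, there is never a moment where INPUT is already DROP but the conntrack and SSH rules are missing, which is the way an administrator typing the commands one at a time can lock themselves out.

```shell
#!/bin/sh
# Added example (not from the original tutorial): assemble the "Adding rules"
# steps into one iptables-restore file so the complete rule set can be
# reviewed and loaded in one step instead of typed rule by rule.
# Assumptions: ports come in as arguments; /etc/sysconfig/iptables is the
# file the tutorial saves to; the loopback ACCEPT is an addition of this
# example, the tutorial does not list it.

# build_ruleset SSH_PORT [TCP_PORT ...]
# Prints a filter table in the order the tutorial uses: established
# connections first, then SSH, then any other allowed ports, with the
# INPUT policy set to DROP as the final catch-all.
build_ruleset() {
    ssh_port=$1
    shift
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'        # same effect as: iptables -P INPUT DROP
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' # assumption: not in the tutorial
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "-A INPUT -p tcp --dport $ssh_port -j ACCEPT"
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# check_ruleset SSH_PORT  (reads the restore file on stdin)
# Succeeds only if INPUT is dropped by policy AND both the conntrack rule and
# the SSH_PORT rule are present, i.e. loading the file cannot lock out the
# SSH session that loads it.
check_ruleset() {
    awk -v port="$1" '
        /^:INPUT DROP/                                         { drop = 1 }
        /-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT/ { est = 1 }
        $0 ~ ("--dport " port " -j ACCEPT")                    { ssh = 1 }
        END { exit !(drop && est && ssh) }
    '
}

# Usage as root: write the file, verify it, then load it as the tutorial does.
#   build_ruleset 22 80 > /etc/sysconfig/iptables
#   check_ruleset 22 < /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
# Running the script as-is only prints the generated rule set for review.
build_ruleset 22 80
```

check_ruleset is deliberately strict about the SSH port: if the administrator later changes sshd to a non-default port and forgets to regenerate the file, the check fails before iptables-restore is ever run, instead of the next reboot (via chkconfig iptables on) silently cutting off remote access.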

Advanced rule setup

As with basic firewall behaviour, the rules are read in the order they are listed in each chain, which means you need to put the rules in the correct order. Appending new rules adds them to the end of the list. You can add new rules at a specific position in the list by inserting them with the iptables -I command, where the number after the chain name is the position at which you wish to insert the rule. To find out which index number to enter, use the following command.

  • show rules with their rule numbers
# iptables -nvL --line-numbers
Chain INPUT (policy DROP 87646 packets, 13M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      811 50680 ACCEPT     tcp  --  *      *       192.168.50.38        0.0.0.0/0           tcp dpt:2333

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 23077 packets, 4066K bytes)
num   pkts bytes target     prot opt in     out     source               destination

The number at the beginning of each rule line indicates its position in the chain. To insert a new rule above a specific existing rule, simply use the index number of that existing rule. For example, to insert a new rule at the top of the chain, use the following command with index number 1.

iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
iptables -nvL --line-number
Chain INPUT (policy DROP 84 packets, 12044 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
2     1001 62400 ACCEPT     tcp  --  *      *       192.168.50.38        0.0.0.0/0           tcp dpt:2333

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 72 packets, 8708 bytes)
num   pkts bytes target     prot opt in     out     source               destination

If you wish to remove an existing rule from a certain chain, use the delete command with the -D parameter. The easiest way to select the rule for deletion is to use the index numbers explained above. For example, to delete the second rule in the INPUT chain, use this command.

iptables -D INPUT 2

  • insert at a specified position and delete a rule
[root@MC-M bak]# iptables -nvL --line-number
Chain INPUT (policy DROP 12 packets, 2011 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
3     1068 66680 ACCEPT     tcp  --  *      *       192.168.50.38        0.0.0.0/0           tcp dpt:2333

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 11 packets, 1667 bytes)
num   pkts bytes target     prot opt in     out     source               destination

[root@MC-M bak]# iptables -D INPUT 2
[root@MC-M bak]# iptables -nvL --line-number
Chain INPUT (policy DROP 8 packets, 1229 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
2     1106 69000 ACCEPT     tcp  --  *      *       192.168.50.38        0.0.0.0/0           tcp dpt:2333

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 6 packets, 763 bytes)
num   pkts bytes target     prot opt in     out     source               destination
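The listing above also shows why deleting by index needs care: after iptables -D INPUT 2, the rule for port 2333 moves from position 3 to position 2, so a second delete that reuses a stale number removes the wrong rule. The helper below is an added example, not from the tutorial or this post. rule_index reads the output of iptables -nvL --line-numbers on standard input and prints the current index of the first rule in a chain that matches a given destination port, so the number always comes from a fresh listing; the sample listing is copied from the output above. delete_by_port (a name chosen here) wraps the lookup and the delete, refuses to run iptables -D with an empty index, and needs root because it calls iptables itself.

```shell
#!/bin/sh
# Added example (not from the original tutorial): look up a rule's current
# position from "iptables -nvL --line-numbers" output instead of counting
# by hand, so a delete by index hits the intended rule.

# rule_index CHAIN PORT   (listing on stdin)
# Prints the position of the first rule in CHAIN whose match is "dpt:PORT",
# or nothing if CHAIN has no such rule. Other chains in the listing are
# ignored, and header lines never start with a number so they are skipped.
rule_index() {
    awk -v chain="$1" -v port="$2" '
        /^Chain / { in_chain = ($2 == chain); next }
        in_chain && $1 ~ /^[0-9]+$/ && $NF == ("dpt:" port) { print $1; exit }
    '
}

# delete_by_port CHAIN PORT
# Re-lists the chain, resolves the index at that moment and deletes it.
# Needs root and a real iptables; hypothetical helper name.
delete_by_port() {
    idx=$(iptables -nvL "$1" --line-numbers | rule_index "$1" "$2")
    if [ -z "$idx" ]; then
        echo "no rule for dpt:$2 in chain $1" >&2
        return 1
    fi
    iptables -D "$1" "$idx"
}

# Constructed sample: the tutorial's own listing from before the delete.
LISTING='Chain INPUT (policy DROP 12 packets, 2011 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
3     1068 66680 ACCEPT     tcp  --  *      *       192.168.50.38        0.0.0.0/0           tcp dpt:2333

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 11 packets, 1667 bytes)
num   pkts bytes target     prot opt in     out     source               destination'

# Demo: the port 53 rule is number 2, so "iptables -D INPUT 2" is the right
# command at this moment; after that delete, port 2333 becomes number 2.
printf '%s\n' "$LISTING" | rule_index INPUT 53
```

When the rule specification is known exactly, iptables can also delete by specification rather than by number (iptables -D INPUT -p tcp --dport 53 -j ACCEPT), which sidesteps the renumbering problem entirely; the index lookup is for the case the tutorial describes, where you only know what the listing shows.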

It is also possible to flush all rules of a specific chain, or of the whole table, using the -F parameter. This is useful if you suspect iptables is interfering with your network traffic, or you simply wish to start configuring again from a clean table. Remember to save the rules to a file before flushing the table.

# clear input chain
iptables -F INPUT
# Flush the whole iptables
iptables -F