Setting up a Firewall in RedHat Linux using IPTables
Part 2 - Creating Our Rules
Written by Tony
October 4, 2004
RedHat Linux 9
For this example we will only allow access to SSH and HTTP (ports 22
and 80, both TCP). If you run other services such as FTP (port 21),
DNS (port 53, UDP as well as TCP), SMTP (port 25), POP3 (port 110) or
HTTPS (port 443), add them the same way, but only the ones that really
need to be reachable from outside. Next we will check whether an iptables
rules file already exists: look in /etc/sysconfig for a file called iptables.
If the file exists, make a backup of it first. If anything weird starts
to happen after the change you can put the original back.
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.original
For those of you who do not have an existing file, create a new one using
the touch command.
Now it is time to edit the rules file with vi.
This is what my file looks like. Yours may be different or empty if you
had to create the file from scratch. When I initially installed RedHat
I used the medium setting for the firewall.
Put vi in insert mode (press i) and delete everything.
After everything has been deleted, type in the following rules.
*filter
# default policies: drop anything inbound that no rule below accepts,
# leave outbound and forwarded traffic alone (the RedHat file sets the
# policy on these chain lines; the counters in brackets are zeroed on load)
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# rules for our firewall
# loopback is trusted
-A INPUT -i lo -p all -j ACCEPT
-A OUTPUT -o lo -p all -j ACCEPT
# replies to connections this host opened, plus related traffic such as ICMP errors
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# the MSS option (option 2) is only carried on SYN segments, so a TCP segment
# without it that was not accepted above is not opening a connection;
# answer it with a reset instead of letting it reach the per-port rules
-A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
# open ports for some services (SSH and HTTP are TCP only, so no UDP rules)
# open ssh
-A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
# open http
-A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
# everything else inbound falls through to the INPUT policy, DROP
COMMIT
When you are done the file should look like the listing above. Two things
in it are easy to forget and will make the load fail: the *filter line at the
top and the COMMIT line at the end, which iptables-restore requires around
every table. The --tcp-option rule does the same job as the more common
rule that rejects NEW state packets without the SYN flag: anything that is
not the start of a connection and is not part of one we already know about
gets a reset. Save your changes and exit out of vi (press ESC and
type :wq and press Enter).
Now we will load our new rules into iptables. Issue the following command
(the redirect works from any directory, so use the full path).
/sbin/iptables-restore < /etc/sysconfig/iptables
iptables-restore replaces the running rule set in one step, so the new
rules take effect atomically. It should accept the file without any error
messages. If it reports a failure at a particular line, nothing has been
loaded, so go back and check that line (a missing *filter header or a
missing COMMIT at the end are the usual culprits). If you are doing this
over SSH, the ESTABLISHED,RELATED rule is what keeps your current session
alive while the new rules go in. This is also the file the iptables init
script loads at boot, so enable the iptables service with chkconfig to have
the rules come back after a reboot.
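As an added example (my script, not part of the original article), here is
a small shell script that covers the two things a hand-edited rules file
calls for: it checks the file for the structure iptables-restore requires
before loading it, and it loads the file with a rollback timer so that a
mistake cannot lock you out of a remote SSH session. It uses only
iptables-save, iptables-restore and a POSIX shell; the 120-second default,
the /tmp backup path and the subcommand names are my choices, not anything
from the article.

```shell
#!/bin/sh
# Added example, not from the original article. Checks an
# /etc/sysconfig/iptables-style file, then loads it with an automatic
# rollback. Assumes iptables-save/iptables-restore are installed; the
# backup path and default timeout are illustrative choices.

BACKUP=/tmp/iptables.rollback      # where the pre-change rule set is kept

# check_rules_file FILE
# Returns 0 when FILE has the shape iptables-restore expects:
#   - a "*table" header before the first rule
#   - a COMMIT closing each table
#   - every -A/-I/-D line naming a built-in chain or one declared with ":CHAIN"/-N
#   - policies (":CHAIN POLICY" or -P) that are ACCEPT or DROP; REJECT is a
#     target, not a policy, and iptables-restore refuses it
# Problems are reported on stderr and the function returns 1.
check_rules_file() {
    file=$1
    table='' committed=1 status=0
    chains=' INPUT OUTPUT FORWARD '   # built-in chains of the filter table
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) ;;                               # blank line or comment
            '*'*)                                     # table header, e.g. *filter
                if [ "$committed" -eq 0 ]; then
                    echo "table $table has no COMMIT" >&2; status=1
                fi
                table=${line#\*}; committed=0 ;;
            ':'*)                                     # chain line, e.g. :INPUT DROP [0:0]
                chain=${line#:}; chain=${chain%% *}
                chains="$chains$chain "
                rest=${line#* }; policy=${rest%% *}
                case "$policy" in
                    ACCEPT|DROP|-) ;;                 # "-" marks a user-defined chain
                    *) echo "bad policy '$policy' in: $line" >&2; status=1 ;;
                esac ;;
            COMMIT) committed=1 ;;
            -N*)                                      # user-defined chain
                rest=${line#* }; chains="$chains${rest%% *} " ;;
            -A*|-I*|-D*)
                if [ -z "$table" ]; then
                    echo "rule before any *table header: $line" >&2; status=1
                fi
                rest=${line#* }; chain=${rest%% *}
                case "$chains" in
                    *" $chain "*) ;;
                    *) echo "unknown chain '$chain' in: $line" >&2; status=1 ;;
                esac ;;
            -P*)
                rest=${line#* }; rest=${rest#* }; policy=${rest%% *}
                case "$policy" in
                    ACCEPT|DROP) ;;
                    *) echo "policy must be ACCEPT or DROP: $line" >&2; status=1 ;;
                esac ;;
        esac
    done < "$file"
    if [ "$committed" -eq 0 ]; then
        echo "table $table has no COMMIT" >&2; status=1
    fi
    return $status
}

# apply_with_rollback FILE [SECONDS]
# Save the running rules, load FILE, and start a watchdog that puts the
# saved rules back after SECONDS (default 120). Open a fresh SSH session
# and run "confirm PID" before the timer expires to keep the new rules.
apply_with_rollback() {
    file=$1 secs=${2:-120}
    check_rules_file "$file" || return 1
    iptables-save > "$BACKUP" || return 1
    if ! iptables-restore < "$file"; then
        echo "load failed; putting the saved rules back" >&2
        iptables-restore < "$BACKUP"
        return 1
    fi
    ( sleep "$secs"; iptables-restore < "$BACKUP"; rm -f "$BACKUP" ) &
    echo "rules loaded; rollback in ${secs}s unless you run: $0 confirm $!"
}

# confirm_rules PID: cancel the watchdog started by apply_with_rollback
confirm_rules() {
    kill "$1" 2>/dev/null && rm -f "$BACKUP" && echo "rollback cancelled, rules kept"
}

case "${1:-}" in
    check)   check_rules_file "$2" ;;
    apply)   apply_with_rollback "$2" "${3:-120}" ;;
    confirm) confirm_rules "$2" ;;
    *)       echo "usage: $0 check FILE | apply FILE [SECONDS] | confirm PID" >&2 ;;
esac
```

Run the check first (sh firewall.sh check /etc/sysconfig/iptables): a file
that starts with rules but has no *filter line fails with "rule before any
*table header", and one that ends without COMMIT fails with "has no COMMIT".
Then apply it, open a second SSH session to prove port 22 is still reachable,
and confirm with the PID it printed. If the second login hangs, do nothing:
when the timer runs out the old rules come back on their own.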
With our rules loaded, list them with iptables -L -n (the -n stops it from
looking up hostnames, which would otherwise hang on a host with no DNS
access) and check that the output matches the file.
Everything looks good. The last thing we'll do is attempt to connect
to a service that is running but not part of our rules. The connection
attempt will be made from a remote host using telnet (if you don't have
access to another computer to try this test, ask your friend to do it
with his). We will run nmap to list all our listening services on our
Choose a service that you didn't add to your rules. I will be using MySQL
(port 3306) for this example and I will be attempting the remote connection
from my RedHat 7.3 box.
telnet 192.168.1.110 3306
192.168.1.110 is the IP of my server and 3306 is the port MySQL is running
on. Since we set the INPUT policy to DROP, the SYN is silently discarded
and telnet sits there until the connection times out. Note that REJECT is
not available as a chain policy (only ACCEPT and DROP are); if you would
rather have connections refused outright, leave the policy at DROP and add
a last rule in INPUT with the REJECT target, using --reject-with tcp-reset
for TCP so the client sees "Connection refused" immediately instead of
hanging. I chose DROP just to give the appearance that nothing is running,
but keep in mind that it does not really hide the host: ports 22 and 80
still answer, and a scanner such as nmap reports the dropped ports as
"filtered" rather than "closed", which tells it a firewall is in the way.
We also did a test to connect to port 80 (HTTP) which worked.
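Here is an added example (my script, not the article's) that turns the
telnet check above into something repeatable: it classifies a port as open,
closed or filtered from the way a TCP connect fails, which is exactly the
difference between a REJECT (refused at once) and the DROP policy (no
answer until the timeout). It assumes bash on the probing host for its
/dev/tcp redirection and the coreutils timeout command; the address
192.168.1.110 and the ports 22, 80 and 3306 are the ones from the text, and
the 3-second timeout is my choice.

```shell
#!/bin/sh
# Added example, not from the original article: script the remote
# connection test. Needs bash (for /dev/tcp) and coreutils "timeout" on
# the machine doing the probing. Host and ports are placeholders taken
# from the text.

# probe_port HOST PORT [SECONDS]
# Prints one word describing how HOST answered a TCP connect to PORT:
#   open      - the handshake completed (an ACCEPT rule and a listener)
#   closed    - immediate RST or ICMP unreachable (REJECT, or nothing listening)
#   filtered  - no answer before the timeout (the DROP policy)
probe_port() {
    host=$1 port=$2 secs=${3:-3}
    # bash's /dev/tcp/HOST/PORT pseudo-device performs a connect(); "timeout"
    # exits 124 when the SYN goes unanswered, bash exits non-zero on refusal.
    if timeout "$secs" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null; then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        0)   echo open ;;
        124) echo filtered ;;
        *)   echo closed ;;
    esac
}

# expect_state HOST PORT STATE
# Returns 0 when probe_port reports STATE, otherwise explains and returns 1.
expect_state() {
    got=$(probe_port "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "$1:$2 $got (ok)"
        return 0
    fi
    echo "$1:$2 expected $3 but got $got" >&2
    return 1
}

# check_firewall HOST
# The policy this article builds: 22 and 80 accepted, everything else
# dropped, so 3306 must time out rather than be refused. Returns 1 if
# any port misbehaves.
check_firewall() {
    host=$1 failed=0
    expect_state "$host" 22   open     || failed=1
    expect_state "$host" 80   open     || failed=1
    expect_state "$host" 3306 filtered || failed=1
    return $failed
}

# Run from another machine against the server: sh probe.sh 192.168.1.110
if [ $# -eq 1 ]; then
    check_firewall "$1"
fi
```

If 3306 comes back "closed" instead of "filtered", something is answering
with a reset, so either a REJECT rule matched before the policy or the
packet never reached this host's INPUT chain; "open" on 3306 means the
rules did not load at all.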
If everything works then you have just successfully set up your firewall.
Next we will talk about blocking unwanted hosts.