

Setting up a Firewall in RedHat Linux using IPTables
Part 2 - Creating Our Rules

Written by Tony Bhimani
October 4, 2004

RedHat Linux 9
iptables 1.2.7a

For this example we will only allow access to SSH and HTTP (ports 22 and 80 respectively). If you have other services such as FTP (port 21), DNS (port 53), SMTP (port 25), POP3 (port 110), or HTTP-SSL (port 443) then feel free to add them. Next we will check to see if there is an existing iptables rules file. Go to your sysconfig directory located in /etc and look for a file called iptables.

cd /etc/sysconfig

If the file exists then be sure to make a backup of it. In case anything weird starts to happen you can replace your new file with the original one.

cp iptables iptables.original

For those of you who do not have an existing file, create a new one using the touch command.

touch iptables

Now it is time to edit the rules file with vi.

vi iptables

This is what my file looks like. Yours may be different or empty if you had to create the file from scratch. When I initially installed RedHat I used the medium setting for the firewall.

Put vi in insert mode (press i) and delete everything. After everything has been deleted, type in the following rules.

*filter
# rules for our firewall
# default policy for INPUT: drop every inbound packet that no rule below accepts
:INPUT DROP [0:0]
-A INPUT -i lo -p all -j ACCEPT
-A OUTPUT -o lo -p all -j ACCEPT
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
# open ports for some services
#  open ssh
-A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
-A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
#  open http
-A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
-A INPUT -p udp -i eth0 --dport 80 -j ACCEPT
# drop all other inbound connections, only allow what we defined above
# (this is done by the INPUT DROP policy set at the top of the file)
COMMIT

When you are done it should look like this.

Save your changes and exit out of vi (press ESC and type :wq and press Enter).
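Before loading the file, it is worth checking that it is complete and opens only the ports you meant to open. The following Python script is an added example, not part of the original tutorial: it parses a ruleset in iptables-restore format (the embedded sample is a constructed copy of the rules above, with the *filter header, INPUT DROP policy and COMMIT line that iptables-restore requires) and reports the INPUT policy plus any accepted port outside the intended allow-list.

```python
import shlex

# Constructed sample: this tutorial's rules in iptables-restore format (header, policy, COMMIT included).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -p all -j ACCEPT
-A OUTPUT -o lo -p all -j ACCEPT
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
-A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
-A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
-A INPUT -p udp -i eth0 --dport 80 -j ACCEPT
COMMIT
"""

def parse_rules(text):
    """Return ({chain: policy}, {(proto, port) accepted by INPUT rules})."""
    policies, accepted, committed = {}, set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*":        # comment or "*table" line
            continue
        if line == "COMMIT":
            committed = True
        elif line[0] == ":":                   # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A INPUT "):
            argv = shlex.split(line)
            # map each option to the token after it ("!" negations do not start with "-")
            opts = {argv[i]: argv[i + 1] for i in range(len(argv) - 1) if argv[i][0] == "-"}
            if opts.get("-j") == "ACCEPT" and "--dport" in opts:
                accepted.add((opts.get("-p", "all"), int(opts["--dport"])))
    if not committed:
        raise ValueError("no COMMIT line: iptables-restore would not apply the table")
    return policies, accepted

def audit(text, allowed_ports):
    """Findings: a non-DROP INPUT policy, and accepted ports outside allowed_ports."""
    policies, accepted = parse_rules(text)
    findings = []
    if policies.get("INPUT") != "DROP":
        findings.append("INPUT policy is %s, not DROP" % policies.get("INPUT"))
    for proto, port in sorted(accepted):
        if port not in allowed_ports:
            findings.append("unexpected %s/%d accepted" % (proto, port))
    return findings
```

Run audit() on the contents of your own /etc/sysconfig/iptables with the set of ports you intend to expose; an empty list means the file matches that intent.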

Now we will load our new rules into iptables. Issue the following command.

/sbin/iptables-restore < ./iptables

Iptables should accept the new rules and not give any error messages. If you do get errors, check your file and make sure there are no mistakes. With our rules loaded let's list them.

/sbin/iptables --list

Everything looks good. The last thing we'll do is attempt to connect to a service that is running but not part of our rules. The connection attempt will be made from a remote host using telnet (if you don't have access to another computer to try this test, ask your friend to do it with his). We will run nmap to list all our listening services on our server.

nmap localhost

Choose a service that you didn't add to your rules. I will be using MySQL (port 3306) for this example and I will be attempting the remote connection from my RedHat 7.3 box.

telnet [server IP] 3306

[server IP] is the IP address of my server and 3306 is the port MySQL is running on. Since we set the INPUT policy to DROP all connections, we should get a connection time out. You can also have the INPUT chain REJECT instead of DROP, which should return connection refused messages. I chose DROP just to give the appearance that nothing is running. We also did a test to connect to port 80 (HTTP) which worked.

If everything works then you have just successfully set up your firewall. Next we will talk about blocking unwanted hosts.
