How To Configure Iptables Firewall on CentOS

Iptables is a command-line utility program that is used to configure the Linux kernel firewall, which is also known as Netfilter. The iptables utility is used to set up and maintain the rules of the firewall, allowing or blocking traffic based on certain conditions like port number, IP address, protocol, etc.

With iptables, you can set up rules to block or allow incoming and outgoing traffic on a specific network interface. It can also be used to set up NAT (Network Address Translation), which allows multiple devices on a private network to access the internet using a single public IP address.

Iptables is a powerful and flexible tool that provides granular control over network traffic. However, it requires some knowledge and experience to configure it correctly, as improperly configured iptables rules can potentially cause network issues or security vulnerabilities.

Check Iptables Version

iptables -V

When you run this command, it displays the version number of the iptables command-line utility along with some other information about the Netfilter framework.

yum info iptables

This command displays detailed information about the iptables package installed on a CentOS system, such as its version, repository and description.

If iptables is not installed on a Linux system, you will not be able to use the iptables command-line utility to configure the firewall rules.

In such a case, you can install iptables using the yum package manager by running the following command as root or with sudo privileges:

yum -y install iptables

Understanding Firewall

A firewall is a security mechanism that filters incoming and outgoing network traffic based on a set of predefined rules. In iptables on CentOS you will usually see four chains: INPUT, OUTPUT, FORWARD, and RH-Firewall-1-INPUT. The INPUT chain is used for packets addressed to the system, while the OUTPUT chain is used for packets generated by the system. The FORWARD chain is used for packets routed through the system to another interface, and the RH-Firewall-1-INPUT chain is a user-defined custom chain created by Red Hat's default configuration rather than a built-in one.

The meaning of different targets in iptables is as follows: ACCEPT allows the packet to pass through the firewall, REJECT drops the packet and sends an error message to the remote host, and DROP drops the packet without sending any error message to the remote or sending host.

By default, the iptables configuration on CentOS does not allow access to the HTTP (TCP port 80) and HTTPS (TCP port 443) ports used by the Nginx web server. You can configure the iptables firewall to allow access to these ports by following the steps below.

Step 1: Flush all Iptables rules

# Flush all rules (-F) and delete all user-defined chains (-X) in the filter table
iptables -F
iptables -X
# Do the same for the nat and mangle tables
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

Step 2: Set default rules

iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Step 3: Allow access to HTTP (port 80) and HTTPS (port 443)

# Allow all traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
# Allow replies to connections the system initiated (RELATED covers helper traffic such as FTP data)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow ICMP (ping, path MTU discovery, error messages)
iptables -A INPUT -p icmp -j ACCEPT
# Allow new TCP connections to HTTP and HTTPS
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

Turn on and save iptables

chkconfig iptables on

This command is used to configure the iptables firewall to start automatically at system boot time on a Linux system.

When you run this command, it sets the default runlevel configuration for the iptables service to on, which means that the iptables firewall service will be automatically started when the system is booted up.

The chkconfig command is a Linux utility that is used to manage system services, including enabling or disabling them at various runlevels. In this case, the “chkconfig iptables on” command enables the iptables service to start automatically at all runlevels.

Note that this command assumes that the iptables service is installed on the system. If the iptables package is not installed, you will not be able to use this command. You can install the iptables package using the package manager for your Linux distribution before running the chkconfig command to enable it.

service iptables save

This command saves the current iptables firewall rules to a file on a Linux system.

When you run this command, it saves the current iptables rules to the “/etc/sysconfig/iptables” file, which is the default location for the iptables rules file on CentOS and other Red Hat-based Linux distributions.

By default, when you configure the iptables firewall rules using the iptables command-line utility, the rules are not saved automatically and will be lost when the system is rebooted. Therefore, the “service iptables save” command is used to save the current iptables rules to a file so that they can be loaded and applied again at the next system boot.

Note that this command assumes that the iptables service is installed on the system and that the rules have already been configured using the iptables command-line utility. If you have not configured any iptables rules yet, this command will not do anything.
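The steps above apply the rules one at a time, and the INPUT policy is set to DROP in Step 2 before the RELATED,ESTABLISHED rule of Step 3 exists, so a remote session can be cut off in between. As an added example (not from the original post), the following script writes the same Step 1-3 ruleset in the format that "service iptables save" stores in /etc/sysconfig/iptables, so it can be loaded in one atomic iptables-restore, and checks the saved file before loading it. The function names, output path and port list are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the original post. Function names, the output
# path and the port list are assumptions chosen here.

# Print an iptables-restore ruleset for the filter table: INPUT policy DROP,
# FORWARD/OUTPUT ACCEPT, then loopback, RELATED/ESTABLISHED, ICMP and NEW TCP
# connections to each port given as an argument.
build_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Write the ruleset for the given ports to a file and print the path.
# Usage: write_ruleset <file> <port>...
write_ruleset() {
    file="$1"
    shift
    build_ruleset "$@" > "$file"
    printf '%s\n' "$file"
}

# Check a saved ruleset before restoring it: the INPUT policy must be DROP and
# the RELATED,ESTABLISHED rule must be present, otherwise replies to outbound
# connections (including the session doing the restore) would be dropped.
# Returns 0 when both hold, 1 otherwise.
check_ruleset() {
    grep -q -e '^:INPUT DROP' "$1" || return 1
    grep -q -e '^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$' "$1" || return 1
    return 0
}

# On a CentOS host, as root (constructed usage, not run here):
#   write_ruleset /etc/sysconfig/iptables 80 443 \
#     && check_ruleset /etc/sysconfig/iptables \
#     && iptables-restore < /etc/sysconfig/iptables
# then "chkconfig iptables on" so the file is loaded at boot.
```

Because iptables-restore applies everything up to COMMIT as one unit, there is no window in which the DROP policy is active without the allow rules.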

You have now successfully configured the firewall!

About the author

Julian Ajb Cheng
