CentOS Firewall

The package iptables allows System Administrators to configure rules for the firewall built into the Linux kernel which is implemented through various netfilter modules, chains and rules. Below are some basic examples to to deny or allow various network traffic (ICMP, TCP, UDP, etc.) from specific networks, host IPs, etc.

A common security practice is to DENY all traffic, and then open up very specific network rules. Below are some quick examples, but I’ll be putting together an example of a simple stateful firewall as well as a router configuration if you’re using NAT between networks. The router configuration gets a little more complex because you are defining rules for forwarding packets on top of accepting or denying.

Viewing CentOS Firewall Rules

You can use the following iptables command to view the current rules and also the number of hits per rule in packets and bytes. This could be useful, if you were denying ssh from everywhere except a specific network and wanted to know how many other networks are attempting to ssh into your server which could indicate a brute-force attack.

iptables -nvL

Saving CentOS IPTables Rules

This command will save the current running iptables rules to a file that can be restored at a later point in time. This is very useful if you’re making a lot of updates, and something screws up, you can diff the files and see what changed. It will help spot your error.

Note: the date command will append YYYY-MM-DD-HHmm timestamp to the end of the saved file.

iptables-save > /root/iptables.save.`date +%Y-%m-%d-%H%M`

Restore IPTables Rule

You can easily restore iptables rules saved with the command above with the iptables-restore command.

iptables-restore < /root/iptables.save.2004-01-01-1200

Allow Ping (ICMP)

This will command will allow ICMP packets including ping.

iptables -A TCP -p icmp -j ACCEPT

Allow SSH Access IPTables

This will command will allow remote ssh connections (TCP port 22).

iptables -A TCP -p tcp --dport 22 -j ACCEPT

Allow HTTPS Access IPTables

This will command will allow connections to a web server (apache, nginx, etc.) running https (encrypted http traffic) on the standard tcp port 443.

iptables -A TCP -p tcp --dport 443 -j ACCEPT

Allow HTTP Access IPTables

This will command will allow connections to a web server (apache, nginx, etc.) running http on the standard tcp port 80.

iptables -A TCP -p tcp --dport 80 -j ACCEPT

Allow DNS traffic

This will command will allow DNS traffic on udp port 53.

iptables -A TCP -p udp --dport 53 -j ACCEPT

Block an IP address

This example will block a specific IP address. You would want to use this if the same IP continually tries to brute-force your server, and you just don’t want to worry about it anymore. This will block out ficticious rogue IP

/sbin/iptables -A INPUT  -s -j DROP

Block a network

Block the entire network.

/sbin/iptables -A INPUT  -s -j DROP

Disable Firewall

To disable the firewall, we can use the default init script to stop it, and set it to not come up at start. This is the best way to do it, as flushing all the rules

/etc/init.d/iptables stop
/sbin/chkconfig iptables off