Saturday, May 16, 2009

Configure iptables in CentOS

Iptables is a powerful firewall program for Linux systems. It is bundled with some distributions, among them RHEL and CentOS. These distributions also include a nice, easy-to-use GUI application for managing firewall rules. For systems running without a GUI, the CLI client is very much a pain to use. I spent some time recently going through this iptables tutorial and have come up with a configuration script.

Iptables is a rule based firewall. It uses three different rule sets for managing traffic:
  1. Incoming traffic
  2. Outgoing traffic
  3. Traffic to be forwarded elsewhere
The rule set for traffic to be forwarded elsewhere applies when your Linux computer is configured as a network gateway. For most uses, the only rule set to really focus on is the one governing incoming traffic.

For each packet the computer handles, it determines which rule set applies and then reads through that list of rules until it finds the first one matching the packet, at which point it performs that rule's action and stops. This is why the position of a particular rule is crucially important. If the first rule is to allow all traffic and the second rule is to block traffic on a certain port, then all traffic is going to come through, including the traffic on the port that was meant to be blocked.

Manipulating iptables requires superuser privileges. This can be achieved either by using the su program to become root or by using the sudo command. Don't have sudo powers? Look at this post.

Iptables can be started, stopped, or restarted using either of the following two commands:
/etc/init.d/iptables [command]
- or -
/sbin/service iptables [command]
The options for [command] are start, stop, or restart. The service command above is really just a shell script that calls the script in /etc/init.d/, so the two do exactly the same thing. Use whichever you prefer.

When configuring iptables, the tutorial I found suggested creating your own rule sets from scratch rather than trying to modify the existing ones. I did this and it has worked out very well for me so far. All of my rules go into a script that I edit and run whenever I want to change the rules, so that I do not have to edit the config file manually.
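The following is an added example of the kind of from-scratch script described above; it is not the author's script. It assumes the CentOS binary path /sbin/iptables and an assumed ALLOWED_TCP_PORTS variable listing the services to expose (default: ssh on port 22); the preview mode prints the rules instead of applying them, so ordering can be checked without root.

```shell
#!/bin/sh
# Added example (not the author's script): build an INPUT ruleset from scratch.
# IPT is the iptables binary (assumed at /sbin/iptables on CentOS); point it at
# preview_iptables to print the rules instead of applying them.
IPT="${IPT:-/sbin/iptables}"

# ALLOWED_TCP_PORTS is an assumed knob: space-separated ports to expose (default ssh).
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-22}"

# Print the command instead of running it (no root needed).
preview_iptables() {
    printf 'iptables %s\n' "$*"
}

# Order matters: iptables stops at the first rule that matches, so the ACCEPT
# rules for trusted traffic must come before the catch-all LOG and DROP policy.
build_input_rules() {
    # Start from nothing so re-running the script never duplicates rules.
    "$IPT" -F
    "$IPT" -X
    # Default policy: drop whatever no rule accepts on INPUT and FORWARD.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
    # Loopback traffic is always allowed.
    "$IPT" -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened (the outgoing rule set lets them out).
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow ping for troubleshooting.
    "$IPT" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # Explicitly exposed services; new connections only.
    for port in $ALLOWED_TCP_PORTS; do
        "$IPT" -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Last rule: log (rate-limited) what is about to fall through to the DROP policy.
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: "
}

case "${1:-}" in
    apply)   build_input_rules && /sbin/service iptables save ;;  # persist for the init script
    preview) IPT=preview_iptables; build_input_rules ;;
esac
```

Run it with `preview` to inspect the generated rule order, and with `apply` as root to install the rules and save them so the iptables init script reloads them on boot.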

My iptables setup script
