iptables Firewall Setup
Installing iptables
Check current status:
systemctl status iptables
Stop and disable the firewalld service, since it conflicts with iptables-services:
systemctl stop firewalld
systemctl disable firewalld
Install iptables components:
yum install -y iptables iptables-services
systemctl start iptables
systemctl enable iptables
Configuration File
Edit the main configuration file:
vim /etc/sysconfig/iptables
Default configuration template:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Rule Management
Common parameters:
- -A: Append rule to chain
- -D: Delete rule from chain
- -L: List existing rules
- -F: Flush all rules
- -P: Set chain policy
- -p: Protocol type
- -s: Source address
- --dport: Destination port (used together with -p tcp or -p udp)
- -j: Jump target
Basic rule setup sequence (the RELATED,ESTABLISHED rule keeps the current SSH session alive after the policy switches to DROP, but new SSH logins are blocked until a rule for port 22 is added):
iptables -P INPUT ACCEPT
iptables -F
iptables -X
iptables -Z
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
service iptables save
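The template above and the rule sequence below are easy to get wrong by hand; the usual failure is a DROP policy with no SSH rule. The following bash script is an added example, not code from the original guide: it generates a ruleset in the /etc/sysconfig/iptables format from a list of allowed TCP ports, refuses to apply one that has no ACCEPT for the SSH port, and lets iptables-restore parse the file with --test before committing it. It assumes SSH listens on TCP/22 (SSH_PORT) and an iptables-restore that supports --test.

```bash
#!/bin/bash
# Added example, not from the original guide: build a ruleset in the
# /etc/sysconfig/iptables format from a list of allowed TCP ports, refuse to
# apply one that would lock out SSH, and let iptables-restore parse it
# (--test) before anything reaches the kernel.
# Assumption: sshd listens on TCP/22; change SSH_PORT otherwise.

SSH_PORT=22

# Print a complete *filter ruleset: default-deny INPUT/FORWARD, loopback,
# established traffic and ping allowed, then one ACCEPT per TCP port given.
# All ports are validated first so a bad argument produces no partial output.
gen_ruleset() {
    local port
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "gen_ruleset: invalid port '$port'" >&2; return 1 ;;
        esac
    done
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p icmp --icmp-type 8 -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -m state --state NEW -m tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited' 'COMMIT'
}

# Return 0 if the ruleset on stdin accepts new connections to the SSH port.
# With INPUT policy DROP, omitting this rule keeps the current session alive
# (RELATED,ESTABLISHED) but blocks every new login.
ruleset_allows_ssh() {
    grep -Eq "^-A INPUT .*--dport ${SSH_PORT} -j ACCEPT"
}

# Validate and apply: refuse a ruleset without SSH access, then have
# iptables-restore parse it with --test before committing it for real.
# Usage (as root): apply_ruleset "$(gen_ruleset 22 80 443)"
apply_ruleset() {
    local ruleset="$1"
    if ! printf '%s\n' "$ruleset" | ruleset_allows_ssh; then
        echo "apply_ruleset: refusing, no ACCEPT rule for TCP/${SSH_PORT}" >&2
        return 1
    fi
    printf '%s\n' "$ruleset" | iptables-restore --test || return 1
    printf '%s\n' "$ruleset" | iptables-restore
}

# Print the ruleset this script would generate for SSH, HTTP and HTTPS.
gen_ruleset 22 80 443
```

iptables-restore loads the rules into the running kernel only; run `service iptables save` afterwards so they are written to /etc/sysconfig/iptables and survive a reboot.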
Port Management Examples
Open a specific port (with the template above, which ends in a catch-all REJECT rule, use -I INPUT instead of -A so the new rule is evaluated before the reject; -A is fine with the DROP-policy sequence, which has no catch-all rule):
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
service iptables save
Remove port rule:
iptables -D INPUT -p tcp --dport 3306 -j ACCEPT
Block a specific IP (-I inserts at the top of the chain, so the rule takes effect before any ACCEPT rules):
iptables -I INPUT -s 192.168.1.100 -j DROP
Unblock the IP by deleting the matching rule:
iptables -D INPUT -s 192.168.1.100 -j DROP
Common Service Ports
- HTTP: 80
- HTTPS: 443
- SSH: 22
- MySQL: 3306
- Redis: 6379
- PostgreSQL: 5432
- MongoDB: 27017
- Elasticsearch: 9200