Setting up iptables rules (firewall) on Fedora, Red Hat and CentOS that can survive a reboot.


iptables is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores. Different kernel modules and programs are currently used for different protocols: iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.

Iptables requires elevated privileges to operate and must be executed by user root, otherwise it fails to function. On most Linux systems, iptables is installed as /usr/sbin/iptables and documented in its man page, which can be opened using `man iptables` when installed. It may also be found in /sbin/iptables, but since iptables is not an "essential binary", but more like a service, the preferred location remains /usr/sbin.

iptables is also commonly used to inclusively refer to the kernel-level components. x_tables is the name of the kernel module carrying the shared code portion used by all four modules that also provides the API used for extensions; subsequently, Xtables is more or less used to refer to the entire firewall (v4,v6,arp,eb) architecture.

To see which iptables rules are in place right now, type this command:

/sbin/iptables -L

If you have not previously been using iptables, this is what will appear:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Ok, time to put up some rules in iptables to protect your desktop/server!

Create a file called

nano /etc/

Copy and paste the following code into the file

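*filter
# Accept all traffic on the loopback interface
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d -j REJECT
# Accept HTTP and HTTPS
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Accept new SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Accept ping (ICMP echo request)
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT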

Then load the rules into iptables:

/sbin/iptables-restore < /etc/

Look at your iptables rules again:

/sbin/iptables -L

Congratulations! Now you have a few rules in iptables that can protect your desktop/server against unauthorized access!

Now, make sure your iptables rules survive when you reboot your server:

/sbin/service iptables save

This is the message you will receive from the server:

Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]

Operational summary

Xtables allows the system administrator to define tables containing chains of rules for the treatment of packets. Each table is associated with a different kind of packet processing. Packets are processed by sequentially traversing the rules in chains. A rule in a chain can cause a goto or jump to another chain, and this can be repeated to whatever level of nesting is desired. (A jump is like a “call”, i.e. the point that was jumped from is remembered.) Every network packet arriving at or leaving from the computer traverses at least one chain.

The origin of the packet determines which chain it traverses initially. There are five predefined chains (mapping to the five available Netfilter hooks), though a table may not have all chains. Predefined chains have a policy, for example DROP, which is applied to the packet if it reaches the end of the chain. The system administrator can create as many other chains as desired. These chains have no policy; if a packet reaches the end of the chain it is returned to the chain which called it. A chain may be empty.

“PREROUTING”: Packets will enter this chain before a routing decision is made.
“INPUT”: Packet is going to be locally delivered. (N.B.: It does not have anything to do with processes having a socket open. Local delivery is controlled by the “local-delivery” routing table: `ip route show table local`.)
“FORWARD”: All packets that have been routed and were not for local delivery will traverse this chain.
“OUTPUT”: Packets sent from the machine itself will be visiting this chain.
“POSTROUTING”: Routing decision has been made. Packets enter this chain just before handing them off to the hardware.

Each rule in a chain contains the specification of which packets it matches. It may also contain a target (used for extensions) or verdict (one of the built-in decisions). As a packet traverses a chain, each rule in turn is examined. If a rule does not match the packet, the packet is passed to the next rule. If a rule does match the packet, the rule takes the action indicated by the target/verdict, which may result in the packet being allowed to continue along the chain or it may not. Matches make up the large part of rulesets, as they contain the conditions packets are tested for. These can happen for about any layer in the OSI model, as with e.g. the --mac-source and -p tcp --dport parameters, and there are also protocol-independent matches, such as -m time.

The packet continues to traverse the chain until either
a rule matches the packet and decides the ultimate fate of the packet, for example by calling one of ACCEPT or DROP, or a module returning such an ultimate fate; or
a rule calls the RETURN verdict, in which case processing returns to the calling chain; or
the end of the chain is reached; traversal either continues in the parent chain (as if RETURN was used), or the base chain policy, which is an ultimate fate, is used.

Targets also return a verdict like ACCEPT (NAT modules will do this) or DROP (e.g. the “REJECT” module), but may also imply CONTINUE (e.g. the "LOG" module; CONTINUE is an internal name) to continue with the next rule as if no target/verdict was specified at all.
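
The traversal rules above, as an added example that is not part of the original page: a small Python model of jump, RETURN, end-of-chain and base-chain policy, run over the accept rules from the rules file earlier on this page. The SERVICES chain name, the eth0 interface and the sample packets are made up for the illustration; the loopback-destination REJECT rule is left out because the model has no negated matches.

```python
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def traverse(chains, name, pkt, trace):
    """Walk one chain; return a final verdict, or None to resume in the caller."""
    for i, rule in enumerate(chains[name]["rules"], 1):
        # A rule matches when every field it specifies equals the packet's.
        if any(pkt.get(k) != v for k, v in rule["match"].items()):
            continue
        target = rule["target"]
        trace.append(f"{name}#{i}:{target}")
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        if target == "LOG":       # non-terminating: carry on with the next rule
            continue
        verdict = traverse(chains, target, pkt, trace)  # jump, caller remembered
        if verdict:
            return verdict
    return None                   # end of chain behaves like RETURN

def filter_packet(chains, pkt, base="INPUT"):
    """Run a packet through a base chain; its policy applies at the very end."""
    trace = []
    verdict = traverse(chains, base, pkt, trace)
    if verdict is None:
        verdict = chains[base]["policy"]
        trace.append(f"{base}:policy {verdict}")
    return verdict, trace

def build(policy):
    """The page's accept rules; SERVICES is a chain name made up for this demo."""
    services = [
        {"match": {"proto": "tcp", "dport": 80}, "target": "ACCEPT"},
        {"match": {"proto": "tcp", "dport": 443}, "target": "ACCEPT"},
        {"match": {"proto": "tcp", "dport": 22, "state": "NEW"}, "target": "ACCEPT"},
        {"match": {"proto": "icmp", "icmp_type": 8}, "target": "ACCEPT"},
    ]
    inp = [{"match": {"in": "lo"}, "target": "ACCEPT"},
           {"match": {}, "target": "SERVICES"}]   # empty match: always jumps
    return {"INPUT": {"policy": policy, "rules": inp},
            "SERVICES": {"rules": services}}

# Constructed sample packets arriving on eth0 (not captured traffic).
HTTPS = {"in": "eth0", "proto": "tcp", "dport": 443, "state": "NEW"}
MYSQL = {"in": "eth0", "proto": "tcp", "dport": 3306, "state": "NEW"}

if __name__ == "__main__":
    for policy, pkt in [("ACCEPT", HTTPS), ("ACCEPT", MYSQL), ("DROP", MYSQL)]:
        print(policy, pkt["dport"], *filter_packet(build(policy), pkt))
```

With policy ACCEPT, as in the listing near the top of the page, the packet to port 3306 matches no rule and is accepted by the INPUT policy, so a file made only of ACCEPT rules changes nothing for it. The same packet is dropped once the base chain policy is DROP.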
