Use iptables to block unwanted traffic on Centos or RH 5 and 6 machines

Ip tables is a powerfull firewall included in many linux distros, we’re here focusing on Centos or Red Hat 5 and 6 distributions, you can check if iptables is installed on your system with the command:
rpm -q iptables
you should get the iptables version if present.

With the command
iptables -L -v
you can check the configuration you’re running, something like this as default configuration:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all — anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

The firewall is based on chains, each chain is just a firewall area, looking at the default configuration we have three chains, INPUT, FORWARD, OUTPUT.
in INPUT chain are listed all rules for incoming packets
in FORWARD chain are all forwarding rules, usually for routers.
in OUTPUT chain we have all rules for outgoing packets.
We’ll now set up an easy firewall, frequently used on stand alone internet server, a Stateful Packet Inspection (SPI) firewall allowing all outgoing traffic, but blocking all forwarding and unwanted incoming packets as default, allowing only incoming packet for our hosted services.

Let’s move now into configuration details, starting to edit and add some rules:
iptables -P INPUT ACCEPT
to allow all incoming traffic on chain INPUT, if we’re logging in over an SSH connection and something goes wrong we won’t get ourself locked out from the system, we’ll set DROP as default later, as soon as the configuration process ends.
then digit:
iptables -A INPUT -i lo -j ACCEPT
To allow all local traffic, the -A option adds a rule to the INPUT chain, -i means interface and adds that rule to the specified interface, lo, or local (, while -j (jump) specify the standard action over packets maching the rule, in this case ACCEPT. This rule is very important.
Another “must add” command is:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
This rule allows all packets coming or related to an established connection to come in. With -m we load a module (state), the state module can check a packet and see if it’s NEW, ESTABLISHED OR RELATED. NEW are packets from new connections, not initiated by our host, ESTABLISHED and RELATED are packets referring or related to connections established by our host.
Now let’s open ports for our services:
iptables -I INPUT 4 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
This command opens a port for SSH service over port 22 tcp. -p adds a rule to a protocol, tcp, while –dport adds the rule to a specific port, 22 is the default for SSH service.

iptables -I INPUT 4 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
Remove the number 4 and leave it blank if you want it to be added on the top.
This rule opens port 80 tcp for http service and add the line in position 4.

If you have other services running you need to issue the above command changing tpc/udp and port number accordingly.
You can find a full list of port numbers and related services here:

As soon as you have all your ports opened, you need to set the default INPUT chain rule to DROP:
iptables -P INPUT DROP
the -P switch sets the default policy for a chain, here is DROP.
If you’re not working on a router system, you also need to block the packet forwarding:
iptables -P FORWARD DROP
while OUTPUT chain should also be set to ACCEPT:
If you trust your users and programs.
Check your rules with
iptables -L -v
and save them so they will be reloaded when booting:
/sbin/service iptables save
the rules are saved in /etc/sysconfig/iptables and reapplied at boot.

If your iptables service do not automatically run on boot check with:
chkconfig --list iptables
If you get something like this everything’s fine
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
else add your iptable command in startup
chkconfig --add iptables
and add the starting run levels:
chkconfig --level 2345 iptables on
so that iptables will automatically start at runlevels 2,3,4,5.

Your all set now, enjoy your brand new firewall.

Leave a Reply