How to Install and Configure Iptables Firewall on CentOS 6.3

Share this Article :

This post covers the steps to install and configure iptables on linux CentOS 6.3 server. Iptables is a packet filtering firewall package in linux. It used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Iptables interfaces to the Linux netfilter module to perform filtering of network packets.

1. To install iptables, simply run the following command :

[[email protected] ~]# yum install iptables -y

2. Check iptables installed package and Version :

[[email protected] ~]# rpm -qa | grep iptables
iptables-ipv6-1.4.7-5.1.el6_2.i686
iptables-1.4.7-5.1.el6_2.i686
[[email protected] ~]# iptables --version
iptables v1.4.7

3. Check iptables status :

[[email protected] ~]# /etc/init.d/iptables status
iptables: Firewall is not running.

or

[[email protected] ~]# service iptables status
iptables: Firewall is not running.

4. Start and stop iptables :

Start :

[[email protected] ~]# service iptables start
iptables: Applying firewall rules:                         [  OK  ]

Stop :

[[email protected] ~]# service iptables stop
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]

5. To set iptables start at boot :

[[email protected] ~]# chkconfig iptables on

6. Display Default Iptables rules:

[[email protected] ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

7. Display current opened port :

[[email protected] ~]# netstat -plunt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:46915               0.0.0.0:*                   LISTEN      1170/rpc.statd
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      1538/mysqld
tcp        0      0 127.0.0.1:3310              0.0.0.0:*                   LISTEN      1406/clamd
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      1152/rpcbind
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1390/sshd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1629/master
tcp        0      0 :::111                      :::*                        LISTEN      1152/rpcbind
tcp        0      0 :::59988                    :::*                        LISTEN      1170/rpc.statd
tcp        0      0 :::22                       :::*                        LISTEN      1390/sshd
tcp        0      0 ::1:25                      :::*                        LISTEN      1629/master
udp        0      0 0.0.0.0:59738               0.0.0.0:*                               1170/rpc.statd
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               1152/rpcbind
udp        0      0 192.168.1.54:123            0.0.0.0:*                               1398/ntpd
udp        0      0 127.0.0.1:123               0.0.0.0:*                               1398/ntpd
udp        0      0 0.0.0.0:123                 0.0.0.0:*                               1398/ntpd
udp        0      0 0.0.0.0:903                 0.0.0.0:*                               1152/rpcbind
udp        0      0 0.0.0.0:922                 0.0.0.0:*                               1170/rpc.statd
udp        0      0 :::50667                    :::*                                    1170/rpc.statd
udp        0      0 :::111                      :::*                                    1152/rpcbind
udp        0      0 fe80::20c:29ff:fe1b:b39c:123 :::*                                    1398/ntpd
udp        0      0 ::1:123                     :::*                                    1398/ntpd
udp        0      0 :::123                      :::*                                    1398/ntpd
udp        0      0 :::903                      :::*                                    1152/rpcbind

8. Modify original Iptables configuration file :

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Please note that two rules has been added in the iptables firewall rules :

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT

One Response

  1. Michael McMillan

Leave a Reply