
iptables



Is it running?
# service iptables status
Firewall is stopped.

What is allowed (list the rules currently loaded in the kernel):
$ sudo /sbin/iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:amqp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:webcache
ACCEPT     tcp  --  1.1.1.1              anywhere            state NEW tcp dpt:epmd
ACCEPT     udp  --  1.1.1.1              anywhere            state NEW udp dpt:epmd
ACCEPT     udp  --  1.1.1.1              anywhere            state NEW udp dpts:newoak:pxc-roid
ACCEPT     tcp  --  1.1.1.1              anywhere            state NEW tcp dpts:newoak:pxc-roid
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:55672
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
$


Edit the rules: 

Shut down iptables before making a change. Note that while the service is stopped the host has no packet filtering at all; editing the file first and then restarting the service avoids that unfiltered window:
systemctl stop iptables

Modify the iptables rule list (this file is only read when the service starts, so edits do not take effect until then):
vim /etc/sysconfig/iptables

Add a rule allowing the required traffic. In this example, the rule on the line beginning `-A INPUT -s 10.33.32.0/24` allows inbound SSH from a specific class C (/24) network. Insert it above the final `-A INPUT -j REJECT` line: rules are evaluated in order, so a rule placed after the REJECT is never reached.
# Generated by iptables-save v1.4.21 on Tue Dec 26 14:52:29 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2098:33328884]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT

-A INPUT -s 10.33.32.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -m comment --comment "Allow in-bound SSH from a friendly network" -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Dec 26 14:52:29 2017

Save the file, then restart and enable iptables. Be aware that `service iptables save` writes the currently running rule set to /etc/sysconfig/iptables, so it will overwrite hand edits if the service is running with the old rules; here it reports nothing to save because the service is stopped, and the edited file is loaded when the service starts.
[root@box1 ~]# service iptables save
iptables: Nothing to save.                                 [WARNING]
[root@box1 ~]# vim /etc/sysconfig/iptables
[root@box1 ~]# systemctl start iptables
[root@box1 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  10.33.32.0/24        0.0.0.0/0            state NEW tcp dpt:22 /* Allow in-bound SSH from the Juniper VPN subnet */
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@box1 ~]# systemctl enable iptables
[root@box1 ~]# 




References: 


