Home‎ > ‎unix/linux‎ > ‎

iptables



Is it running?
# service iptables status
Firewall is stopped.

What is allowed: 
$ sudo /sbin/iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:amqp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:webcache
ACCEPT     tcp  --  1.1.1.1              anywhere            state NEW tcp dpt:epmd
ACCEPT     udp  --  1.1.1.1              anywhere            state NEW udp dpt:epmd
ACCEPT     udp  --  1.1.1.1              anywhere            state NEW udp dpts:newoak:pxc-roid
ACCEPT     tcp  --  1.1.1.1              anywhere            state NEW tcp dpts:newoak:pxc-roid
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:55672
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
$


Edit the rules: 

modify the iptables ACL
vim /etc/sysconfig/iptables
add line allowing access to webserver from only clients on the 10 network: 
-I RH-Firewall-l-INPUT -s 10.0.0.0/8 -p tcp --dport 80 -j ACCEPT



Update IPTables: 

Modify IPTables, by adding ports allowed.  In this case, we are allowing tcp:4401, and tcp:8777:
[chuck@ns01 tmp]$ sudo vim /etc/sysconfig/iptables
[sudo] password for cmercier:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 4401 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8777 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
~
"/etc/sysconfig/iptables" 15L, 610C written
[chuck@ns01 tmp]$

Then restart iptables to enable the changes: 
[chuck@ns01 tmp]sudo /sbin/service iptables restart
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
[chuck@ns01 tmp]$ sudo su - way4




References: 



Comments