iptables on CentOS 6.0
The following explains the default iptables firewall settings on CentOS 6.
iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   96  6776 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
   69 11894 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 69 packets, 9896 bytes)
 pkts bytes target     prot opt in     out     source               destination
The CentOS wiki provides details. This is my simplification:
ACCEPT RELATED,ESTABLISHED: allows existing conversations to continue.
ACCEPT icmp: allows ICMP messages such as ping (the original note here was just "don't know").
ACCEPT all lo: allows internal traffic on the loopback interface.
ACCEPT tcp ssh: allows port 20 for SSH.
REJECT all: kills everything else, answering with an ICMP host-prohibited message.
So, to open port 80 on your soon-to-be Apache server, you just need to add an ACCEPT 80 rule prior to the REJECT all. Do this by specifying the top position when inserting. Note you have to save the changes if you want them to survive a service restart. Saving is tricky. Here are the details, but I prefer the sbin method below.
iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
/sbin/service iptables save
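Inserting at position 1 works, but it puts the new rule ahead of the RELATED,ESTABLISHED rule. The script below is an added example (not part of the original post or of CentOS): it reads the INPUT chain with line numbers, finds the REJECT rule, inserts the ACCEPT directly in front of it, and skips the insert if a rule for that port already exists. The IPTABLES variable is an assumption of this example: it defaults to a print-only helper so you can see the command before running it for real. The chain listing is a constructed sample of what `iptables -L INPUT -n --line-numbers` prints on a default CentOS 6 box.

```shell
#!/bin/sh
# Added example: insert an ACCEPT rule just ahead of the default "REJECT all"
# rule in INPUT rather than blindly at position 1, and never add it twice.
#
# IPTABLES is an assumption of this example. It defaults to print_cmd, which
# only prints the command; run as root with IPTABLES=iptables to apply it.
print_cmd() { printf 'iptables %s\n' "$*"; }
IPTABLES="${IPTABLES:-print_cmd}"

# Constructed sample of `iptables -L INPUT -n --line-numbers` on a default
# CentOS 6 install (numeric output, so the ssh rule shows as dpt:22).
SAMPLE_INPUT_CHAIN='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Reads a numbered chain listing on stdin and prints the rule number of the
# first REJECT rule; prints nothing if the chain has no REJECT rule.
first_reject_position() {
    awk '$2 == "REJECT" { print $1; exit }'
}

# has_tcp_accept PORT: reads a chain listing on stdin and succeeds if a tcp
# ACCEPT rule for destination port PORT is already there.
has_tcp_accept() {
    awk -v want="dpt:$1" '
        $2 == "ACCEPT" && $3 == "tcp" { for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# open_tcp_port PORT [LISTING]
# Emits (or runs) the iptables command that opens PORT. LISTING defaults to
# the live INPUT chain, which needs root; pass saved text to work offline.
open_tcp_port() {
    port="$1"
    listing="${2:-$(iptables -L INPUT -n --line-numbers)}"
    if printf '%s\n' "$listing" | has_tcp_accept "$port"; then
        echo "tcp port $port is already accepted, nothing to do" >&2
        return 0
    fi
    pos=$(printf '%s\n' "$listing" | first_reject_position)
    if [ -z "$pos" ]; then
        # No REJECT rule at the end of the chain, so appending is enough.
        $IPTABLES -A INPUT -p tcp --dport "$port" -j ACCEPT
    else
        # Insert at the REJECT rule's number; the REJECT moves down one place.
        $IPTABLES -I INPUT "$pos" -p tcp --dport "$port" -j ACCEPT
    fi
}

open_tcp_port 80 "$SAMPLE_INPUT_CHAIN"
# prints: iptables -I INPUT 5 -p tcp --dport 80 -j ACCEPT
```

After running it with IPTABLES=iptables you still need `/sbin/service iptables save`, exactly as above, or the rule is gone at the next restart.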
You might need a process to listen on a low port like 443 but not want it to run as root, and not want to deal with changing users at startup. You can use iptables to forward all traffic from one port to another. I'm assuming you're on a test system and don't want any firewall: the commands below set the INPUT policy to ACCEPT and flush the filter rules, so they remove the firewall entirely.
# tell linux to launch the iptables service at reboot
chkconfig iptables on
# start the iptables service now
service iptables start
# list the current normal (filter table) configuration
iptables -L
# list the current NAT table configuration
iptables -t nat -L -n -v
# set the policy for input to accept, i.e. no firewall, accept everything
iptables -P INPUT ACCEPT
# flush, i.e. delete all rules (filter table only; the nat table needs iptables -t nat -F)
iptables -F
# cause 443 to redirect to 8243
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8243
# save the changes
/sbin/service iptables save
# list again to see what you've changed
iptables -L
iptables -t nat -L -n -v
# restart eth0 to pick up the changes (not sure this is necessary)
service network restart
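One thing the single PREROUTING rule above does not cover: PREROUTING only sees packets arriving from the network, so a test from the box itself against 127.0.0.1:443 still hits port 443 and not the redirected service. The script below is an added example (not from the original post or from CentOS) that emits the PREROUTING rule together with a matching nat OUTPUT rule for loopback traffic, and then checks a `iptables -t nat -L -n -v` listing to confirm which port a given destination port is redirected to. IPTABLES and IFACE are assumptions of this example (print-only helper and eth0 by default), and the nat listing is a constructed sample.

```shell
#!/bin/sh
# Added example: redirect a low port to a high one for both external and
# local connections, and verify the result from the nat table listing.
#
# IPTABLES and IFACE are assumptions of this example. IPTABLES defaults to
# print_cmd (prints only); run as root with IPTABLES=iptables to apply.
print_cmd() { printf 'iptables %s\n' "$*"; }
IPTABLES="${IPTABLES:-print_cmd}"
IFACE="${IFACE:-eth0}"

# redirect_port FROM TO: send TCP FROM to TO, both for packets arriving on
# $IFACE (PREROUTING) and for packets the host sends itself via lo (OUTPUT).
redirect_port() {
    $IPTABLES -t nat -A PREROUTING -i "$IFACE" -p tcp --dport "$1" -j REDIRECT --to-port "$2"
    $IPTABLES -t nat -A OUTPUT -o lo -p tcp --dport "$1" -j REDIRECT --to-port "$2"
}

# Constructed sample of `iptables -t nat -L -n -v` after the two rules above.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 redir ports 8243

Chain POSTROUTING (policy ACCEPT 9 packets, 540 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 9 packets, 540 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      lo      0.0.0.0/0            0.0.0.0/0           tcp dpt:443 redir ports 8243'

# redirect_target CHAIN PORT: reads a `iptables -t nat -L -n -v` listing on
# stdin and prints the "redir ports" value of the REDIRECT rule matching tcp
# dport PORT in CHAIN; prints nothing when there is no such rule.
redirect_target() {
    awk -v chain="$1" -v want="dpt:$2" '
        $1 == "Chain" { cur = $2; next }
        cur == chain && $3 == "REDIRECT" {
            for (i = 1; i <= NF; i++) {
                if ($i == want) {
                    for (j = i; j <= NF; j++) {
                        if ($j == "ports") { print $(j + 1); exit }
                    }
                }
            }
        }'
}

redirect_port 443 8243
printf '%s\n' "$SAMPLE_NAT" | redirect_target PREROUTING 443
# prints: 8243
```

To check a live box instead of the sample, pipe `iptables -t nat -L -n -v` into redirect_target; an empty result means the redirect is not in place in that chain.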