Friday, May 4, 2012

iptables on CentOS 6.0

The following explains the default iptables firewall settings on CentOS 6.

iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   96  6776 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
   69 11894 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 69 packets, 9896 bytes)
 pkts bytes target     prot opt in     out     source               destination

The CentOS wiki provides details. This is my simplification:

  • ACCEPT RELATED ESTABLISHED allows existing conversations to continue.
  • ACCEPT icmp -- don't know
  • ACCEPT all lo allows internal traffic
  • ACCEPT tcp ssh allows new connections to the SSH port (dpt:ssh, i.e. port 22)
  • REJECT all kills everything else

So, to open port 80 on your soon-to-be apache server, you just need to add an ACCEPT 80 rule prior to the REJECT all. Do this by specifying the top position (1) when inserting; a rule appended after the REJECT is never reached. Note you have to save the changes if you want them to survive a restart of the iptables service. Saving is tricky. Here are the details, but I prefer the sbin method below.

iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
/sbin/service iptables save
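Rule order is the whole point of the step above, so here is a small audit helper, added as an example and not part of the original post: it parses an iptables -L -v listing (the CentOS 6 default INPUT chain from above, embedded as a constructed sample) and reports which verdict a fresh inbound TCP connection to a given port would get. The same port 80 rule is tried at position 1 (iptables -I INPUT 1) and appended at the end (iptables -A INPUT) to show that the appended one is shadowed by the REJECT. The function names, the SERVICE_PORTS name table and the "external interface" assumption in verdict() are mine, not iptables API.

```python
"""Added example (not from the post): parse an `iptables -L -v` listing and
work out which verdict a fresh inbound TCP connection to a port would get in
the INPUT chain.  It makes the post's ordering point checkable: a rule only
matters if it sits above the catch-all REJECT."""
import re

# Names that `iptables -L` (without -n) prints from /etc/services in place of numbers.
SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443}

# One rule line of `iptables -L -v`: pkts bytes target prot opt in out source destination [extras]
RULE_RE = re.compile(
    r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$"
)
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+))?")

# Constructed sample: the CentOS 6 default INPUT chain exactly as the post lists it.
DEFAULT_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   96  6776 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
   69 11894 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
"""
# Constructed: how `iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT` shows up in the listing.
HTTP_RULE = "    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http"


def parse_rule(line):
    """Turn one rule line into a dict; returns None for non-rule lines."""
    m = RULE_RE.match(line)
    if not m:
        return None
    _, _, target, prot, _, iface_in, _, _, _, extra = m.groups()
    port = None
    dpt = re.search(r"dpt:(\S+)", extra)
    if dpt:
        name = dpt.group(1)
        port = SERVICE_PORTS.get(name, int(name) if name.isdigit() else name)
    state = re.search(r"state (\S+)", extra)
    states = set(state.group(1).split(",")) if state else None  # None = matches any state
    return {"target": target, "prot": prot, "in": iface_in, "port": port, "states": states}


def parse_listing(text):
    """Return {chain: {"policy": str or None, "rules": [rule dicts in table order]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or line.lstrip().startswith("pkts"):
            continue
        rule = parse_rule(line)
        if rule:
            chains[current]["rules"].append(rule)
    return chains


def verdict(rules, policy, port):
    """First terminal target hit by a NEW TCP connection to `port` arriving on a
    non-loopback interface (assumption: interface-specific rules other than lo match)."""
    for r in rules:
        if r["prot"] not in ("all", "tcp"):
            continue
        if r["in"] == "lo":  # loopback-only rule never sees external traffic
            continue
        if r["port"] is not None and r["port"] != port:
            continue
        if r["states"] is not None and "NEW" not in r["states"]:
            continue
        if r["target"] in ("ACCEPT", "REJECT", "DROP"):
            return r["target"]
        # LOG and other non-terminal targets fall through to the next rule
    return policy


def audit(listing, port, extra_rule=None, insert_at_top=True):
    """Verdict for `port` on the listing's INPUT chain, optionally with one added rule
    placed at position 1 (`iptables -I INPUT 1 ...`) or at the end (`iptables -A INPUT ...`)."""
    chain = parse_listing(listing)["INPUT"]
    rules = list(chain["rules"])
    if extra_rule:
        rules.insert(0 if insert_at_top else len(rules), parse_rule(extra_rule))
    return verdict(rules, chain["policy"], port)


if __name__ == "__main__":
    print("ssh, default:", audit(DEFAULT_LISTING, 22))
    print("http, default:", audit(DEFAULT_LISTING, 80))
    print("http, -I INPUT 1:", audit(DEFAULT_LISTING, 80, HTTP_RULE))
    print("http, -A INPUT:", audit(DEFAULT_LISTING, 80, HTTP_RULE, insert_at_top=False))
```

To audit a live box, feed the output of iptables -L -v into audit() instead of the sample; if you list with -n, the dpt values arrive as numbers and the name table is not needed.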

Port Forwarding

You might need a process to listen on a low port like 443, but not want it to run as root and not want to deal with changing users at startup. You can use iptables to forward all traffic from one port to another. I'm assuming you're on a test system and don't want any firewall.

# tell linux to launch the iptables service at reboot
chkconfig iptables on

# start the iptables service now
service iptables start

# list the current filter table (the normal firewall rules)
iptables -L

# list the current nat table, where port redirects live
iptables -t nat -L -n -v

# set the policy for INPUT to ACCEPT, i.e. no firewall, accept everything
iptables -P INPUT ACCEPT

# flush, i.e. delete all rules in the filter table (this does not touch the nat table,
# so re-running the REDIRECT line below appends a second copy of it)
iptables -F

# redirect incoming TCP traffic on eth0 for port 443 to local port 8243
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8243

# save the changes so they survive a restart of the iptables service
/sbin/service iptables save

# list the filter table again to see what you've changed
iptables -L

# list the nat table again to see what you've changed
iptables -t nat -L -n -v

# restart eth0 to pick up the changes (not sure this is necessary)
service network restart
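The steps above switch the firewall off for the test box. If you would rather keep the CentOS 6 default rules and still redirect 443 to 8243, the file that /sbin/service iptables save writes (/etc/sysconfig/iptables, in iptables-save format) needs two things the REDIRECT alone does not give you: an ACCEPT for the post-NAT port, because REDIRECT runs in PREROUTING before the filter INPUT chain sees the packet, so INPUT sees dport 8243, not 443; and that ACCEPT has to sit above the catch-all REJECT. The following is an added example, not the post's own commands or a CentOS tool: build_ruleset() emits such a file for the eth0 / 443 / 8243 values from the post, and lint_ruleset() flags the two mistakes this setup invites (a duplicated nat rule from re-running the script, and a redirect whose target port is never accepted). Function names and finding texts are mine.

```python
"""Added example (not from the post): build a CentOS 6 /etc/sysconfig/iptables
ruleset (iptables-save format) that redirects a privileged port to an
unprivileged one while keeping the default firewall, then lint it."""
import re

REJECT_ALL = "-A INPUT -j REJECT --reject-with icmp-host-prohibited"


def build_ruleset(redirect_from, redirect_to, iface="eth0", open_tcp=(22,)):
    """Return iptables-restore text with the nat REDIRECT plus the default filter rules.

    REDIRECT happens in PREROUTING, before filter INPUT, so INPUT sees the packet
    with dport=redirect_to: that is the port the ACCEPT must name.  Note that this
    also makes redirect_to reachable directly, not only via redirect_from.
    """
    accepts = [f"-A INPUT -m state --state NEW -m tcp -p tcp --dport {p} -j ACCEPT"
               for p in (*open_tcp, redirect_to)]
    nat_lines = [
        "*nat",
        ":PREROUTING ACCEPT [0:0]", ":POSTROUTING ACCEPT [0:0]", ":OUTPUT ACCEPT [0:0]",
        f"-A PREROUTING -i {iface} -p tcp -m tcp --dport {redirect_from} "
        f"-j REDIRECT --to-ports {redirect_to}",
        "COMMIT",
    ]
    filter_lines = [
        "*filter",
        ":INPUT ACCEPT [0:0]", ":FORWARD ACCEPT [0:0]", ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
        "-A INPUT -p icmp -j ACCEPT",
        "-A INPUT -i lo -j ACCEPT",
        *accepts,            # new-connection ACCEPTs go above the catch-all REJECT
        REJECT_ALL,
        "-A FORWARD -j REJECT --reject-with icmp-host-prohibited",
        "COMMIT",
    ]
    return "\n".join(nat_lines + filter_lines) + "\n"


def lint_ruleset(text):
    """Return a list of findings for an iptables-save file; an empty list means clean."""
    findings, seen, table = [], set(), None
    input_rules, redirect_targets = [], []
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
            continue
        if not line.startswith("-A"):
            continue
        if (table, line) in seen:   # `iptables -F` does not flush nat, so reruns duplicate it
            findings.append(f"duplicate rule in {table}: {line}")
        seen.add((table, line))
        if table == "nat":
            m = re.search(r"-j REDIRECT --to-ports (\d+)", line)
            if m:
                redirect_targets.append(int(m.group(1)))
        elif table == "filter" and line.startswith("-A INPUT"):
            input_rules.append(line)

    # Walk INPUT in order: ACCEPTs after the catch-all REJECT/DROP are dead rules.
    accepted, terminal_seen = set(), False
    for rule in input_rules:
        if terminal_seen:
            findings.append(f"unreachable INPUT rule (after catch-all REJECT/DROP): {rule}")
            continue
        m = re.search(r"--dport (\d+) -j ACCEPT$", rule)
        if m:
            accepted.add(int(m.group(1)))
        elif re.fullmatch(r"-A INPUT -j (REJECT|DROP)(\s.*)?", rule):
            terminal_seen = True
    for port in redirect_targets:
        if port not in accepted:
            findings.append(f"REDIRECT target port {port} has no reachable INPUT ACCEPT "
                            "(INPUT sees the post-NAT port)")
    return findings


if __name__ == "__main__":
    ruleset = build_ruleset(443, 8243)
    print(ruleset)
    print("findings:", lint_ruleset(ruleset))
```

Write the output to /etc/sysconfig/iptables and run service iptables restart to load it; run lint_ruleset() over the existing file first if you are unsure what a previous run of the script left behind.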