Contents
- 1 Overview
- 2 iptables
- 2.1 iptables chains
- 2.2 Stateful configuration
- 2.3 iptables examples
- 2.3.1 Allow LocalHost
- 2.3.2 Allow Web Browsing
- 2.3.3 Allow Outgoing SSH
- 2.3.4 Allow Incoming SSH
- 2.3.5 Allow Incoming Web Server
- 2.3.6 Allow DHCP Client
- 2.3.7 Allow DHCP Server
- 2.3.8 Allow DNS requests
- 2.3.9 Allow Incoming ping
- 2.3.10 Allow Outgoing ping
- 2.3.11 Allow Zabbix Agent
- 2.3.12 Allow Outgoing RDP
- 2.3.13 Allow Incoming RDP Server
- 2.3.14 Allow SMTP Server
- 2.3.15 Allow SMTP Client
- 2.3.16 Allow SMTPs Server
- 2.3.17 Allow SMTPs Client
- 2.3.18 Allow SMTP TLS Server
- 2.3.19 Allow SMTP TLS Client
- 2.3.20 Allow POP Server
- 2.3.21 Allow POP Client
- 2.3.22 Allow POPs Server
- 2.3.23 Allow POPs Client
- 2.3.24 Allow IMAP Server
- 2.3.25 Allow IMAP Client
- 2.3.26 Allow IMAPs Server
- 2.3.27 Allow IMAPs Client
- 2.3.28 Allow mySQL Server
- 2.3.29 Allow mySQL Client
- 2.3.30 Allow NTP Server
- 2.3.31 Allow NTP Client
- 2.3.32 Allow rsync
- 2.3.33 Allow rsyslogd
- 2.3.34 Allow SAMBA Server
- 2.3.35 Allow NFS Server
- 2.3.36 Allow TFTP Server
- 2.3.37 Allow Routing
- 2.4 Specify port range
- 2.5 Specify IP Address range
Overview
“iptables is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores.
Different kernel modules and programs are currently used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.”
In this tutorial I will give a few essential examples of how to use iptables on CentOS. The examples use the iptables init script and the /etc/sysconfig/iptables file of CentOS 5 and 6; CentOS 7 and later ship firewalld by default.
iptables
There are several ways to configure iptables on CentOS.
The simplest is the system-config-firewall tool (or its text-mode version, system-config-firewall-tui), which sets up standard rules such as Web Server, FTP Server and a few more.
The second is to add rules with the iptables command itself. This is best for testing, because nothing is saved until you run:
/etc/init.d/iptables save
The third is to edit the file /etc/sysconfig/iptables directly, which is what I will show you today. After editing, load the file with service iptables restart. If you are doing this over SSH, make sure the file already contains the incoming SSH rule and the stateful rules from the next sections before you restart, or you will lock yourself out.
iptables chains
First, empty /etc/sysconfig/iptables:
echo > /etc/sysconfig/iptables
Then set the default policy of the three built-in chains to DROP. The file must open with the table name and end with COMMIT, which tells iptables-restore to load what it has read; every rule in the following sections goes between the policy lines and COMMIT:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
With the policies in place nothing is allowed until a rule accepts it, so now we are ready to insert the necessary rules into our chains.
Stateful configuration
A stateful rule lets every packet that belongs to an already established connection through, so all later rules only have to match the first packet of a connection (state NEW). Put these rules first:
#Allow all Established connections
-A INPUT -p all -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p all -m state --state ESTABLISHED -j ACCEPT
Some services (ftp, tftp and other protocols with a connection-tracking helper) require you to allow related connections as well:
#Allow all Related connections
-A INPUT -p all -m state --state RELATED -j ACCEPT
-A OUTPUT -p all -m state --state RELATED -j ACCEPT
Newer iptables versions prefer -m conntrack --ctstate over -m state, but -m state still works on CentOS 6.
iptables examples
Allow LocalHost
First we need a rule that lets the loopback interface talk to itself; many local services depend on it:
#All localhost
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
Allow Web Browsing
#Out Internet Access
-A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
#Out Internet Access SSL
-A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
Allow Outgoing SSH
#Out SSH
-A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
Allow Incoming SSH
Allow incoming SSH from a specified subnet or IP address (the preferred form; the -s match is what keeps the rest of the Internet away from your SSH daemon):
#In SSH
-A INPUT -p tcp -s 10.0.0.0/24 --dport 22 -m state --state NEW -j ACCEPT
Allow incoming SSH from anywhere (only if you really need it):
#In SSH
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
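As an added example (not part of the original post), here is a shell pre-flight check for a file in the /etc/sysconfig/iptables format built above. Loading a broken file with service iptables restart over SSH is how you lock yourself out, so the script checks for the mistakes these rules are most prone to before you load anything: a *filter header with no COMMIT, a --dport/--sport rule with no -p tcp or -p udp, a DROP policy on INPUT without a loopback or ESTABLISHED accept, and no INPUT rule for the SSH port. The function names, the ssh_port argument and the two sample rulesets are this example's own; the samples are constructed, not real configurations.

```shell
#!/bin/sh
# Added example: pre-flight checks for an /etc/sysconfig/iptables file.
# Usage: check_ruleset FILE [SSH_PORT]   (exit status 0 = nothing found)
# Function names and sample data below are this example's own.

check_ruleset() {
    file=$1
    ssh_port=${2:-22}
    problems=0

    # 1. Each *table header must be closed by a COMMIT line; without it
    #    iptables-restore does not apply the table.
    tables=$(grep -c '^\*' "$file" || true)
    commits=$(grep -c '^COMMIT' "$file" || true)
    if [ "$tables" -ne "$commits" ]; then
        echo "ERROR: $tables table header(s) but $commits COMMIT line(s)"
        problems=$((problems + 1))
    fi

    # 2. --sport/--dport (and multiport --dports) live inside the tcp/udp
    #    match, so the rule must say -p tcp or -p udp or iptables rejects it.
    while IFS= read -r line; do
        case $line in
            -A*--[sd]port*)
                case $line in
                    *"-p tcp"*|*"-p udp"*) ;;
                    *) echo "ERROR: port match without -p tcp/udp: $line"
                       problems=$((problems + 1)) ;;
                esac ;;
        esac
    done < "$file"

    # 3. With INPUT policy DROP, loopback and reply traffic must be accepted
    #    explicitly or local services and every outgoing connection break.
    if grep -q '^:INPUT DROP' "$file"; then
        if ! grep -q -- '-A INPUT -i lo -j ACCEPT' "$file"; then
            echo "ERROR: INPUT policy is DROP but there is no loopback accept rule"
            problems=$((problems + 1))
        fi
        if ! grep -qE -- '-A INPUT .*--(ct)?state [A-Z,]*ESTABLISHED' "$file"; then
            echo "ERROR: INPUT policy is DROP but no rule accepts ESTABLISHED traffic"
            problems=$((problems + 1))
        fi
        # 4. Lockout check: some plain --dport INPUT rule must accept TCP to the SSH port.
        if ! grep -qE -- "-A INPUT .*-p tcp .*--dport ${ssh_port}"'( |$)' "$file"; then
            echo "ERROR: INPUT policy is DROP but no rule accepts tcp/${ssh_port} (SSH)"
            problems=$((problems + 1))
        fi
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample rulesets (not real hosts): one correct, one with the
# mistakes above. Both are written into the directory given as $1.
write_samples() {
    cat > "$1/good" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s 10.0.0.0/24 --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
COMMIT
EOF
    cat > "$1/bad" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT --sport 100:200 --dport 200:300 -j ACCEPT
EOF
}

# Demo run over the two constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in good bad; do
    if check_ruleset "$tmp/$f" 22; then
        echo "$f: safe to load"
    else
        echo "$f: fix before running service iptables restart"
    fi
done
rm -rf "$tmp"
```

The checks are deliberately textual: they do not need root or a running iptables, so you can run them on the file before copying it to /etc/sysconfig/iptables. The SSH check only recognises a plain --dport rule; if you open SSH through a multiport list, adjust the pattern.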
Allow Incoming Web Server
#In Internet Access Port 80
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
#In Internet Access SSL Port 443
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
Allow DHCP Client
#In/Out DHCP Client
-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
Allow DHCP Server
#In/Out DHCP Server
-A INPUT -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -p udp --sport 67 --dport 68 -j ACCEPT
Allow DNS requests
Outgoing lookups use UDP port 53. DNS falls back to TCP port 53 for answers that do not fit in a UDP datagram (and for zone transfers), so add the same rule with -p tcp if your resolver needs it.
#Out DNS
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
Allow Incoming ping
#In ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
Allow Outgoing ping
#Out ping
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
Allow Zabbix Agent
#In Zabbix Agent
-A INPUT -p tcp --dport 10050 -m state --state NEW -j ACCEPT
Allow Outgoing RDP
#Out RDP
-A OUTPUT -p tcp --dport 3389 -m state --state NEW -j ACCEPT
Allow Incoming RDP Server
#In RDP
-A INPUT -p tcp --dport 3389 -m state --state NEW -j ACCEPT
Allow SMTP Server
#In SMTP
-A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
Allow SMTP Client
#Out SMTP
-A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
Allow SMTPs Server
#In SMTPs
-A INPUT -p tcp --dport 465 -m state --state NEW -j ACCEPT
Allow SMTPs Client
#Out SMTPs
-A OUTPUT -p tcp --dport 465 -m state --state NEW -j ACCEPT
Allow SMTP TLS Server
#In SMTP TLS (submission port)
-A INPUT -p tcp --dport 587 -m state --state NEW -j ACCEPT
Allow SMTP TLS Client
#Out SMTP TLS (submission port)
-A OUTPUT -p tcp --dport 587 -m state --state NEW -j ACCEPT
Allow POP Server
#In POP
-A INPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT
Allow POP Client
#Out POP
-A OUTPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT
Allow POPs Server
#In POPs
-A INPUT -p tcp --dport 995 -m state --state NEW -j ACCEPT
Allow POPs Client
#Out POPs
-A OUTPUT -p tcp --dport 995 -m state --state NEW -j ACCEPT
Allow IMAP Server
#In IMAP
-A INPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT
Allow IMAP Client
#Out IMAP
-A OUTPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT
Allow IMAPs Server
#In IMAPs
-A INPUT -p tcp --dport 993 -m state --state NEW -j ACCEPT
Allow IMAPs Client
#Out IMAPs
-A OUTPUT -p tcp --dport 993 -m state --state NEW -j ACCEPT
Allow mySQL Server
As with incoming SSH, add -s <subnet> to this rule so that only your application hosts can reach the database.
#In mySQL
-A INPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT
Allow mySQL Client
#Out mySQL
-A OUTPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT
Allow NTP Server
#In NTP
-A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
Allow NTP Client
#Out NTP
-A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
Allow rsync
#In rsync
-A INPUT -p tcp --dport 873 -m state --state NEW -j ACCEPT
#Out rsync
-A OUTPUT -p tcp --dport 873 -m state --state NEW -j ACCEPT
Allow rsyslogd
#In rsyslogd
-A INPUT -p tcp --dport 514 -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 514 -m state --state NEW -j ACCEPT
#Out rsyslogd
-A OUTPUT -p tcp --dport 514 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 514 -m state --state NEW -j ACCEPT
Allow SAMBA Server
#In Samba
-A INPUT -p udp --dport 137:139 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 139,445 -m state --state NEW -j ACCEPT
Allow NFS Server
Several NFS daemons pick random ports at startup, so pin them first. Add the following lines to /etc/sysconfig/nfs and restart the NFS services so the new ports take effect:
RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
STATD_OUTGOING_PORT=2020
RDMA_PORT=20049
Then open those ports plus the portmapper (111) and nfsd (2049):
#In NFS
-A INPUT -p tcp -m multiport --dports 111,662,875,892,2020,2049,20049,32803 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m multiport --dports 111,662,875,892,2020,2049,20049,32769 -m state --state NEW -j ACCEPT
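The two port lists above have to be kept in step with /etc/sysconfig/nfs by hand, which is where firewall and service configuration usually drift apart. As an added example (not part of the original post), the following script generates the NFS INPUT rules from the pins in that file, so a changed pin shows up in the firewall automatically. The function names and the sample file are this example's own; the sample is a constructed copy of /etc/sysconfig/nfs with the pins from this page, not the real file. Ports 111 and 2049 are added as constants because they are fixed and not set in that file.

```shell
#!/bin/sh
# Added example: derive the NFS INPUT rules from the port pins in
# /etc/sysconfig/nfs. nfs_rules reads the file given as $1 and prints the
# two multiport rules. Names and sample data are this example's own.

# Turn a comma list into a sorted, de-duplicated comma list.
sort_ports() {
    printf '%s\n' "$1" | tr ',' '\n' | sort -n -u | paste -sd, -
}

nfs_rules() {
    conf=$1
    # portmapper (111) and nfsd (2049) are fixed and are not pinned in the file.
    tcp="111,2049"
    udp="111,2049"
    while IFS='=' read -r key value; do
        key=$(printf '%s' "$key" | tr -d ' \t')
        case $key in
            ''|'#'*) continue ;;                       # blank line or comment
        esac
        value=${value%%#*}                             # drop trailing comment
        value=$(printf '%s' "$value" | tr -d ' \t"')   # drop blanks and quotes
        [ -n "$value" ] || continue
        case $key in
            LOCKD_TCPPORT) tcp="$tcp,$value" ;;
            LOCKD_UDPPORT) udp="$udp,$value" ;;
            RQUOTAD_PORT|MOUNTD_PORT|STATD_PORT|STATD_OUTGOING_PORT|RDMA_PORT)
                tcp="$tcp,$value"
                udp="$udp,$value" ;;
        esac
    done < "$conf"
    tcp=$(sort_ports "$tcp")
    udp=$(sort_ports "$udp")
    printf '%s\n' "-A INPUT -p tcp -m multiport --dports $tcp -m state --state NEW -j ACCEPT"
    printf '%s\n' "-A INPUT -p udp -m multiport --dports $udp -m state --state NEW -j ACCEPT"
}

# Constructed sample of /etc/sysconfig/nfs (written to the path given as $1),
# including a quoted value, a trailing comment and a commented-out pin.
write_nfs_sample() {
    cat > "$1" <<'EOF'
# Port pins so the NFS firewall rules can be static (constructed sample)
RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT="662"
STATD_OUTGOING_PORT=2020   # statd's outgoing connections
RDMA_PORT=20049
#MOUNTD_PORT=20048 (commented out, must be ignored)
EOF
}

# Demo run: print the rules for the sample file.
tmp=$(mktemp)
write_nfs_sample "$tmp"
echo "#In NFS (generated)"
nfs_rules "$tmp"
rm -f "$tmp"
```

Run it against the real file with nfs_rules /etc/sysconfig/nfs and paste the output into /etc/sysconfig/iptables. Because the lists are sorted and de-duplicated, re-running it after a pin change gives a clean diff against the rules already in the firewall file.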
Allow TFTP Server
TFTP sends the data from a port the server picks for each request, so the connection-tracking helper nf_conntrack_tftp must be loaded to mark those packets as RELATED. Edit /etc/sysconfig/iptables-config and make sure it contains:
IPTABLES_MODULES="nf_conntrack_tftp"
TFTP is UDP only, so one rule on UDP port 69 is enough:
#In TFTP
-A INPUT -p udp --dport 69 -m state --state NEW -j ACCEPT
#The data transfer is RELATED to the request; this rule is already present if you added the Stateful configuration above
-A OUTPUT -p all -m state --state RELATED -j ACCEPT
Allow Routing
Allow routing from Network-1 to Network-2 attached to two different NICs. Two things are needed besides the rule: the kernel must forward packets (net.ipv4.ip_forward = 1 in /etc/sysctl.conf, applied with sysctl -p), and, because the stateful rules above only cover INPUT and OUTPUT, the FORWARD chain needs its own rule for the replies coming back from eth1:
#Allow routing from eth0 to eth1
-A FORWARD -i eth0 -o eth1 -j ACCEPT
#Allow the replies back through
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Specify port range
For example, allow all TCP traffic from source ports 100-200 to destination ports 200-300. --sport and --dport belong to the tcp/udp match, so the rule must name the protocol or iptables rejects it:
-A OUTPUT -p tcp --sport 100:200 --dport 200:300 -j ACCEPT
Use -p udp for the UDP equivalent.
Specify IP Address range
An IP address range requires the iprange match module.
For example, allow all communication to and from 10.0.0.1-10.0.0.100:
-A OUTPUT -m iprange --dst-range 10.0.0.1-10.0.0.100 -j ACCEPT
-A INPUT -m iprange --src-range 10.0.0.1-10.0.0.100 -j ACCEPT
Enjoy!
DevOps/IT Specialist, Musician.
IT Manager – Faculty of Exact Sciences, Bar-Ilan University
Thank you Adam for a comprehensive explanation and variety of commands for various functions. I will have a copy of the link to this page saved as I am sure I will have to refer to it again. Thanks once again.