Setting Up A Basic Firewall On Redhat/CentOS
CentOS / Redhat Iptables Firewall Configuration Tutorial
Evans
Last Update 2 months ago
How do I configure a host-based firewall called Netfilter (iptables) under CentOS / Fedora / Red Hat Enterprise Linux (RHEL)?
Netfilter is the packet-filtering framework built into the Linux kernel; iptables is the user-space tool that loads rules into it. RHEL, CentOS and Fedora ship Netfilter as part of the kernel, and RHEL/CentOS 5 and 6 enable the iptables service with a default ruleset out of the box. (RHEL/CentOS 7 and later front Netfilter with firewalld instead; the /etc/sysconfig/iptables workflow below applies there only after installing the iptables-services package and disabling firewalld.)
Filtering happens in the kernel, so a packet is accepted, rejected or dropped before any user-space program ever sees it.
The default configuration files for RHEL / CentOS / Fedora Linux are:
- /etc/sysconfig/iptables – the saved ruleset, in iptables-save format. The iptables init script loads this file at boot, so rules added with the iptables command alone are lost at the next restart unless they are saved here.
- /etc/sysconfig/iptables-config – options for the init script, such as the kernel modules to load before the rules are restored (see below).
Type the following command:
Sample outputs:
Type the following two commands to turn on the firewall:
The default ruleset uses four chains in the filter table, the three built-in ones and one user-defined chain:
- INPUT – built-in chain for packets addressed to this host. Use it to open or close incoming ports (such as 80, 25 and 110) and source IP addresses / subnets (such as 202.54.1.20/29).
- OUTPUT – built-in chain for packets generated by this host. Use it to open or close outgoing ports and destination IP addresses / subnets.
- FORWARD – built-in chain for packets routed through this host from one interface to another, which normally only happens when Linux acts as a router. For example, with eth0 connected to an ADSL/cable modem and eth1 connected to the local LAN, FORWARD rules control what the LAN may send to and receive from the Internet (IP forwarding must also be enabled in the kernel for this to work at all).
- RH-Firewall-1-INPUT – a user-defined chain created by the stock RHEL/CentOS ruleset. The INPUT and FORWARD chains each begin with a rule that jumps to it, so most filtering rules live there; OUTPUT does not use it.
- Each packet starts at the first rule of the chain.
- A packet proceeds down the chain until it matches a rule.
- When a rule matches, control jumps to that rule's target (such as ACCEPT, REJECT, DROP or a user-defined chain). If no rule matches, the built-in chain's default policy decides the packet's fate; user-defined chains have no policy, so an unmatched packet returns to the calling chain.
- The target ACCEPT lets the packet through.
- The target REJECT discards the packet and sends an error back to the sender (an ICMP error by default, or a TCP RST if requested), so a legitimate client fails immediately instead of hanging.
- The target DROP discards the packet silently; the sender gets no response and has to time out. DROP gives a scanner less to work with, REJECT is kinder to legitimate clients and to your own troubleshooting.
Edit /etc/sysconfig/iptables, enter:
You will see the default rules as follows:
Find lines:
Change the default policy of the INPUT and FORWARD built-in chains from ACCEPT to DROP, leaving OUTPUT at ACCEPT so the host can still initiate its own connections, as follows:
Append the following lines before final COMMIT line:
Find the lines:
Update it as follows:
Open Port
To open port 80 (HTTP server), add the following before the COMMIT line:
To open port 53 (DNS server), add the following before the COMMIT line. DNS needs both UDP and TCP port 53: queries normally travel over UDP, while zone transfers and responses too large for a UDP datagram use TCP, so open both:
To open port 443 (HTTPS server), add the following before the COMMIT line:
To open port 25 or 587 (SMTP server; 587 is the submission port used by authenticated mail clients), add the following before the COMMIT line:
Save and close the file. Edit /etc/sysconfig/iptables-config, enter:
Make sure the FTP connection-tracking helper is loaded by listing it in IPTABLES_MODULES, a space-separated list of modules (ip_conntrack_ftp on RHEL/CentOS 5 kernels, nf_conntrack_ftp on RHEL/CentOS 6 and later). Without the helper, passive-mode FTP data connections are not recognised as RELATED and are dropped by the ruleset above.
To restart firewall, type the following commands:
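The whole procedure above (DROP policies on INPUT and FORWARD, the stock RH-Firewall-1-INPUT layout, one ACCEPT per service port, the FTP helper in iptables-config, then restart and enable at boot) as one added example. This is my own script, not code from the original article; the port list, the helper module name and the APPLY_FIREWALL guard are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original article: render a complete
# /etc/sysconfig/iptables (iptables-save format) with DROP policies on INPUT
# and FORWARD, the stock RH-Firewall-1-INPUT layout, and an explicit allow list.
# Assumptions: SSH listens on 22, the TCP ports passed in are the services
# from the text (80, 443, 25, 587, 53), and UDP 53 is always added for DNS.
FTP_HELPER=${FTP_HELPER:-nf_conntrack_ftp}   # ip_conntrack_ftp on RHEL/CentOS 5

# Print the ruleset. Arguments: TCP ports to open (22 is always first).
render_rules() {
    printf '%s\n' '*filter'
    # Built-in chain policies: drop unsolicited inbound and forwarded traffic,
    # let the host originate connections.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # User-defined chain: "-" because user chains carry no policy.
    printf '%s\n' ':RH-Firewall-1-INPUT - [0:0]'
    printf '%s\n' '-A INPUT -j RH-Firewall-1-INPUT'
    printf '%s\n' '-A FORWARD -j RH-Firewall-1-INPUT'
    # Loopback, replies to connections this host started, and ping.
    printf '%s\n' '-A RH-Firewall-1-INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    # One rule per service, matching NEW connections only. SSH goes first so
    # that a typo further down cannot lock you out of the box.
    for port in 22 "$@"; do
        printf '%s\n' "-A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' '-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT'
    # Anything left is answered with an ICMP error, as in the stock ruleset.
    printf '%s\n' '-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited'
    printf '%s\n' 'COMMIT'
}

# Sanity checks before touching the live file: COMMIT must be the last line
# and the SSH ACCEPT must come before the final REJECT.
check_rules() {
    rules=$1
    [ "$(printf '%s\n' "$rules" | tail -n 1)" = "COMMIT" ] || return 1
    ssh_at=$(printf '%s\n' "$rules" | grep -n -- '--dport 22 -j ACCEPT' | head -n 1 | cut -d: -f1)
    rej_at=$(printf '%s\n' "$rules" | grep -n -- '-j REJECT' | head -n 1 | cut -d: -f1)
    [ -n "$ssh_at" ] && [ -n "$rej_at" ] && [ "$ssh_at" -lt "$rej_at" ]
}

# Install the ruleset (root required; only runs when APPLY_FIREWALL=1):
# back up the old file, write the new one, list the FTP conntrack helper in
# /etc/sysconfig/iptables-config, then restart the service and enable it at boot.
apply_ruleset() {
    rules=$(render_rules "$@")
    check_rules "$rules" || { echo "refusing to install a broken ruleset" >&2; return 1; }
    cp /etc/sysconfig/iptables "/etc/sysconfig/iptables.bak.$(date +%s)" 2>/dev/null || :
    printf '%s\n' "$rules" > /etc/sysconfig/iptables
    sed -i "s/^IPTABLES_MODULES=.*/IPTABLES_MODULES=\"$FTP_HELPER\"/" /etc/sysconfig/iptables-config
    service iptables restart && chkconfig iptables on
}

if [ "${APPLY_FIREWALL:-0}" = "1" ]; then
    apply_ruleset 80 443 25 587 53
else
    render_rules 80 443 25 587 53      # dry run: show what would be installed
fi
```

Two things worth noticing in the output. Unsolicited packets never reach the DROP policy on INPUT, because the last rule of RH-Firewall-1-INPUT rejects them first; the policy is a safety net for the day someone deletes the jump rule. And because the SSH rule sits above the service rules, run the apply step from a console or keep a second session open anyway: a DROP policy plus a mistake in the file is the classic way to lock yourself out of a remote box.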
Edit /etc/sysctl.conf to defend against certain network-level attacks (spoofed and source-routed packets, ICMP redirects, SYN floods) and append / update as follows:
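As an added example (mine, not the article's), the kernel settings normally used for that purpose, with a checker that compares them against the running kernel via /proc/sys and an installer that appends them to /etc/sysctl.conf and loads them without a reboot. The marker comment, the function names and the assumption that every key exists on the target kernel (true for RHEL/CentOS 5 and later) are mine.

```shell
#!/bin/sh
# Added example, not code from the original article: network hardening
# sysctls that usually go with a host firewall, plus a checker and installer.
# Assumption: every key below exists on the target kernel (RHEL/CentOS 5+).

# Desired settings, one key=value per line.
hardening_settings() {
    cat <<'EOF'
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
net.ipv4.ip_forward=0
EOF
}
# rp_filter: drop packets whose source address is not reachable back through
#   the interface they arrived on (basic anti-spoofing).
# accept_source_route: refuse packets that carry their own routing path.
# accept/secure/send_redirects: neither honour nor emit ICMP redirects, which
#   an on-link attacker can use to rewrite this host's routes.
# log_martians: log packets with impossible source addresses.
# icmp_echo_ignore_broadcasts: do not answer broadcast pings (smurf amplifier).
# tcp_syncookies: survive SYN floods without exhausting the backlog.
# ip_forward=0: a plain host must not route; set to 1 only on a router.

# Map a sysctl key to its /proc/sys path: dots become slashes.
proc_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)"
}

# Compare each desired value with the live kernel. Prints every mismatch;
# the return value is the number of mismatches (0 means fully applied).
check_hardening() {
    bad=0
    for entry in $(hardening_settings); do
        key=${entry%%=*}
        want=${entry#*=}
        path=$(proc_path "$key")
        if [ ! -r "$path" ]; then
            echo "missing: $key"
            bad=$((bad + 1))
            continue
        fi
        have=$(cat "$path")
        if [ "$have" != "$want" ]; then
            echo "$key = $have (want $want)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Append the settings to /etc/sysctl.conf once, under a marker comment, then
# load them into the running kernel. Root required; only when APPLY_SYSCTL=1.
apply_hardening() {
    if ! grep -q '^# firewall-hardening' /etc/sysctl.conf; then
        { echo '# firewall-hardening'; hardening_settings; } >> /etc/sysctl.conf
    fi
    sysctl -p
}

if [ "${APPLY_SYSCTL:-0}" = "1" ]; then
    apply_hardening && check_hardening
else
    check_hardening
fi
```

Run it once before the change to see which values the distribution already sets, and once after `sysctl -p` to confirm nothing was silently rejected. If the machine is meant to route (the FORWARD case above), drop the ip_forward line rather than leaving a setting that the next `sysctl -p` will undo.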
Alternate Configuration Option:
You can skip the /etc/sysconfig/iptables file altogether and build the ruleset with a shell script that runs iptables commands directly, as follows:
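An added example of that alternative, written by me rather than taken from the article: the same default-deny policy expressed as iptables commands, with a flush step so it can be re-run, rate-limited logging of refused packets, and a save step so the result lands in /etc/sysconfig/iptables for the next boot. Setting IPT=echo turns it into a dry run that prints the commands instead of executing them; the port lists and the APPLY_FIREWALL guard are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article: build the firewall with
# iptables commands instead of editing /etc/sysconfig/iptables by hand.
# Set IPT=echo to print the commands instead of running them (dry run).
# The port lists are assumptions matching the services named in the text.
IPT=${IPT:-/sbin/iptables}
TCP_PORTS=${TCP_PORTS:-"22 80 443 25 587 53"}
UDP_PORTS=${UDP_PORTS:-"53"}

# Return to a known state: flush every rule, remove user chains, zero counters.
reset_firewall() {
    $IPT -F
    $IPT -X
    $IPT -Z
    $IPT -t nat -F
    $IPT -t mangle -F
}

build_firewall() {
    # Default-deny for inbound and forwarded traffic; the host itself may go out.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, and replies to connections this host started.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # A loopback source address on any other interface is spoofed: drop it.
    $IPT -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

    # Services: new TCP connections and UDP datagrams to the listed ports.
    for p in $TCP_PORTS; do
        $IPT -A INPUT -p tcp -m state --state NEW --dport "$p" -j ACCEPT
    done
    for p in $UDP_PORTS; do
        $IPT -A INPUT -p udp --dport "$p" -j ACCEPT
    done
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Log what is about to be refused, rate-limited so a port scan cannot
    # flood the log, then reject with an ICMP error like the stock ruleset.
    $IPT -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables denied: "
    $IPT -A INPUT -j REJECT --reject-with icmp-host-prohibited
}

# Persist the live rules to /etc/sysconfig/iptables and enable at boot.
save_firewall() {
    service iptables save && chkconfig iptables on
}

# Dry run: the exact command lines the functions would execute, one per line.
plan_firewall() {
    ( IPT=echo; reset_firewall; build_firewall )
}

if [ "${APPLY_FIREWALL:-0}" = "1" ]; then
    reset_firewall && build_firewall && save_firewall
else
    plan_firewall
fi
```

Because the script flushes first, re-running it after editing the port list is safe, but note the window: between `-F` and the ACCEPT rules the policies are still whatever they were before, so on a box that was already default-deny, run it as a whole script rather than pasting it line by line into an SSH session.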