Public Cloud Forum HOWTO: Use iptables with CentOS 7

Replies 2 replies
Subscribers 54 subscribers
Views 123811 views
Users 0 members are here

Options

Thank you for visiting the Rackspace Community

The The Community is live! Post new content or topics so our teams can assist.

Please contact your support team if you have a question or need assistance for any Rackspace products, services, or articles.

HOWTO: Use iptables with CentOS 7

RackerEmeritus over 3 years ago

Starting with RHEL 7 / CentOS 7, firewalld was introduced to manage iptables. As such, you will either need to use firewall-cmd commands or disable firewalld and enable iptables. If you prefer to use the classic iptables setup, then this article will show you how to do just that.

The first step is to stop and mask the firewalld service (i.e., the service you do not want to use):

$ systemctl stop firewalld
$ systemctl mask firewalld

Then, install the "iptables-services" package (if it is not already installed):

$ yum install iptables-services

Enable the service to start at boot-time:

$ systemctl enable iptables
$ systemctl enable ip6tables

You can now either add iptables rules from the CLI (e.g., `iptables -I INPUT ...`) or create/edit your /etc/sysconfig/iptables file to look something like the following (very basic with ports 22 and 80 open):

$ cat /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [214:43782]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT

$cat /etc/sysconfig/ip6tables

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [214:43782]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT

If you are saving your rules in the /etc/sysconfig/ip{,6}tables files, you will then need to run the following commands:

$ systemctl restart iptables
$ systemctl restart ip6tables

Next, check that the iptables service is "active" with:

$ systemctl status iptables
$ systemctl status ip6tables

Check your iptables rules with:

$ iptables -L
$ ip6tables -L

and that your server is listening on those ports you opened (22 and 80 in the above example):

$ netstat -plant

and you can query the systemd journal for a "log" of the changes you made to the iptables service with:

$ journalctl -f -u iptables.service
$ journalctl -f -u ip6tables.service

If you reboot your server after the above, your iptables rules should be saved and automatically re-loaded again.

That's it!

jamieburchell over 2 years ago

What about ip6tables / IPv6? Is this open by default to the world if not configured given nodes are assigned an IPv6 address? Also in the example rules there is no rule to reject anything and the default policy is accept?
Cancel
Up 0 Down

Reply

Cancel
RussellT over 2 years ago in reply to jamieburchell

Hello Jamie!

Thanks for your response. You are correct on both counts. If only iptables rules are created, any IPv6 addresses will be left open with unimpeded access, and the sample rules were missing a REJECT rule.

I have edited the original article to reflect this information. Thanks for bringing that to our attention!

Russell T.
Cancel
Up 0 Down

Reply

Cancel

HOWTO: Use iptables with CentOS 7

About Rackspace

Blog

Support

Legal