Configuring iptables in CentOS 7

All operating systems based on Linux kernel has a built-in firewall that controls and to filter incoming and outgoing traffic based on user-defined or platform rules. In CentOS 7 by default, this function is performed by the utility iptables, interacting with built-in firewall, netfilter. Sometimes a system administrator or network Manager has to configure this component by writing the appropriate rules. In today’s article, we’d like to talk about the basics of configuration of iptables in the above mentioned OS.

Custom iptables in CentOS 7

The tool is available immediately after completing the installation of CentOS 7, but additionally you will need to install some services, which we’ll talk further. In this platform there is another built-in tool that performs the function of a firewall called FirewallD. To avoid conflicts in future work it is recommended to disable this feature. Detailed instructions on this subject read our other material on the following the link.

Read more: Disable firewallD in CentOS 7

As known, the system can apply both IPv4 and IPv6. Today we will focus on the example of IPv4, but if you want to implement a different Protocol will be required instead of the command iptables in the console to use ip6tables.

Installation services iptables

Priority should be added to the system, additional components under consideration today utility. They will help in configuring rules and other settings. Download from the official repository, so will not take much time.

All further actions will be carried out in the classic console, so run it by any convenient method.

For the installation of services meets the command sudo yum install iptables-services. Enter it and press Enter.

Confirm the superuser account, putting password. Please note that when requesting sudo enter the characters in the string will never be displayed.

You will be prompted to add one package, confirm the action by choosing the option y.

Upon completion of the installation, check the current version of the tool: sudo iptables –version.

The result will appear in the new row.

Now the OS is completely ready for further configuration using the firewall utility iptables. We suggest to familiarize with the configuration of the points, starting with management services.

Stopping and starting services, iptables

Control of operation of iptables is required in those cases when it is necessary to test the effect of certain rules, or just restart the component. This is done using built-in commands.

Enter sudo service iptables stop and press Enterto stop the services.

To confirm this procedure, specify the root password.

If successful, the new line is displayed, indicating changes to the configuration file.

Starting services is practically the same, the string takes the form sudo service iptables start.

Like restart, start or stop utility available at any time, do not forget to return the inverse when it will be in demand.

Viewing and deleting rules

As mentioned earlier, management of the firewall is done by manually or auto-add rules. For example, some additional applications can access the tool by modifying certain policies. However, most of such actions is still done manually. View a list of all the current rules are available via the command sudo iptables-L.

In the displayed result will be information on the three chains: “INPUT”, “OUTPUT” and “FORWARD” — incoming, outgoing and forwarded traffic accordingly.

To determine the status of all chains by typing sudo iptables -S.

If seen, the rules don’t suit you, they are quite simply removed. The whole list is cleared so: sudo iptables-F. After the activation rules will be erased completely for all three circuits.

When you want to affect only the policy of one circuit is added to the string as an additional argument:

sudo iptables-F INPUT
sudo iptables-F OUTPUT
sudo iptables-F FORWARD

The lack of rules means that it does not apply any settings or filter traffic in any of the parties. Next, the system administrator independently sets the new parameters using the same console command and various arguments.

The reception and dropping of traffic in chains

Each chain is configured separately to allow or deny traffic. Putting a specific value, you can ensure that, for example, all inbound traffic will be blocked. This command should be sudo iptables –policy INPUT DROP, where INPUT is the name of the chain, and DROP — reset value.

Exactly the same settings for other circuits, for example, sudo iptables –policy OUTPUT DROP. If you need to set to accept traffic, then DROP changes to ACCEPT and it turns out sudo iptables –policy INPUT ACCEPT.

The allow and block ports

As you know, all network applications and processes are running on a certain port. By allowing or blocking certain addresses to control access of all network purposes. Let’s look at the forwarding port for example 80. In the”Terminal” will be enough to enter the command sudo iptables -A INPUT -p tcp –dport 80 -j ACCEPTwhere -And — add a new rule, INPUT — specifying chain -P — a Protocol definition, in this case TCP and –dport is the destination port.

The same command applies to the port 22used by SSH service: sudo iptables -A INPUT -p tcp –dport 22 -j ACCEPT.

To block the specified port line is applied exactly the same, only at the end of ACCEPT is changed to DROP. The result is, for example, sudo iptables -A INPUT -p tcp –dport 2450-j DROP.

All these rules are entered into the configuration file and you can view them at any time. Remember, this is done through sudo iptables-L. If the port you want to allow network IP address line is modified slightly — after TPC is added -s and the address. sudo iptables -A INPUT-p tcp-s 12.12.12.12/32 –dport 22 -j ACCEPTwhere 12.12.12.12/32 — the desired IP address.

The blocking occurs on the same principle, changing the end value to ACCEPT to DROP. Then, for example, sudo iptables -A INPUT-p tcp-s 12.12.12.0/24 –dport 22 -j DROP.

Blocking ICMP

ICMP (Internet Control Message Protocol) is a Protocol that is part of TCP/IP and used to transfer error messages and emergencies when working with traffic. For example, when the requested server is not available, this tool performs the service function. Utility iptables allows you to block it through the firewall, and it can be done with the command sudo iptables -A OUTPUT-p icmp –icmp-type 8 -j DROP. It will produce blocking requests from your and to your server.

Incoming requests are blocked a little differently. Then you need to enter sudo iptables-I INPUT-p icmp –icmp-type 8 -j DROP. After activation, data rules, the server will not respond to ping requests.

Prevention of unauthorized actions on the server

Sometimes the server is subjected to DDoS attacks or other unauthorized actions by malicious parties. Proper configuration of the firewall will protect yourself from this kind of hacks. For a start, we recommend you ask the following rules:

Mount it in the console iptables -A INPUT -p tcp –dport 80-m limit –limit 20/minute –limit-burst 100 -j ACCEPTwhere –limit 20/minute — limit the frequency of positive results. The unit of measure you can specify your own, for example, /second, /minute, /hour, /day. –limit-burst number — a limit on the number of ignored packets. All values are set individually in the preferences of the administrator.

Then you can prevent the scanning of open ports to remove one of the possible causes of the break-in. Enter the command sudo iptables-N block-scan.

Then enter sudo iptables-A block-scan -p tcp —tcp-flags SYN,ACK,FIN,RST-m limit —limit 1/s-j RETURN.

The third command is: sudo iptables-A block-scan -j DROP. The expression block-scan in these cases, the name used chain.

Shown today settings are just the Foundation of the management tool firewall. In the official documentation of the utility you will find a description of all available arguments and options and will be able to configure the firewall specifically for your needs. We have examined the standard security rules that apply most often and in most cases mandatory.

Source: lumpics.ru