Configuring iptables firewall on CentOS / Redhat

Monday, May 26, 2014
Netfilter is the basic firewall of a Linux server. It is included as part of the operating system and is enabled in the usual default configuration. The firewall on such a system is managed through the iptables program. Netfilter filters packets inside the kernel, before the system software or application layer processes them. 
Iptables Config File 
On RHEL / CentOS / Fedora the default iptables configuration file is: 
/etc/sysconfig/iptables 
View the default rules (policies): 
Type the following command: 
iptables --line-numbers -n -L 
You will get the results returned with contents similar to the following: 
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
4    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
8    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
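A small audit helper for a listing in exactly this format, added here as an example and not part of the original post: it reports which destination ports are accepted from any source and whether the custom chain ends in a deny rule. The sample listing is constructed from the post's default ruleset (INPUT and the custom chain only).

```shell
#!/bin/sh
# Added example, not from the original post: audit a saved
# "iptables -L -n --line-numbers" listing for services reachable from
# any source. Constructed sample from the post's default CentOS ruleset.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
4    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
8    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Print "proto port" for each ACCEPT rule that admits a destination port
# from source 0.0.0.0/0. Caveat: without -v the listing hides the input
# interface, so rule 1 (really "-i lo") looks like an accept-all; audit
# with "iptables -vnL --line-numbers" before trusting a listing.
world_open_ports() {
  awk '$2 == "ACCEPT" && $5 == "0.0.0.0/0" {
         for (i = 7; i <= NF; i++)
           if ($i ~ /^dpt:/) print $3, substr($i, 5)
       }'
}

# Succeed only if the named chain ends with a terminating REJECT or DROP,
# i.e. unmatched packets cannot fall through to a permissive policy.
chain_default_deny() {
  awk -v chain="$1" '
    /^Chain / { cur = $2; next }
    cur == chain && $1 ~ /^[0-9]+$/ { last = $2 }
    END { code = (last == "REJECT" || last == "DROP") ? 0 : 1; exit code }'
}

printf '%s\n' "$SAMPLE_LISTING" | world_open_ports
printf '%s\n' "$SAMPLE_LISTING" | chain_default_deny RH-Firewall-1-INPUT \
  && echo "RH-Firewall-1-INPUT ends in a deny rule"
```

On a live host, pipe the real output of iptables -vnL --line-numbers into the two functions instead of the constructed sample.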
Turn the firewall on / off / restart it 
Use the following commands: 
# Enable at boot and start the firewall 
chkconfig iptables on 
service iptables start 
# Restart the firewall 
service iptables restart 
# Stop the firewall 
service iptables stop 
Learn more about iptables Firewall 
iptables has 4 types of chains (the post calls them events), as follows: 

  • INPUT: packets arriving at the system from outside. Use this chain to block ports (such as 80, 25, 110) or source IPs and subnets (such as 202.54.1.20/29).
  • OUTPUT: packets generated by the system itself.
  • FORWARD: packets passed through to another device. Usually used when the Linux server is set up as a router, for example with eth0 connected to an ADSL / cable modem and eth1 connected to the LAN; FORWARD is used to pass packets between the LAN and the Internet.
  • RH-Firewall-1-INPUT: a custom chain, which is referenced from the three built-in chains INPUT, OUTPUT and FORWARD.

How a packet is processed: 

  • Evaluation starts from the first rule.
  • It continues until the packet matches a condition configured in the rules.
  • When a rule matches, the packet is handled by that rule's target: REJECT, ACCEPT or DROP.

The ways a packet can be handled: 

  • ACCEPT lets the packet pass through.
  • REJECT discards the packet and sends an error message back to the packet's source address.
  • DROP discards the packet without notifying the source address.

Configure /etc/sysconfig/iptables 
You can use vi or nano, for example: 
nano /etc/sysconfig/iptables 
The contents of the file have the following form: 
*filter 
:INPUT ACCEPT [0:0] 
:FORWARD ACCEPT [0:0] 
:OUTPUT ACCEPT [0:0] 
:RH-Firewall-1-INPUT - [0:0] 
-A INPUT -j RH-Firewall-1-INPUT 
-A FORWARD -j RH-Firewall-1-INPUT 
-A RH-Firewall-1-INPUT -i lo -j ACCEPT 
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT 
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT 
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT 
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT 
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT 
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited 
COMMIT 
Block all packets by default: 
Find the lines: 
*filter 
:INPUT ACCEPT [0:0] 
:FORWARD ACCEPT [0:0] 
:OUTPUT ACCEPT [0:0] 
and change them to: 
:INPUT DROP [0:0] 
:FORWARD DROP [0:0] 
Log and drop packets from specified (spoofed) sources: 
Add the following lines to the configuration file, before the final COMMIT. Note that the LOG target does not stop a packet; each source still needs a matching DROP rule to actually be blocked. 
-A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF" 
-A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF" 
-A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF" 
-A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP Multicast" 
-A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF" 
-A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK" 
-A INPUT -i eth0 -s 169.254.0.0/16 -j LOG --log-prefix "IP DROP Multicast" 
-A INPUT -i eth0 -s 0.0.0.0/8 -j LOG --log-prefix "IP DROP" 
-A INPUT -i eth0 -s 240.0.0.0/4 -j LOG --log-prefix "IP DROP" 
-A INPUT -i eth0 -s 255.255.255.255/32 -j LOG --log-prefix "IP DROP" 
-A INPUT -i eth0 -s 168.254.0.0/16 -j LOG --log-prefix "IP DROP" 
-A INPUT -i eth0 -s 248.0.0.0/5 -j LOG --log-prefix "IP DROP" 

Log all dropped packets: 
Find the following lines: 
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited 
COMMIT 
and change them to: 
-A RH-Firewall-1-INPUT -j LOG 
-A RH-Firewall-1-INPUT -j DROP 
COMMIT 
Opening ports 
To open port 80 for a web server, add the following line at the end, before COMMIT: 
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
To open port 53 for a DNS server, add the following lines at the end, before COMMIT: 
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -j ACCEPT 
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT 
To open port 443 for HTTPS, add the following line at the end, before COMMIT: 
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 443 -j ACCEPT 
To open port 25 for an SMTP server, add the following line at the end, before COMMIT: 
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -j ACCEPT 
To allow SSH only from the source range 192.168.1.0/24: 
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT 
.... 
Save the file and restart iptables: 
# service iptables restart 
# iptables -vnL --line-numbers 
Hopefully this article helps you understand more about this basic but very effective firewall: iptables.
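The steps above (default-deny policies, anti-spoofing log and drop, opened service ports, SSH restricted to one subnet, final log and drop) combined into one generated configuration file. This is an added example and not the post's own file; it assumes the outside interface carries a public address (on a host with a LAN address the private-range drops would block legitimate traffic), and it places the spoof checks inside RH-Firewall-1-INPUT ahead of every ACCEPT so that they are actually reached.

```shell
#!/bin/sh
# Added example, not the post's own file: generate a default-deny
# /etc/sysconfig/iptables that combines the post's steps in one place.
# Arguments: $1 Internet-facing interface, $2 subnet allowed to SSH,
# $3 space-separated tcp service ports. Assumes $1 carries a public
# address. Each spoof source gets LOG and DROP, because LOG is
# non-terminating and by itself blocks nothing.
SPOOF_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 0.0.0.0/8 224.0.0.0/4 240.0.0.0/4"

gen_firewall_rules() {
  iface=$1; admin_net=$2; ports=$3; c=RH-Firewall-1-INPUT
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:$c - [0:0]
-A INPUT -j $c
-A FORWARD -j $c
-A $c -i lo -j ACCEPT
EOF
  for net in $SPOOF_NETS; do
    # -m limit keeps a flood of spoofed packets from filling the log
    printf '%s\n' "-A $c -i $iface -s $net -m limit --limit 5/min -j LOG --log-prefix \"IP DROP SPOOF \""
    printf '%s\n' "-A $c -i $iface -s $net -j DROP"
  done
  printf '%s\n' "-A $c -m state --state ESTABLISHED,RELATED -j ACCEPT"
  printf '%s\n' "-A $c -p icmp --icmp-type any -j ACCEPT"
  # SSH only from the admin subnet; the listed services from anywhere
  printf '%s\n' "-A $c -s $admin_net -m state --state NEW -p tcp --dport 22 -j ACCEPT"
  for p in $ports; do
    printf '%s\n' "-A $c -m state --state NEW -p tcp --dport $p -j ACCEPT"
  done
  # Log (rate-limited) and drop everything that matched nothing above
  printf '%s\n' "-A $c -m limit --limit 5/min -j LOG --log-prefix \"IPT DROP \""
  printf '%s\n' "-A $c -j DROP" "COMMIT"
}

# Number of -A rule lines produced, a quick sanity check before loading.
count_rules() { gen_firewall_rules "$@" | grep -c '^-A '; }

gen_firewall_rules eth0 192.168.1.0/24 "80 443"
```

Write the output to /etc/sysconfig/iptables, run service iptables restart and confirm the result with iptables -vnL --line-numbers; keep a console session open while changing the SSH rule so a mistake cannot lock you out.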
