Basic iptables Configuration

It’s always a good idea to setup a local firewall on hosts that are on unprotected networks. The internet “winds” blow harder and harder each day, and it’s only a matter of time before some daemon has an exploit that gets taken advantage of. I use CentOS 5 for all my web servers, and here is an example of the script I use to create a DEFAULT TO DENY set of firewall rules. This script generates a file called iptables in /etc/sysconfig.

I used to create a special rule for MySQL that only allowed connections from my own network, but lately I have been omitting this rule and tunneling the connection through ssh instead. That is why it is commented out in the script below.

### SCRIPT ### #!/bin/sh # Drop all incoming traffic /sbin/iptables -P INPUT DROP # Drop all forwarded traffic /sbin/iptables -P FORWARD DROP # Allow all outgoing traffic /sbin/iptables -P OUTPUT ACCEPT # Allow returning packets /sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # Allow incoming traffic on port 80 for web server /sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT # Allow MySQL only from a certain network /sbin/iptables -A INPUT -p tcp -m tcp -s XXX.XXX.XXX.0/24 --dport 3306 -j ACCEPT # Allow local traffic /sbin/iptables -A INPUT -i lo -j ACCEPT # Allow incoming SSH on port 22 #/sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT # Allow ping /sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT /sbin/iptables-save > /etc/sysconfig/iptables chmod go-r /etc/sysconfig/iptables /sbin/sudo service iptables restart ### /SCRIPT ###

Here is what /etc/sysconfig/iptables looks like after running this script:

# Generated by iptables-save v1.3.5 on Wed Dec 31 13:47:40 2008 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [12:8972] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT COMMIT # Completed on Wed Dec 31 13:47:40 2008

After you are done, make sure you have iptables setup to start when the system boots.

# /sbin/chkconfig --list | grep iptables


iptables       	0:off	1:off	2:on	3:on	4:on	5:on	6:off

If it’s not on, just run:
/sbin/chkconfig iptables on

This entry was posted on Wednesday, December 31st, 2008 at 8:05 pm and is filed under Data and Technology. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

cybervegan

Jun 12th

Your script would cut off SSH on port 22, where it says:

# Allow incoming SSH on port 22
#/sbin/iptables -A INPUT -p tcp -m tcp –dport 22 -j ACCEPT

In your article, you said that you had the MySQL port rule commented out, but that seems to be still active:

# Allow MySQL only from a certain network
/sbin/iptables -A INPUT -p tcp -m tcp -s XXX.XXX.XXX.0/24 –dport 3306 -j ACCEPT

Did you comment out the wrong line?
building solaris-based enterprise router-firewall project - SUN Solaris - The UNIX and Linux Forums

Jun 21st

[...] on Solaris 10 sonia hamilton – life on the digital bikepath – sonia@snowfrog.net and Basic iptables Configuration|spiralbound.net [...]

spiralbound.net