CentOS 7 Server Deployment Cookbook

Configuring the network firewall using iptables

In this recipe, you'll learn how to replace FirewallD with the iptables service and perform basic firewall configurations. iptables was the default method for managing the firewall's settings in CentOS prior to version 7. Some administrators might prefer iptables because it's within their comfort level or maybe they have several older servers running in the data center and they want to maintain similarity as much as possible.

Getting ready

This recipe requires a CentOS system with a working network connection. You'll also need administrative privileges provided by logging in with the root account.

How to do it...

The following steps will allow you to replace FirewallD with the iptables service:

  1. Stop the FirewallD service and mask it so that it cannot be started again, whether by hand or by another unit:
    systemctl stop firewalld
    systemctl mask firewalld
    
  2. Install the iptables-services package which contains the service:
    yum install iptables-services
    
  3. Start the service and register it so that it will start automatically when the system is booted:
    systemctl start iptables
    systemctl enable iptables
    

The following collection of commands will show you how to perform several basic configuration tasks using iptables:

  • Use the -L flag to print the current configuration. Add the --line-numbers flag to display each rule's ID number alongside it:
    iptables -L --line-numbers
    
  • Use the following command to allow TCP traffic on port 80 from the enp0s3 interface through the firewall:
    iptables -A INPUT -i enp0s3 -p tcp --dport 80 -j ACCEPT
    
  • To remove the rule that allows TCP traffic on port 80, execute iptables -L --line-numbers to find the rule's ID and then use the following (replace ## with the rule's ID):
    iptables -D INPUT ##
    
  • Reload iptables after making configuration changes for them to be in effect:
    systemctl restart iptables
    
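The commands above add one rule at a time to the running firewall. As an added example (not from the cookbook), the following POSIX shell function writes a complete INPUT ruleset in iptables-restore format, so the whole policy can be reviewed as text and then loaded atomically with `build_ruleset enp0s3 | iptables-restore`. The interface name enp0s3, the SSH port 22 and the web port 80 are assumptions; the function takes them as arguments. Note that `-p tcp` must appear before `--dport`, because the port options belong to the tcp match extension and iptables only recognises them once the protocol has been given.

```shell
#!/bin/sh
# Added example, not the cookbook's own code: emit a complete filter table
# in iptables-restore format. Interface and ports are assumed defaults.
build_ruleset() {
    iface="${1:-enp0s3}"
    web_port="${2:-80}"
    ssh_port="${3:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Keep loopback and already-established flows working before any DROP applies
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Management access first, so a later mistake cannot lock out the console
-A INPUT -i ${iface} -p tcp --dport ${ssh_port} -j ACCEPT
# The recipe's rule: TCP port ${web_port} on ${iface} (-p tcp must precede --dport)
-A INPUT -i ${iface} -p tcp --dport ${web_port} -j ACCEPT
# Explicit reject at the end of the chain so unmatched traffic gets an ICMP error
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Sanity check before loading: print the number of ACCEPT rules in the
# generated ruleset (loopback, established, SSH, web = 4 with the defaults)
count_accepts() {
    build_ruleset "$@" | grep -c -- '-j ACCEPT'
}
```

Because the iptables service loads /etc/sysconfig/iptables when it starts, rules added at runtime with `iptables -A` are lost on `systemctl restart iptables` unless they have been written to that file first; `build_ruleset enp0s3 > /etc/sysconfig/iptables` (or `iptables-save > /etc/sysconfig/iptables` after interactive changes) makes the ruleset survive a restart and a reboot.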

How it works...

To replace FirewallD with the iptables service to manage the network firewall, we first stopped and disabled the FirewallD service; we don't want multiple firewall daemons running since it would lead to conflicts. FirewallD uses iptables behind the scenes so iptables is already installed, but the iptables service isn't. So, next we installed the iptables-services package:

yum install iptables-services

We then saw how to perform basic configurations to allow and disallow traffic. For example, the recipe presented the command to add a rule that allows TCP traffic through port 80:

iptables -A INPUT -i enp0s3 -p tcp --dport 80 -j ACCEPT

The -A argument indicates that we wish to append a firewall rule to the end of a chain and is followed by the chain name. The built-in chains are INPUT, OUTPUT, and FORWARD, which apply to incoming traffic, outgoing traffic, and traffic that is routed through the system (if it is configured as a router, for example), respectively. Since INPUT is specified, our rule applies to incoming traffic on port 80.

The -i argument specifies the network interface that the rule applies to; in this case, the rule applies to enp0s3. Then, -p specifies the transport protocol, for example, either TCP or UDP, and --dport specifies the traffic's destination port, in this case port 80. Because --dport belongs to the protocol match, -p tcp must be given before it.

The -j argument specifies the target, that is, the action to jump to. With iptables, rules are strung together to make chains of filtering logic. Imagine iptables checking traffic against each rule we've specified; if the first rule doesn't match, it goes on to check the next rule, and the next, until a match is found. When the matching rule is found, iptables stops checking and jumps to the desired target. Possible targets are ACCEPT to accept the traffic, REJECT to actively deny the connection, and DROP to silently ignore it.

We also saw how to display the rules that are currently defined using the -L flag and that using --line-numbers will display an identifier alongside each rule:

iptables -L --line-numbers

iptables accepts or denies traffic based on the configured rules

Knowing a rule's identifier is convenient if we want to delete it. By providing -D, the chain name (INPUT, OUTPUT, or FORWARD), and the ID, we can succinctly remove a rule from the chain:

iptables -D INPUT 6

Alternatively, you can respecify the entire rule while substituting -A with -D to delete it:

iptables -D INPUT -i enp0s3 -p tcp --dport 80 -j ACCEPT

See also

Refer to the following resources for more information on working with iptables: