Score:1

Creating / Configuring Firewall using iptables


I want to set up a firewall using iptables.

The server is running the httpd service. The OS is CentOS 7, and the information below is from after installing iptables-services and starting iptables without modifying anything.

[root@iptables ~]# iptables -nL --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

As you can see, in the INPUT chain, line num 3, it seems the server is open to anything.

But accessing the web page via a browser is not working.

Is there anything I have to set?

The output of iptables-save (taken from the comment):

# Generated by iptables-save v1.4.21 on Thu Sep 16 13:41:53 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [527:50260]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Sep 16 13:41:53 2021
Nikita Kipriyanov:
Please show the output of `iptables-save`. It is painful to decipher how iptables -L displays things. For example, your lines may contain additional matches or options which aren't displayed this way, and so on.
Seung Hoon Paek:
Hello, thank you for your reply. Finally I figured out the cause. After the command iptables-save, I got the cause. Again, thank you for your help. I really appreciate it.
Score:0

As I suspected, iptables -L hides the additional match, but iptables-save showed the naked truth. Your rule #3 matches only for lo, the loopback interface. This firewall only accepts connections to tcp/22 (SSH) from outside.

The simplest resolution will be:

iptables -I INPUT 4 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT 5 -p tcp --dport 443 -j ACCEPT

You can additionally filter with conntrack and combine both rules into a single one with multiport:

iptables -I INPUT 4 -m conntrack --ctstate NEW -p tcp -m multiport --dports 80,443 -j ACCEPT -m comment --comment "HTTP/HTTPS service"

Notice also the comment I added. Use comments for each rule, and some day later you'll thank me for this advice if your firewall grows to, say, more than 50 rules.

Don't use -m state. It is obsolete. It really uses -m conntrack under the hood, and it is more transparent to spell it out like this explicitly.

Don't use iptables -L. As you've seen, its output looks "prettier", and there the advantages end; it also fails to present all the needed details. The output of iptables-save looks less pretty, but it shows all the finest details, so always use the latter.
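The following is an added example, not code from the question or the answer above. It reproduces the ruleset from the question in iptables-save syntax, the corrected set the answer describes (the HTTP/HTTPS ACCEPT placed ahead of the catch-all REJECT, using conntrack, multiport and a comment), and the mistake the answer's use of `-I INPUT 4` avoids: appending with `-A` lands the new rule after the REJECT, where it is never evaluated. The order check runs offline over the iptables-save text, so it needs neither root nor iptables installed. The function names (`original_ruleset`, `appended_after_reject`, `corrected_ruleset`, `check_ruleset`) are hypothetical helpers, not iptables commands.

```shell
#!/bin/sh
# Added example (not from the original post). Rule order in the INPUT chain is
# checked against iptables-save text; no iptables binary or root needed.

# Ruleset as posted in the question. Rule 3's "-i lo" is what iptables -L hid.
original_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# What "iptables -A INPUT -p tcp --dport 80 -j ACCEPT" would produce on the
# set above: the rule is appended AFTER the catch-all REJECT, so it is dead.
appended_after_reject() {
    original_ruleset | awk '
        { print }
        /^-A INPUT -j REJECT/ { print "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT" }'
}

# Corrected set: HTTP/HTTPS inserted before the REJECT, -m state replaced by
# -m conntrack, rules commented. Load atomically with
#   corrected_ruleset | iptables-restore
# and persist on CentOS 7 with "service iptables save".
corrected_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT -m comment --comment "SSH"
-A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports 80,443 -j ACCEPT -m comment --comment "HTTP/HTTPS service"
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# check_ruleset PORT   (iptables-save text on stdin)
# Exit 0 if an "-A INPUT ... -p tcp ... -j ACCEPT" covering tcp/PORT appears
# before the first unconditional REJECT/DROP in INPUT (or no such terminal rule
# exists), exit 1 otherwise. Handles --dport N, --dport lo:hi and --dports a,b.
check_ruleset() {
    awk -v port="$1" '
        function listed(line, p,    m, k, cnt, parts, r) {
            if (!match(line, /--dports? [0-9:,]+/)) return 0
            m = substr(line, RSTART, RLENGTH)
            sub(/^--dports? /, "", m)
            cnt = split(m, parts, ",")
            for (k = 1; k <= cnt; k++) {
                if (index(parts[k], ":")) {
                    split(parts[k], r, ":")
                    if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) return 1
                } else if (parts[k] == p) return 1
            }
            return 0
        }
        /^-A INPUT / {
            idx++
            if (!acc && $0 ~ /-p tcp/ && $0 ~ /-j ACCEPT/ && listed($0, port)) acc = idx
            # a terminal rule with no match options at all
            if (!rej && $0 ~ /^-A INPUT -j (REJECT|DROP)/) rej = idx
        }
        END { exit !(acc && (!rej || acc < rej)) }
    '
}

# Demo: which service ports are reachable from outside under each ruleset.
for rs in original_ruleset appended_after_reject corrected_ruleset; do
    for p in 22 80 443; do
        if $rs | check_ruleset "$p"; then r=reachable; else r=BLOCKED; fi
        printf '%-22s tcp/%-4s %s\n' "$rs" "$p" "$r"
    done
done
```

The check only reads the chain order, which is the one thing `iptables -L` makes hard to see and `iptables-save` (or `iptables -S INPUT`, which prints the same syntax) makes obvious. Run it over a live box with `iptables-save | check_ruleset 443` before and after a change; a rule that sits below the catch-all REJECT is the most common reason a freshly "opened" port still fails.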
