Linux Tutorials - Herong's Tutorial Examples - v5.45, by Herong Yang
"iptables" Command on CentOS
This section provides a tutorial example on how to use the "iptables" command to manage the network firewall on older CentOS systems, where the "iptables" service runs instead of "firewalld".
The best tool to manage the network firewall on CentOS systems is the "firewall-cmd" frontend tool. But if you want to use the backend tool, you can follow this tutorial to use the "iptables" command.
1. Make sure that I have the latest version of "iptables" installed with the "dnf info" command:
herong$ sudo dnf info iptables
Installed Packages
Name         : iptables
Version      : 1.8.2
Release      : 16.el8
Architecture : x86_64
Size         : 2.3 M
Source       : iptables-1.8.2-16.el8.src.rpm
Repository   : @System
From repo    : anaconda
Summary      : Tools for managing Linux kernel packet filtering capabilities
URL          : http://www.netfilter.org/
License      : GPLv2 and Artistic 2.0 and ISC
Description  : The iptables utility controls the network packet filtering code in the
             : Linux kernel. If you need to set up firewalls and/or IP masquerading,
             : you should either install nftables or this package.
             :
             : Note: This package contains the nftables-based variants of iptables and
             : ip6tables, which are drop-in replacements of the legacy tools.
2. Check all chains of security rules with the "iptables" command:
herong$ sudo iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
3. Append new rules to make my computer more secure. Remember that "iptables" rules in a chain are evaluated sequentially, in the order they were added. The first rule that matches a packet takes its action and evaluation stops.
# allow visiting the google.com Website
# (the name is resolved once, when the rule is added; only the addresses
# returned at that moment are matched)
herong$ sudo iptables -A OUTPUT -p tcp -d google.com -j ACCEPT

# stop going out to any HTTP Websites
herong$ sudo iptables -A OUTPUT -p tcp --dport 80 -j DROP

# stop going out to any HTTPS Websites
herong$ sudo iptables -A OUTPUT -p tcp --dport 443 -j DROP

# allow me to come in with an SSH connection from my laptop
herong$ sudo iptables -A INPUT -p tcp -s 192.168.1.11 --dport 22 -j ACCEPT

# allow local computers to access the Web server
# ("--src-range" belongs to the "iprange" match module, which must be
# loaded with "-m iprange" or the option is rejected as unknown)
herong$ sudo iptables -A INPUT -p tcp -m iprange \
    --src-range 192.168.1.2-192.168.1.100 --dport 80 -j ACCEPT

# stop everyone else from coming in with an SSH connection
herong$ sudo iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 22 -j DROP

# stop everyone else from coming in on any port
# (this also drops replies to connections this host opened, such as the
# google.com visit above, unless a "-m conntrack --ctstate ESTABLISHED,RELATED"
# ACCEPT rule sits earlier in the INPUT chain)
herong$ sudo iptables -A INPUT -j DROP
4. Save changes made in "iptables" permanently:
# "iptables-save" only prints the active rules to stdout; redirect them into
# /etc/sysconfig/iptables, the file the "iptables" service loads at boot
# ("service iptables save" writes the same file on systems with that service)
herong$ sudo sh -c '/sbin/iptables-save > /etc/sysconfig/iptables'
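The first-match behaviour from step 3, and what the final "-A INPUT -j DROP" does to replies, can be seen without touching a live firewall. The Python script below is an added example and is not part of Herong's tutorial: it models a chain as an ordered list of rules and walks sample packets through the tutorial's OUTPUT and INPUT chains exactly as appended. All addresses are constructed (203.0.113.10 stands in for whatever "google.com" resolved to when the rule was added, 192.168.1.5 is the host itself), and the connection state is supplied on each packet instead of being tracked, which is what conntrack would do on a real system. Each rule is also rendered back as the "iptables -A" command that would append it, using "-m iprange" for "--src-range" and "-m conntrack --ctstate" for the extra rule that lets replies to outbound connections past the catch-all DROP.

```python
"""Model of iptables chain evaluation: rules are tried top to bottom, the first match
decides, else the chain policy applies. Added example, not iptables itself; runs unprivileged."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    src: str              # source address
    dst: str              # destination address
    dport: int            # destination port
    ctstate: str = "NEW"  # the state conntrack would report: NEW or ESTABLISHED

@dataclass
class Rule:
    target: str                         # -j ACCEPT or DROP
    proto: Optional[str] = None         # -p
    src: Optional[str] = None           # -s address or CIDR
    src_range: Optional[tuple] = None   # -m iprange --src-range lo-hi
    dst: Optional[str] = None           # -d address or CIDR
    dport: Optional[int] = None         # --dport
    ctstate: Optional[set] = None       # -m conntrack --ctstate

    def matches(self, p: Packet) -> bool:
        """Every criterion set on the rule must hold; a rule with none matches everything."""
        if self.proto and p.proto != self.proto:
            return False
        if self.src and ip_address(p.src) not in ip_network(self.src, strict=False):
            return False
        if self.src_range:
            lo, hi = (ip_address(a) for a in self.src_range)
            if not lo <= ip_address(p.src) <= hi:
                return False
        if self.dst and ip_address(p.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.ctstate and p.ctstate not in self.ctstate:
            return False
        return True

def evaluate(chain, p, policy="ACCEPT"):
    """The first matching rule takes its action and evaluation stops; else the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy

def to_command(chain_name, r):
    """Render a rule as the 'iptables -A' line that would append it (text only, never executed)."""
    parts = ["iptables", "-A", chain_name]
    if r.ctstate:
        parts += ["-m", "conntrack", "--ctstate", ",".join(sorted(r.ctstate))]
    if r.proto:
        parts += ["-p", r.proto]
    if r.src:
        parts += ["-s", r.src]
    if r.src_range:
        parts += ["-m", "iprange", "--src-range", "-".join(r.src_range)]
    if r.dst:
        parts += ["-d", r.dst]
    if r.dport is not None:
        parts += ["--dport", str(r.dport)]
    return " ".join(parts + ["-j", r.target])

# Constructed addresses: WEB_ADDR stands for whatever "-d google.com" resolved to when the
# rule was appended (the name is looked up once, at that moment); HOST is this machine.
WEB_ADDR, HOST, LAPTOP, OUTSIDER = "203.0.113.10", "192.168.1.5", "192.168.1.11", "198.51.100.7"

OUTPUT_CHAIN = [  # the tutorial's OUTPUT rules, in the order they were appended
    Rule("ACCEPT", proto="tcp", dst=WEB_ADDR),
    Rule("DROP", proto="tcp", dport=80),
    Rule("DROP", proto="tcp", dport=443),
]
INPUT_CHAIN = [  # the tutorial's INPUT rules, in the order they were appended
    Rule("ACCEPT", proto="tcp", src=LAPTOP, dport=22),
    Rule("ACCEPT", proto="tcp", src_range=("192.168.1.2", "192.168.1.100"), dport=80),
    Rule("DROP", proto="tcp", src="0.0.0.0/0", dport=22),
    Rule("DROP"),  # catch-all: also hits replies to connections this host opened
]
# Same INPUT chain with a conntrack rule placed first, so those replies get through
INPUT_CHAIN_CT = [Rule("ACCEPT", ctstate={"ESTABLISHED", "RELATED"})] + INPUT_CHAIN

def verdicts():
    """Run sample packets through the chains; each key names the packet it describes."""
    reply = Packet("tcp", WEB_ADDR, HOST, 40000, ctstate="ESTABLISHED")  # web server answering us
    return {
        "https_to_web": evaluate(OUTPUT_CHAIN, Packet("tcp", HOST, WEB_ADDR, 443)),
        "https_to_other": evaluate(OUTPUT_CHAIN, Packet("tcp", HOST, OUTSIDER, 443)),
        "ssh_from_laptop": evaluate(INPUT_CHAIN, Packet("tcp", LAPTOP, HOST, 22)),
        "ssh_from_other": evaluate(INPUT_CHAIN, Packet("tcp", OUTSIDER, HOST, 22)),
        "http_from_lan": evaluate(INPUT_CHAIN, Packet("tcp", "192.168.1.50", HOST, 80)),
        "reply_no_ct": evaluate(INPUT_CHAIN, reply),
        "reply_with_ct": evaluate(INPUT_CHAIN_CT, reply),
        # order matters: the two SSH rules swapped would drop the laptop as well
        "ssh_laptop_swapped": evaluate([INPUT_CHAIN[2], INPUT_CHAIN[0]], Packet("tcp", LAPTOP, HOST, 22)),
    }

if __name__ == "__main__":
    for name, rule in [("OUTPUT", r) for r in OUTPUT_CHAIN] + [("INPUT", r) for r in INPUT_CHAIN_CT]:
        print(to_command(name, rule))
    print(verdicts())
```

Running it prints the rendered commands and the verdicts. The point to notice is the pair "reply_no_ct" and "reply_with_ct": the web server's answer to the connection the host itself opened is dropped by the tutorial's INPUT chain as appended, because the catch-all rule matches anything not accepted earlier, and is accepted once an ESTABLISHED,RELATED rule sits at the top. The "ssh_laptop_swapped" entry shows the same ordering rule from the other side: the laptop's SSH is only reachable because its ACCEPT precedes the general DROP for port 22.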
Note that on older CentOS systems the "iptables" service is running instead of "firewalld". You can check its status with the "service" command:
herong$ sudo service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
...

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
...

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
...