Basically, ‘iptables’ is the packet filter system on RHEL systems. The best description of what ‘iptables’ is can be found on its man page. In this article, I will show some simple and basic ‘iptables’ configurations. The three default chains in the filter table are INPUT, FORWARD, and OUTPUT. The ‘iptables -L’ command lists these three default chains.
Right now, I haven’t made any configuration, so all the chains are empty. INPUT means packets coming into the system; OUTPUT means packets going out from the machine. If the machine acts as a router or a gateway, it will FORWARD packets. ‘policy ACCEPT’ means the firewall is in an unrestricted mode, as it is doing nothing. To save the iptables configuration, the command is ‘iptables-save’. I will redirect its output to the ‘firewalloff’ file.
Now I will put a restriction on incoming packets. The command is ‘iptables -A INPUT -i lo -j ACCEPT’.
The rule is appended to the INPUT chain, so it is ‘-A INPUT’; ‘-i’ selects the interface, and ‘lo’ is the loopback interface, so the rule only matches traffic from the local (host-only) interface. The whole command can be read as follows: for the INPUT chain, any traffic arriving on the loopback interface is accepted.
-m = match (loads a match extension), conntrack = the connection tracking module, ctstate = connection state
The complete command means if I establish a connection, the reply from the destination is accepted. For example, if I establish a connection with a mail server, the incoming traffic from the mail server is allowed.
Next, I will accept incoming packets for SSH.
-p = protocol, --dport = destination port, 22 = the port number of SSH
The meaning of the command is: if any TCP traffic arrives for destination port 22, the packets are accepted.
Let’s look at the iptables rules now.
The command ‘iptables -nvL’ shows the rules with packet and byte counters, the interface, and the source and destination addresses (‘-n’ prints addresses and ports numerically, ‘-v’ is verbose).
I will save these configurations to the ‘firewallon’ file.
Now I will restore the configuration from the ‘firewalloff’ file and show the iptables configuration.
Again I will restore the configuration from the ‘firewallon’ file.
A new ‘iptables’ rule can also be added by editing the saved file. Here I will edit the ‘firewallon’ file to add a new rule.
The highlighted line means that, whatever the module, protocol, or port, incoming packets that do not match one of the explicitly listed rules are dropped immediately.
The iptables service is not installed by default. I will install it (the ‘iptables-services’ package).
The iptables configuration files are ‘iptables’ and ‘iptables-config’, which are located in the ‘/etc/sysconfig’ directory.
On a CentOS 8 system, the default packet filtering service is firewalld. I am going to disable firewalld and enable iptables.
I will add a new rule by editing ‘iptables’ file.
The firewall rules are read from top to bottom. The higher a rule sits in the chain, the higher its priority: the first matching rule decides what happens to a packet, and rules placed after a catch-all DROP are never reached.
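As an added example (not from the article), the script below builds the ‘firewallon’ ruleset from the previous sections in the format that ‘iptables-save’ writes and ‘iptables-restore’ reads, and checks the ordering point made above before the file is applied. The article’s screenshots are not reproduced here, so the ctstate values ‘ESTABLISHED,RELATED’ and the final catch-all ‘-A INPUT -j DROP’ line are assumptions about what the edited file contained.

```bash
#!/bin/bash
# Added example: generate the 'firewallon' ruleset and sanity-check rule order.
set -eu

# Emit the ruleset in iptables-save format. Rules are matched top to bottom,
# so the catch-all DROP must be the last INPUT rule. The ctstate values and the
# DROP line are assumptions (the article's screenshots are not included here).
firewallon_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# Print the 1-based position of the first INPUT rule containing the given
# text, or 0 if no INPUT rule contains it.
input_rule_position() {
    firewallon_rules | awk -v pat="$1" '
        /^-A INPUT/ { n++; if (!found && index($0, pat)) found = n }
        END { print found + 0 }'
}

# Succeed only if the catch-all DROP is the last INPUT rule; any ACCEPT rule
# appended after it would be dead, so this is checked before restoring.
drop_is_last() {
    local total drop
    total=$(firewallon_rules | grep -c -- '^-A INPUT')
    drop=$(input_rule_position '-j DROP')
    [ "$drop" -gt 0 ] && [ "$drop" -eq "$total" ]
}

# Write the ruleset to a file (e.g. firewallon) for later 'iptables-restore'.
write_ruleset() {
    drop_is_last || { echo "refusing: DROP is not the last INPUT rule" >&2; return 1; }
    firewallon_rules > "$1"
}

# Loading the file needs root and is not done here:
#   sudo iptables-restore < firewallon
```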