This document is mostly for my own purposes. I don’t even think this is the best way to run the firewall, it’s just the way I happened to adapt.
My friends tell me ipchains was good software. Unfortunately the guy who wrote iptables, which emulates the features of ipchains, wasn’t at that same skill level, and the implementation shows it. I know I struggled with it a bit.
I decided to run a local firewall on my HP SiteScope server because a serious security issue was found with our version’s HTTP server such that it was advisable to lock it down to only those administrators who need access to the GUI.
This was actually implemented on Redhat v 5.6, though I don’t suppose it would be much different on CentOS.
December 2013 update
I also tried this same script provided below on a Redhat 6.4 OS – it worked the exact same way without modification.
The main thing is that I maintain a file with the “firewall rules.” I call it iptables. So I need to remember from invocation to invocation where I store this master file. Here are the contents:
#!/bin/sh
# DrJ, 9/2012
# inspired by http://wiki.centos.org/HowTos/Network/IPTables
# flush all previous rules (note: -F does not reset the chain policies)
export PATH=$PATH:/sbin
iptables -F
#
# our main rules here:
#
# Accept tcp packets on destination port 8080 (HP SiteScope) from select individuals
# DrJ: office, home, vpn
iptables -A INPUT -p tcp -s 192.168.76.56 --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp -s 10.2.6.107 --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp -s 10.3.13.138 --dport 8080 -j ACCEPT
#
# the server itself
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 8080 -j ACCEPT
#
# access for loopback, and replies to connections the server opened itself.
# iptables checks rules in order, so these must come BEFORE the port 8080
# DROP below, otherwise they never get to see a port 8080 packet
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# set dflt policies
# for logging see http://gr8idea.info/os/tutorials/security/iptables5.html
#iptables -A INPUT -j LOG --log-level 4 --log-prefix 'InDrop '
# this is a killer! (with no ACCEPT rule for your ssh session it locks you out)
#iptables -P INPUT DROP
# just drop what is really the problem...
iptables -A INPUT -p tcp --dport 8080 -j DROP
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
#
# Save settings (writes /etc/sysconfig/iptables so they survive a restart)
#
/sbin/service iptables save
#
# List rules
#
iptables -L -v
Of course you have to have iptables running. I do a
$ sudo service iptables status
to verify that. If its status is “not running,” start it up.
As mentioned in the comments in the script, I tried to be more strict with the rules, since I'm used to running firewalls with a DENY All rule, but it just didn't work out well for me. The catch with a default INPUT policy of DROP is that anything without an explicit ACCEPT rule is lost, including the ssh session you are administering from and the replies to connections the server itself opened, so the ACCEPT rules for loopback, ESTABLISHED,RELATED and your own admin access have to be in the chain before the policy is switched to DROP. I lost patience and gave up on that and settled for dropping all traffic to TCP port 8080 except from the explicitly permitted hosts, which is good enough for our immediate needs.
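For the record, here is the stricter "drop everything not listed" version done in an order that does not lock you out. This is an added example, not the script above and not anything from HP; it reuses the three admin addresses from the script, and it assumes (my assumptions, not from the page) that the box is administered over ssh on TCP port 22 and that the file is called fw.sh. The rules are generated by one function so the list can be checked, or printed with IPT set to "echo iptables", before anything is applied for real.

```shell
#!/bin/sh
# Added example: default-DROP INPUT chain for the SiteScope box, built so the
# admin's own ssh session survives. Not the original script.
IPT=${IPT:-iptables}          # IPT="echo iptables" sh fw.sh apply  => dry run
ADMINS="192.168.76.56 10.2.6.107 10.3.13.138"   # same hosts as the script above
SSH_PORT=22                    # assumption: admin access is ssh on 22
SITESCOPE_PORT=8080

# Print the iptables arguments, one rule per line, in the order they must be
# applied. Everything that has to keep working (loopback, replies to the
# server's own connections, ssh) is accepted BEFORE the policy becomes DROP.
rule_list() {
    echo "-P INPUT ACCEPT"                 # stay permissive while rebuilding
    echo "-F INPUT"                        # flush only the chain we own
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT"
    for a in $ADMINS; do
        echo "-A INPUT -p tcp -s $a --dport $SITESCOPE_PORT -j ACCEPT"
    done
    echo "-A INPUT -j LOG --log-level 4 --log-prefix 'InDrop '"  # log what we are about to drop
    echo "-P INPUT DROP"                   # only now does the default flip
}

# Apply the rules in order; abort on the first failure, which leaves the
# chain in its permissive (policy ACCEPT) state rather than half built.
apply_rules() {
    while read -r args; do
        eval "$IPT $args" || { echo "failed: $IPT $args" >&2; return 1; }
    done <<EOF
$(rule_list)
EOF
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  rule_list ;;
esac
```

Run `sh fw.sh show` to see the ordered rule list, `IPT="echo iptables" sh fw.sh apply` to see the exact commands, and `sh fw.sh apply` as root to put them in; then `service iptables save` as in the script above so they come back after a reboot. FORWARD and OUTPUT are left alone, as in the original.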
This is a simple example of a way to use iptables. It’s probably not the best example, but it’s what I used so it’s better than nothing.