Networking, Programming and Graphics Tutorials

Simple IPTABLES configuration [2/2]

On Red Hat based distributions (RHEL, CentOS, Fedora) the saved firewall rules live by default in /etc/sysconfig/iptables. It is a plain text file in iptables-save format, containing all the firewall rules, and the iptables service loads it with iptables-restore at boot.

Since this is a basic explanation, below you will find a configuration file that is suitable for a typical small server offering FTP, SSH, mail, DNS and web. Treat it as a starting point: open only the ports of the services you actually run.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 60000:65000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
The first seven lines are the standard Red Hat skeleton: the *filter table header, the default ACCEPT policies of the three built-in chains, the declaration of the custom RH-Firewall-1-INPUT chain, and the two rules that send all INPUT and FORWARD traffic into that chain. It is not recommended to edit those. The file must end with a COMMIT line, otherwise iptables-restore will not apply the table.

The remaining rules do the following.
-A RH-Firewall-1-INPUT -i lo -j ACCEPT # - Accept everything on the loopback interface, so local services can talk to each other
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT # - Accept all ICMP types: echo requests (ping), but also destination-unreachable, time-exceeded and the rest. Use --icmp-type echo-request if you only want pings.
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT # - IP protocol 51, the IPsec Authentication Header
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT # - Multicast DNS (Avahi/Bonjour) sent to the mDNS multicast address
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # - Accept packets that belong to an already established connection, or that are related to one (ICMP errors, and FTP data connections when the FTP connection-tracking helper is loaded)
The next eight lines open the ports of the services this host is meant to offer. Every open port is a service an attacker can reach, so keep only the ones you actually run. The ports opened by this file are:

21 - FTP server control channel
22 - SSH (Linux/Unix)
25 - SMTP
53 - DNS (needs UDP as well as TCP, hence the separate udp rule)
80 - WWW servers
110 - POP3 email server
60000:65000 - Passive FTP mode data connections. The FTP server must be configured to use the same range (for example pasv_min_port and pasv_max_port in vsftpd). If the kernel's FTP connection-tracking helper (nf_conntrack_ftp, ip_conntrack_ftp on older kernels) is loaded, the ESTABLISHED,RELATED rule above already accepts the data connections and this range can stay closed.

The REJECT rule at the end of the custom chain refuses every packet that did not match an earlier rule, answering with an ICMP host-prohibited error instead of silently discarding it (use -j DROP if you prefer to send no reply). Because the chain ends in an unconditional REJECT, the ACCEPT policies of the INPUT and FORWARD chains are never reached. The file itself must end with a COMMIT line, or iptables-restore will not apply the table.
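Before loading a hand-edited file with iptables-restore it is worth checking it offline. The following POSIX shell script is an added example, not part of the original tutorial: it takes a ruleset in iptables-save format, lists every port the firewall exposes, checks that the file has a COMMIT line and that the custom chain ends in REJECT or DROP, and shows how to restrict one port (SSH) to a management network. The embedded ruleset is the tutorial's own with COMMIT appended; the 192.0.2.0/24 management network, the audit, list_open_ports, has_commit, has_catchall and restrict_port function names are assumptions made for this example. It needs neither root nor the iptables binary.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: audit an iptables-save
# style ruleset offline (no root, no iptables binary) before loading it.

# Constructed sample: the tutorial's ruleset with the COMMIT line that
# iptables-restore requires appended. On a real host use:
#   RULES=$(cat /etc/sysconfig/iptables)
RULES=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 60000:65000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
)

# list_open_ports RULESET
# Prints "proto port" for every ACCEPT rule that matches on a destination
# port, i.e. every service the firewall exposes to the network.
list_open_ports() {
    printf '%s\n' "$1" | awk '
        /-j ACCEPT/ && /--dport/ {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (proto != "" && port != "") print proto, port
        }'
}

# has_commit RULESET
# iptables-restore does not apply a table that is not closed with COMMIT.
has_commit() {
    printf '%s\n' "$1" | grep -q '^COMMIT$'
}

# has_catchall RULESET CHAIN
# The chain must end in an unconditional REJECT or DROP; otherwise the
# ACCEPT policy of the built-in INPUT chain lets everything else in.
has_catchall() {
    printf '%s\n' "$1" | grep -Eq "^-A $2 -j (REJECT|DROP)"
}

# restrict_port RULESET PORT CIDR
# Rewrites the tutorial-style "NEW tcp --dport PORT" rule so only CIDR may
# open that port, e.g. SSH only from a management network.
restrict_port() {
    printf '%s\n' "$1" | sed "s|^\(-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport $2\) -j ACCEPT\$|\1 -s $3 -j ACCEPT|"
}

# audit RULESET: print warnings and the exposed ports.
audit() {
    has_commit "$1" || echo "WARNING: no COMMIT line, iptables-restore will not apply the table"
    has_catchall "$1" RH-Firewall-1-INPUT || echo "WARNING: RH-Firewall-1-INPUT does not end in REJECT/DROP"
    echo "Ports reachable from the network (proto port):"
    list_open_ports "$1"
}

audit "$RULES"
# 192.0.2.0/24 is a placeholder management network (assumption).
echo "SSH rule after restricting it to the management network:"
restrict_port "$RULES" 22 192.0.2.0/24 | grep -- '--dport 22 '
```

Note that the audit lists the mDNS rule (udp 5353) as well as the eight service ports, since that rule also accepts traffic to a port; if the host is not a desktop running Avahi it can be removed. The same pattern (feed the file through list_open_ports and compare against the services you expect) is a cheap check to run whenever the file changes.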

