In linux your kernel/operating system has a built in firewall and router... you just have to figure out how to configure it (not always that easy)...
//to see your current firewall and save the configuration to a file
iptables -L -n --line-numbers -v
iptables-save > current-firewall.txt
iptables -I RH-Firewall-1-INPUT 7 -p tcp --dport 7777 -j ACCEPT
Insert at position 7 of the chain RH-Firewall-1-INPUT a rule matching tcp destination port 7777 which jumps to the ACCEPT target
INPUT - All packets destined for the host computer.
OUTPUT - All packets originating from the host computer.
FORWARD - All packets neither destined for nor originating from the host computer,
but passing through (routed by) the host computer. This chain is used if you are using your computer as a router.
iptables/netfilter uses a logical chain of rules (policies) to determine what to do with traffic.
Basically you will have (the policy is what happens when no rule matches; with policy ACCEPT everything is accepted):
Chain INPUT (policy ACCEPT)
target prot opt source destination
<target> all -- anywhere anywhere //each rule line: target, protocol, options, source, destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
<target> all -- anywhere anywhere
yum install iptables //install it, or check the package is there with: rpm -q iptables
lsmod | grep ip_tables //see if the ip_tables kernel module is loaded
BASIC OPERATIONS
--append / -A chain //Append to chain
--delete / -D chain //Delete matching rule from chain
--delete / -D chain rulenum //Delete rule rulenum (1 = first) from chain
IF YOU'RE LOGGED IN VIA CONSOLE YOU CAN REMOVE EVERYTHING (IF CONNECTED VIA SSH YOU'LL DISCONNECT YOURSELF)
iptables --flush //Flush all the rules in the filter table
iptables --table nat --flush //and in the nat table
iptables --delete-chain //Delete all chains that are not built in (filter table)
iptables --table nat --delete-chain //and in the nat table
//IF WORKING WITH SSH, use "screen", RUN THE COMMANDS AS A SCRIPT AND INCLUDE THE FOLLOWING:
#!/bin/bash
iptables --flush
iptables --delete-chain
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
EXPORTING AND SAVING IPTABLES
iptables-save > /root/dsl.fw
iptables-restore < /root/dsl.fw
/etc/init.d/iptables save
If you are using Debian Linux open /etc/network/interfaces:
vi /etc/network/interfaces
Append this line to the eth0 section so the saved rules are restored when the interface comes up: post-up iptables-restore < /root/dsl.fw
THE RESULT IS ACCEPT TCP SSH FROM ANYWHERE, OTHERWISE DROP (INCLUDING PING!), NO FORWARDING, ALL OUTPUT OK
[root@centos5 ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
/sbin/service iptables save //this will save them after you reboot
iptables -L //list the iptables rules
iptables -L OUTPUT --line-numbers //list the rules from table OUTPUT with line numbers!
if you're working at the console in front of the machine...
service iptables start
service iptables stop
service iptables restart
chkconfig iptables on //ensures iptables is on at boot time
//this would be draconian - no input or output at all! it kills your own ssh session! =p note that after running these commands SSH will fail, but iptables -L will show the old listing!
#!/bin/bash
iptables --flush
iptables --delete-chain
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
an improved "reset" script, so that the DROPs above are slightly changed and the SSH session survives...
#!/bin/bash
iptables --flush
iptables --delete-chain
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT //sshd's replies leave with source port 22
some manual commands
//these lines append to the end of your chain (outgoing web browsing: replies come back from source port 80)
iptables -A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
//a service of your own listening on tcp 7777
iptables -A INPUT -p tcp --destination-port 7777 -j ACCEPT
iptables -A OUTPUT -p tcp --source-port 7777 -j ACCEPT
//insert into chain RH-Firewall-1-INPUT at position 9 a rule that jumps to ACCEPT when the destination port is tcp 7777
iptables -I RH-Firewall-1-INPUT 9 -p tcp --dport 7777 -j ACCEPT
//delete the rule we just inserted
iptables -D RH-Firewall-1-INPUT 9
/etc/rc.d/init.d/iptables stop //stop it and see if you can connect, if so, problem is firewall
SETUP IPTABLES LOGGING!
iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
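Once that LOG rule is in place the denied packets show up in the kernel log (dmesg / /var/log/messages). The script below is an added example, not part of the original notes: it summarises those lines by source, protocol and destination port so you can see what is being dropped. LOG_SAMPLE holds constructed log lines in the kernel's LOG format; the addresses in it are documentation ranges, not real hosts.

```shell
#!/bin/sh
# Added example, not from the original notes: summarise what the LOG rule above
# writes to the kernel log (prefix "iptables denied: ") by source, protocol and
# destination port. LOG_SAMPLE holds constructed log lines in the kernel's format.
LOG_SAMPLE='Mar  3 10:01:12 centos5 kernel: iptables denied: IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:13 centos5 kernel: iptables denied: IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:20 centos5 kernel: iptables denied: IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:03:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 10:01:21 centos5 kernel: iptables denied: IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:25 centos5 kernel: something unrelated that must be ignored'

# Read log lines on stdin; print "count src proto dpt" (dpt is "-" for ICMP),
# most frequent first. Only lines carrying the LOG rule's prefix are counted.
summarize_denied() {
    grep 'iptables denied: ' | awk '{
        src = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src != "") n[src " " proto " " dpt]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# The single source address with the most denied packets, summed over all ports.
top_source() {
    summarize_denied | awk '{ t[$2] += $1 } END { for (s in t) print t[s], s }' \
        | sort -rn | head -n 1 | awk '{ print $2 }'
}

# Stand-alone run over the sample; on a live box use: dmesg | summarize_denied
printf '%s\n' "$LOG_SAMPLE" | summarize_denied
```

The `-m limit --limit 5/min` on the LOG rule means a noisy source only produces a few of these lines per minute, so the counts are a lower bound, not a packet count.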
A MORE REFINED FIREWALL ALLOWING SSH, 127.0.0.1 TO CONTACT ITSELF, ETC.
#!/bin/bash
iptables --flush
iptables --delete-chain
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT //sshd's replies leave with source port 22
iptables -A INPUT -i lo -j ACCEPT //127.0.0.1 talking to itself
nano /etc/sysconfig/iptables
read the lines there very carefully; manual modification does not seem to work =(
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
//TO ONLY SLIGHTLY MODIFY THE DEFAULT REDHAT/CENTOS IPTABLES
#!/bin/bash
service iptables restart
iptables -A RH-Firewall-1-INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
/sbin/service iptables save
modifications on a default INPUT, OUTPUT, ACCEPT firewall
FIRST, always allow the loopback interface, as many applications "talk to themselves" over it... (ifconfig shows you the interface names to use with -i)
iptables -I INPUT 1 -i lo -j ACCEPT
Append a rule allowing established sessions (on all interfaces, all protocols, all ports)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
if your iptables lacks the conntrack match, the older state match does the same job
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Insert a rule at line 2 allowing standard ssh port
iptables -I INPUT 2 -p tcp --dport 22 -j ACCEPT
Allow a non standard ssh port (2345 here)
iptables -I INPUT 2 -p tcp --dport 2345 -j ACCEPT
DENY at the end...
iptables -A INPUT -j DROP
Note that this has removed the ICMP ping ability... so let's add it back
iptables -I INPUT 2 -p icmp -j ACCEPT
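The rules above end up in the chain in the order lo, icmp, ssh, ESTABLISHED/RELATED, DROP. The script below is an added example, not from the original notes: it writes that final ruleset in iptables-restore format so it loads as one transaction, checks that the SSH ACCEPT sits before the final DROP, and reverts to the saved rules automatically unless you confirm from the still-open SSH session (the "IF CONNECTED VIA SSH YOU'LL DISCONNECT YOURSELF" problem above). SSH_PORT, BACKUP and ROLLBACK_SECS are assumed placeholders; the apply step needs root and a box with iptables.

```shell
#!/bin/bash
# Added example, not from the original notes: load the "modifications on a default
# INPUT/OUTPUT ACCEPT firewall" ruleset above with iptables-restore, and revert it
# automatically unless the operator confirms, so a remote SSH session is not lost.
# SSH_PORT, BACKUP and ROLLBACK_SECS are assumed placeholders; run "apply" as root.
set -u
SSH_PORT="${SSH_PORT:-22}"
BACKUP="${BACKUP:-/root/iptables-before.fw}"
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"

# The same rules as the manual -I/-A commands above, in their final chain order,
# written in iptables-restore format (one transaction, so no half-applied state).
build_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# Lockout check before loading: an ACCEPT for the given SSH port must exist and
# must come before the final "-A INPUT -j DROP". Returns 0 when the ruleset is safe.
ruleset_is_sane() {
    build_ruleset | awk -v p="$1" '
        index($0, "--dport " p " ") && /-j ACCEPT/ { ssh = NR }
        /^-A INPUT -j DROP$/                       { drop = NR }
        END { if (ssh && drop && ssh < drop) exit 0; exit 1 }'
}

# Save the current rules, load the new ones, and restore the saved rules after
# ROLLBACK_SECS unless Enter is pressed from the (still working) SSH session.
apply_with_rollback() {
    ruleset_is_sane "$SSH_PORT" || { echo "refusing to load: no SSH ACCEPT before DROP" >&2; return 1; }
    iptables-save > "$BACKUP"
    ( sleep "$ROLLBACK_SECS"; iptables-restore < "$BACKUP" ) &
    watchdog=$!
    build_ruleset | iptables-restore
    if read -r -t "$ROLLBACK_SECS" -p "Keep new rules? press Enter within ${ROLLBACK_SECS}s: " _; then
        kill "$watchdog" 2>/dev/null
    fi
}
if [ "${1:-}" = "apply" ]; then apply_with_rollback; fi
```

Run it as `./fw.sh apply` (assumed file name) from your SSH session; if the session freezes, wait out ROLLBACK_SECS and the previous rules come back on their own.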