Iptables

Revision as of 18:29, 4 February 2011 by Scott

Here is an example firewall that blocks everything except ssh (port 22), http (port 80), and the VNC ports 5901 to 5920, the last only from the local subnet (on Red Hat this file is /etc/sysconfig/iptables and is in iptables-save format):

# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended (but has been performed!)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 123.45.67.0/24 -m state --state NEW -m tcp -p tcp --dport 5901:5920 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Changes to this file won't be reflected until the iptables service is restarted:

/etc/init.d/iptables restart

Check the active rules with:

iptables -L -n
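To review the rule file before restarting the service, here is an added example (not part of this wiki page): a small Python auditor that parses an iptables-save style file offline, finds the catch-all REJECT, lists which TCP ports accept NEW connections and from which sources, and counts any rules left after the catch-all, which can never match. The ruleset above is embedded as its sample input; the chain name RH-Firewall-1-INPUT and the option subset it understands are taken from that file, and negation (!) or multiport matches are not handled.

```python
"""Offline audit of an iptables-save style ruleset such as /etc/sysconfig/iptables.

Added example, not part of the wiki page: parses the rule file and reports
what the firewall actually exposes, without needing root or a live kernel.
"""
import shlex

# The ruleset from the example above, embedded so the audit runs offline.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 123.45.67.0/24 -m state --state NEW -m tcp -p tcp --dport 5901:5920 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Options that take a value in the subset of iptables syntax handled here
# (negation with "!" and multiport matches are not handled).
VALUED = {"-A", "-i", "-o", "-p", "-s", "-d", "-j",
          "--state", "--dport", "--sport", "--icmp-type", "--reject-with"}
# Targets that end evaluation of a packet in the chain.
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
ANY_SOURCE = "0.0.0.0/0"


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of option -> value."""
    tokens = shlex.split(line)
    rule = {"modules": []}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-m":                       # match extensions may repeat
            rule["modules"].append(tokens[i + 1])
            i += 2
        elif tok in VALUED:
            rule[tok] = tokens[i + 1]
            i += 2
        else:
            rule[tok] = True                  # bare flag
            i += 1
    return rule


def parse_ruleset(text):
    """Return (policies, chains): chain -> policy string, chain -> rule list."""
    policies, chains = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):              # ":NAME POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            policies[name] = policy           # "-" means a user-defined chain
            chains.setdefault(name, [])
        else:
            rule = parse_rule(line)
            chains.setdefault(rule["-A"], []).append(rule)
    return policies, chains


def catch_all_index(rules):
    """Index of the first rule that matches every packet and has a terminal target."""
    for idx, rule in enumerate(rules):
        has_match = rule["modules"] or any(
            k not in ("-A", "-j", "--reject-with", "modules") for k in rule)
        if not has_match and rule.get("-j") in TERMINAL:
            return idx
    return None


def audit(text, chain="RH-Firewall-1-INPUT"):
    """Summarise what `chain` exposes to new inbound TCP connections."""
    policies, chains = parse_ruleset(text)
    rules = chains.get(chain, [])
    end = catch_all_index(rules)
    reachable = rules if end is None else rules[:end]
    open_tcp = [(r["--dport"], r.get("-s", ANY_SOURCE))
                for r in reachable
                if r.get("-j") == "ACCEPT" and r.get("-p") == "tcp" and "--dport" in r]
    return {
        # built-in chains that jump into the audited chain
        "entry_points": sorted(c for c, rs in chains.items()
                               if any(r.get("-j") == chain for r in rs)),
        "builtin_policies": {c: p for c, p in policies.items() if p != "-"},
        "catch_all": None if end is None else rules[end]["-j"],
        "open_tcp": open_tcp,
        "unrestricted": [port for port, src in open_tcp if src == ANY_SOURCE],
        "unreachable": 0 if end is None else len(rules) - end - 1,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_RULESET).items():
        print(f"{key}: {value}")
```

Two things the audit makes visible: the built-in INPUT and FORWARD policies are ACCEPT, so the final `-j REJECT` line is the only thing that turns this into a default-deny firewall, and any rule appended after it is dead. The `iptables -L -n` step above then confirms that the kernel loaded the same chain order the file describes.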