"iptables" Command on CentOS

Provides a tutorial example on how to use 'iptables' daemon CLI to manage network firewall on older CentOS systems.

The best tool to manage the network firewall on CentOS systems is the "firewall-cmd" frontend tool. But if you want to use the backend tool, you can follow this tutorial to use the "iptables" command.

1. Make sure that I have the latest version of "iptables" installed with the "dnf info" command:

herong$ sudo dnf info iptables

Installed Packages
Name         : iptables
Version      : 1.8.2
Release      : 16.el8
Architecture : x86_64
Size         : 2.3 M
Source       : iptables-1.8.2-16.el8.src.rpm
Repository   : @System
From repo    : anaconda
Summary      : Tools for managing Linux kernel packet filtering capabilities
URL          : http://www.netfilter.org/
License      : GPLv2 and Artistic 2.0 and ISC
Description  : The iptables utility controls the network packet filtering code in the
             : Linux kernel. If you need to set up firewalls and/or IP masquerading,
             : you should either install nftables or this package.
             :
             : Note: This package contains the nftables-based variants of iptables and
             : ip6tables, which are drop-in replacements of the legacy tools.

2. Check all chains of security rules with the "iptables" command:

herong$ sudo iptables --list

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

3. Append new rules to make my computer more secure. Remember that "iptable" rules are compared sequentially. If a match is found, it will take the action and quit.

# allow to visit google.com Website
herong$ sudo iptables -A OUTPUT -p tcp -d google.com -j ACCEPT

# stop going out to any HTTP Websites
herong$ sudo iptables -A OUTPUT -p tcp --dport 80 -j DROP

# stop going out to any HTTPS Websites
herong$ sudo iptables -A OUTPUT -p tcp --dport 443 -j DROP

# allow me to come in with SSH connection from my laptop
herong$ sudo iptables -A INPUT -p tcp -s 192.168.1.11 --dport 22 -j ACCEPT

# allow local computers access the Web server
herong$ sudo iptables -A INPUT -p tcp --src-range 192.168.1.2-192.168.1.100 --dport 80 -j ACCEPT

# stop everyone to come in with SSH connection
herong$ sudo iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 22 -j DROP

# stop everyone to come in on any ports
herong$ sudo iptables -A INPUT -j DROP

4. Save changes made in "iptables" permanently:

herong$ sudo /sbin/iptables-save

Note that "iptables" daemon is running on older CentOS systems instead of "firealld". You can check its status with the "service" command:

herong$ sudo service iptables status

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
...

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
...

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
...

Table of Contents

 About This Book

 Introduction to Linux Systems

 Cockpit - Web Portal for Administrator

 Process Management

 Files and Directories

 Users and Groups

 File Systems

 Block Devices and Partitions

 LVM (Logical Volume Manager)

 Installing CentOS

 SELinux - Security-Enhanced Linux

Network Connection on CentOS

 Setup Ethernet Connection on CentOS

 Network Firewall Tools on CentOS

 "firewalld" and "firewall-cmd" on CentOS

 Manage Multiple Firewall Zones

 "nftables" and "nft" on CentOS

"iptables" Command on CentOS

 "nmap" - Network Mapper on CentOS

 Monitor Network Services on CentOS

 Software Package Manager on CentOS - DNF and YUM

 Running Apache Web Server (httpd) on Linux Systems

 Running PHP Scripts on Linux Systems

 Running MySQL Database Server on Linux Systems

 Running Python Scripts on Linux Systems

 vsftpd - Very Secure FTP Daemon

 Postfix - Mail Transport Agent (MTA)

 Dovecot - IMAP and POP3 Server

 Email Client Tools - Mail User Agents (MUA)

 LDAP (Lightweight Directory Access Protocol)

 GCC - C/C++ Compiler

 Conda - Environment and Package Manager

 Tools and Utilities

 Administrative Tasks

 References

 Full Version in PDF/EPUB