How to use the CentOS firewall (iptables)

The iptables setup on CentOS is actually easier to handle than on Debian.

Three small commands make it quite easy to manage:

iptables-save
iptables-restore
service iptables save

Of course you still use the usual iptables syntax, for example:

iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT

After you have added some rules, you can simply export your iptables configuration:

iptables-save > firewall.txt

The exported file will look similar to this:

# Generated by iptables-save v1.4.7 on Mon Nov  7 12:11:59 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [23:6016]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Nov  7 12:11:59 2011

Just add, change or delete rules and re-import the file!
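Before re-importing an edited file (and especially before making it permanent with "service iptables save"), it is worth checking that the ruleset still has a DROP default policy on INPUT and FORWARD and does not open a port to every source. The following is an added example, not part of the original post: it parses the iptables-save format shown above and reports such findings. The sample ruleset is constructed; the FORWARD policy and the port-80 rule are deliberately loosened to show what a finding looks like.

```python
import shlex

# Constructed sample in iptables-save format (mirrors the post's listing,
# with FORWARD policy and the port-80 rule loosened to show findings).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [23:6016]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse_filter_table(text):
    """Parse the *filter table: return ({chain: policy}, [rule tokens])."""
    policies, rules, in_filter = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. *filter
            in_filter = line == "*filter"
        elif not in_filter or line == "COMMIT" or line.startswith("#"):
            continue
        elif line.startswith(":"):          # chain policy and packet counters
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A"):         # append-rule line
            rules.append(shlex.split(line))
    return policies, rules

def _opt(tokens, flag):
    """Value following an option flag, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def audit(text):
    """Return findings (empty list = clean) for a saved ruleset."""
    policies, rules = parse_filter_table(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):      # both should default to DROP
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} default policy is {policies.get(chain)}, not DROP")
    for t in rules:                         # a port opened without a -s restriction
        if _opt(t, "-A") == "INPUT" and _opt(t, "-j") == "ACCEPT" and "--dport" in t:
            if _opt(t, "-s") is None:
                findings.append(f"INPUT accepts {_opt(t, '-p')}/{_opt(t, '--dport')} from any source")
    return findings
```

Run audit() on the contents of firewall.txt; an empty list means the two checks passed, anything else is worth a second look before restoring.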

iptables-restore < firewall.txt

Check that the configuration works, and if you want to keep it across the next reboot, just type:

service iptables save

UPDATE:
Oh, there was a little mistake in the code. In addition, today I had a problem with a newly installed CentOS 6, where the restore command didn't work properly because not all the rules were applied. To fix that, I found I had to update the system with a simple "yum update". Seems like there was a corrupt package on my install CD.

Thanks to Derek for the explanations.
