First of all, there are two ways to edit the iptables rules. One is to use the /sbin/iptables binary to append rules one at a time; the other is to edit the /etc/sysconfig/iptables file directly.
There is basically no difference between the two methods: adding “THIS LINE” to the /etc/sysconfig/iptables file is the same thing as running the “/sbin/iptables THIS LINE” command. Just keep in mind that iptables rules are sequential: a packet is checked against the rules of a chain in order, and the third line is only reached if the second line did not already match and decide the packet’s fate.
By default, when you install a CentOS system, iptables will only allow connections to port 22, for obvious reasons: not to block your ssh connections. But if you change the ssh server port, or run an httpd service, a mail service or any other service, the default iptables rules will block the incoming connections to it (the INPUT chain ends with a REJECT rule).
The default settings are pretty much like this:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Let’s say you install Apache (or equivalent) on your server; iptables will then keep blocking ports 80 and 443. To make them reachable, we have to add ACCEPT rules for them to the INPUT chain before the final REJECT rule.
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
Let’s say you want to block a specific IP address on any port; then you can add a line like this:
-A INPUT -s 192.168.16.29 -j DROP
If you’d like to log the access attempts from this IP address, add the following before the DROP line:
-A INPUT -s 192.168.16.29 -m limit --limit 2/min -j LOG --log-prefix "STAY AWAY! "
This line will log any attempt from the IP address 192.168.16.29, but the limit match caps the logging: at most two matching packets per minute reach the LOG target, so your log file won’t fill up the whole disk. LOG does not stop rule processing, which is why it has to sit before the DROP: the packet is logged and then falls through to the DROP rule. The prefix “STAY AWAY!” appears on each log line, so you can easily grep the relevant lines out of the log file. Don’t mistake this for a message: “STAY AWAY!” is NOT sent to the blocked IP or anything; it is only written to the log.
In the end, our iptables file will look like this:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.16.29 -m limit --limit 2/min -j LOG --log-prefix "STAY AWAY! "
-A INPUT -s 192.168.16.29 -j DROP
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
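As an added example (not part of the original post), a small Python first-match simulator over the iptables-save format: it reads the INPUT chain of the final file above and reports which rules a given packet hits, so the ordering point (ACCEPT rules before the final REJECT, LOG before DROP) can be checked without touching a live box. The copy of the file and the packet descriptions are constructed here; "-m limit" is assumed to be under its rate, and -s is matched as an exact address.

```python
import shlex

# Constructed copy of the INPUT chain from the final /etc/sysconfig/iptables above.
RULES_FILE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.16.29 -m limit --limit 2/min -j LOG --log-prefix "STAY AWAY! "
-A INPUT -s 192.168.16.29 -j DROP
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
MATCH_OPTS = {"-s": "src", "-i": "iface", "-p": "proto", "--dport": "dport", "--state": "state"}  # rule option -> packet field

def parse_chain(text, chain):
    """Return (policy, rules) for one chain; a rule is its match options plus its -j target."""
    policy, rules = "ACCEPT", []
    for toks in map(shlex.split, text.splitlines()):
        if toks and toks[0] == ":" + chain:
            policy = toks[1]
        elif toks[:2] == ["-A", chain]:
            rule = {t: toks[i + 1] for i, t in enumerate(toks) if t in MATCH_OPTS}
            rule["target"] = toks[toks.index("-j") + 1]
            rules.append(rule)
    return policy, rules

def packet(src, proto, dport=None, state="NEW", iface="eth0"):
    return {"src": src, "proto": proto, "dport": dport, "iface": iface, "state": state}

def rule_matches(rule, pkt):
    # Every option on the rule must hold ('--state' is a comma list); '-m limit' is
    # assumed to be under its limit, so the LOG rule fires for every matching packet.
    return all(str(pkt[f]) in rule[o].split(",") for o, f in MATCH_OPTS.items() if o in rule)

def evaluate(text, chain, pkt):
    """First-match walk; LOG is non-terminating. Returns (verdict, matched rule numbers)."""
    policy, rules = parse_chain(text, chain)
    hits = []
    for n, rule in enumerate(rules, 1):
        if rule_matches(rule, pkt):
            hits.append(n)
            if rule["target"] != "LOG":
                return rule["target"], hits
    return policy, hits  # nothing terminated: the chain policy decides
```

Moving the REJECT rule above the port 80/443 ACCEPT rules and re-running evaluate shows the web ports being rejected at rule 7, which is exactly the misordering the post warns about.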