[CentOS] A little iptables help

David Johnston david at littlebald.com
Wed Sep 28 14:57:19 UTC 2005


On Wed, 2005-09-28 at 08:54 -0400, James Pifer wrote:
> Wondering if anyone is willing to give me a little assistance with some
> firewall rules. I think what I'm looking for is fairly simple, and I've
> been trying to use webmin's firewall module without success.
> 
> I have a web server that I'd like to open up port 80 and forward a
> specific port for a select number of allowed ips. That's it. Everything
> else is dropped. 
> 
> allow: port 80
> allow: forward port 8000 for x.x.x.x to y.y.y.y
> 
> Anyone willing to assist with the rules? And lastly, how would I apply
> it in a way that it will always be in effect? If the machine reboots for
> example.

James,
I've found that "man iptables" is actually a fairly good introduction to
iptables.

For your setup, you probably need something along the lines of
   # iptables -I INPUT -p tcp --dport 80 -j ACCEPT
to allow global access to the web server, and similar lines for your
more limited access to port 8000.

As for making your changes permanent, "service iptables save" will store
your current iptables rules in /etc/sysconfig/iptables; this is the file
that "service iptables start" uses at boot time.  MAKE BACKUP COPIES
OF /etc/sysconfig/iptables EVERY TIME BEFORE YOU RUN service iptables
save JUST IN CASE YOU DON'T LIKE THE CHANGES.

You should check to make sure that the iptables service is set to start at
boot time. You can do this by running "chkconfig --list iptables"; you
will get something like this:
    iptables       0:off  1:off  2:off  3:on   4:on   5:on   6:off

This example means "iptables will be started when entering runlevels 3,
4, or 5, and stopped when entering runlevels 0, 1, 2, or 6."  

Your server is most likely running at runlevel 3, unless you have a GUI
interface running on it.  The GUI is only necessary if your server is
also someone's desktop.  You can find out which runlevel your server is
set to use by running "grep ^id /etc/inittab"; you will get a line like
this:
    id:3:initdefault:

Look for the number after the first colon.

hth
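As an added example (not part of David's reply or of any project), the script below emits a complete ruleset for James's policy in the iptables-save format that /etc/sysconfig/iptables uses: TCP/80 open to all, TCP/8000 forwarded only for a short allow-list of sources, everything else dropped. The addresses and interface name are constructed placeholders.

```shell
#!/bin/sh
# Generates an iptables-save style ruleset for the policy in the thread.
# Constructed placeholders: the allow-list stands in for "x.x.x.x", the
# internal host for "y.y.y.y", and eth0 for the public interface.
ALLOWED_SRC="${ALLOWED_SRC:-203.0.113.10 203.0.113.11}"
FORWARD_DST="${FORWARD_DST:-192.168.1.20}"
WAN_IF="${WAN_IF:-eth0}"

gen_rules() {
    # nat table: rewrite the destination of port 8000 only for listed sources
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    for src in $ALLOWED_SRC; do
        echo "-A PREROUTING -i $WAN_IF -s $src -p tcp --dport 8000 -j DNAT --to-destination $FORWARD_DST:8000"
    done
    echo 'COMMIT'
    # filter table: default DROP on INPUT and FORWARD, explicit accepts only
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -p tcp --dport 80 -j ACCEPT'
    echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for src in $ALLOWED_SRC; do
        echo "-A FORWARD -i $WAN_IF -s $src -d $FORWARD_DST -p tcp --dport 8000 -j ACCEPT"
    done
    echo 'COMMIT'
}

# Sanity check: each allowed source should yield exactly one DNAT rule and
# one FORWARD rule for port 8000, so the count is twice the list length.
count_8000() {
    gen_rules | grep -c -- '--dport 8000'
}

gen_rules
```

Review the output, then load it with `iptables-restore` or write it to /etc/sysconfig/iptables as the reply describes; the DNAT only takes effect once IP forwarding is enabled in /proc/sys/net/ipv4/ip_forward.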