How to Use the iptables Firewall on a CentOS 6 Cloud Server?

10-01-2024 05:37:57

A firewall is a security tool that controls incoming and outgoing network traffic according to a series of rules. Its purpose on a cloud server is to expose only the services the server is meant to offer, which defeats port scans and shuts out unsolicited connection attempts from attackers. Firewalls come in two types, hardware firewalls and software firewalls; on CentOS 6 cloud servers the firewall installed by default is iptables, a software firewall.

This article demonstrates iptables in a web application scenario: we block every service except SSH, ping, web, DNS and NTP. This is the most basic use of iptables and essential knowledge for operations staff. IPv6 is not covered; it is filtered by a separate tool, ip6tables, with its own rule set, so the rules below leave IPv6 traffic untouched. Note also that in CentOS 7 iptables is no longer the default firewall management tool; it is replaced by firewalld (which still drives iptables underneath), though the classic iptables service can be reinstalled and enabled on CentOS 7.

We need to start with a cloud server running CentOS 6 and ensure that we can log in to the system with a root account.

Step One: Planning iptables Rules

In this article's demonstration environment the cloud server provides web services only, with no FTP, email, IRC or the like. The services, protocols and ports we plan to open are listed in the table below; everything else is blocked.

Service   Protocol    Port
HTTP      TCP         80
HTTPS     TCP         443
SSH       TCP         22
NTP       UDP         123
DNS       TCP & UDP   53
Ping      ICMP        echo-request (ICMP has no port)

As mentioned, iptables controls network access through a series of rules. When a packet reaches the cloud server, iptables checks it against these rules in order; the first rule that matches decides what happens to the packet (ACCEPT, DROP or REJECT) and no later rule is consulted. If no rule matches, the chain's default policy decides.

Packets are sorted into three chains depending on their direction: INPUT, OUTPUT and FORWARD. Each chain gets its own treatment, which also becomes its default policy:

  • INPUT: Incoming packets might be safe or harmful, so each one is judged by the rules; anything not explicitly accepted is dropped by the default policy.
  • OUTPUT: Outgoing packets originate on the server itself and are usually considered safe, so the policy is to accept them.
  • FORWARD: This server is not a router, so packets that would be forwarded between interfaces serve no purpose and are dropped.

Step Two: Creating iptables Rules

Now, let's set up iptables firewall rules according to our plan. The following commands are executed after logging into the system with a root account, so ensure your login account has root privileges.

View current rules:

iptables -L -n

Clear current rules (if the INPUT policy is already DROP from an earlier run, reset it to ACCEPT first with the -P command shown at the end of this step; flushing removes the ACCEPT rules but not the policy, which would cut off your own SSH session):

iptables -F; iptables -X; iptables -Z

Accept the loopback interface, then reject packets addressed to 127.0.0.0/8 that arrive on any other interface (loopback addresses belong on the loopback interface only):

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -d 127.0.0.0/8 -j REJECT

Drop malformed TCP segments typical of port scans: new connections that do not begin with SYN, packets with no flags set (null scan) and packets with every flag set:

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

Accept packets belonging to connections that are already established, plus related traffic such as ICMP error messages:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Accept HTTP and HTTPS connections:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Accept SSH connections:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Accept NTP (UDP port 123; NTP does not use TCP):

iptables -A INPUT -p udp --dport 123 -j ACCEPT

Accept DNS requests:

iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT

Allow ping (ICMP echo requests; replies to pings sent from the server are already covered by the ESTABLISHED,RELATED rule):

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

Finally, set the default policies for the three chains. Doing this last matters: if INPUT were set to DROP before the ACCEPT rules existed, the SSH session you are working in would be cut off immediately.

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

Step Three: Saving iptables Rules

It's important to note that while the above settings take effect immediately, they are not permanent. If not saved, the rules are lost after a reboot, because the iptables init script loads whatever /etc/sysconfig/iptables last contained. Therefore we need to save the rules we've just set to the cloud server's disk. The command to save iptables rules is:

service iptables save

The rules are saved to /etc/sysconfig/iptables in iptables-save format, which you can view or edit directly. The iptables service loads this file at boot as long as the service is enabled (check with chkconfig --list iptables).

cat /etc/sysconfig/iptables
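The saved file uses the same format that iptables-restore reads, and that format has a practical advantage over typing rules one at a time: the policies and all rules are loaded together in one atomic step, so there is never a moment where INPUT is DROP with an empty chain. The script below is an added example, not code from the article; it prints the Step Two ruleset in that format and takes the TCP and UDP port lists as parameters so it can be reused for other services. The names gen_rules and rule are chosen for this example.

```shell
#!/bin/sh
# Added example (not from the article): print the web-server ruleset from
# Step Two in the iptables-save format that /etc/sysconfig/iptables uses.
# Loading it with iptables-restore applies policies and rules in one atomic
# step, so there is no moment where INPUT is DROP with an empty chain.
# gen_rules and rule are hypothetical names chosen for this example.
#
# Usage (as root):
#   sh gen_rules.sh > /tmp/web.rules
#   iptables-restore < /tmp/web.rules    # load everything at once
#   service iptables save                # persist to /etc/sysconfig/iptables

rule() { printf '%s\n' "$*"; }   # one rule per line, as iptables-save writes it

# $1: TCP ports to open, $2: UDP ports to open (space separated lists)
gen_rules() {
    tcp_ports=$1
    udp_ports=$2

    rule '*filter'
    # Chain policies: drop unsolicited input, allow output, never forward
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'

    # Loopback interface, then reject loopback addresses on any other interface
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -d 127.0.0.0/8 -j REJECT

    # Scan noise: new connections not starting with SYN, null and all-flags packets
    rule -A INPUT -p tcp '!' --syn -m state --state NEW -j DROP
    rule -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    rule -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

    # Replies to connections this host opened, plus related traffic (ICMP errors)
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    for p in $tcp_ports; do rule -A INPUT -p tcp --dport "$p" -j ACCEPT; done
    for p in $udp_ports; do rule -A INPUT -p udp --dport "$p" -j ACCEPT; done

    rule -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    rule COMMIT
}

# Ports from the article's table: HTTP, HTTPS, SSH and DNS over TCP; NTP and DNS over UDP
gen_rules "80 443 22 53" "123 53"
```

Because iptables-restore parses the whole file before committing, a typo in one line rejects the file and leaves the running rules unchanged, which is another reason to prefer it over a sequence of individual iptables commands on a remote machine.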

What if I'm Locked Out?

Since iptables rules are effective immediately, a misconfiguration might lock us out, preventing remote management of the cloud server. What to do in such a case? There are two solutions:

  • If you haven't saved the iptables rules yet, it's simple. Go to the management center => Business Management => Cloud Server Management and reboot the cloud server; at boot the iptables service loads the last saved /etc/sysconfig/iptables, so the unsaved mistake is gone.
  • If you have already saved the iptables rules, remember that you can still manage the cloud server through the console. Open Data Management Center => Business Management => Cloud Server Management => Console, enter your username and password to access the system, and execute iptables -P INPUT ACCEPT followed by iptables -F. Flushing alone is not enough: -F removes the rules but leaves the INPUT policy at DROP, so every incoming packet would still be dropped. Once remote access works again, fix the rules and run service iptables save so the broken file is overwritten.
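Reaching for the provider console is the recovery of last resort. The usual practitioner precaution is to arm a revert timer before loading a new ruleset: the current rules are saved, the new ones are loaded, and unless you confirm within a deadline that a fresh SSH session still works, the saved rules are restored automatically. The script below is an added example, not code from the article; safe_apply, confirm_rules and the variables IPT_SAVE, IPT_RESTORE, BACKUP and TIMER_PID_FILE are names chosen for this example, and the two IPT_ variables default to the real iptables-save and iptables-restore tools.

```shell
#!/bin/sh
# Added example (not from the article): load a new ruleset with a revert timer.
# The current rules are saved first; if you do not run confirm_rules within
# TIMEOUT seconds (because the new rules cut your SSH session), the timer
# restores the saved rules, so a mistake cannot lock you out.
# safe_apply, confirm_rules, IPT_SAVE, IPT_RESTORE, BACKUP and TIMER_PID_FILE
# are hypothetical names chosen for this example.
#
# Usage (as root):
#   . ./safe_apply.sh
#   safe_apply /tmp/web.rules 90   # load rules, start a 90 s revert timer
#   (open a NEW ssh session and check that it works)
#   confirm_rules                  # cancel the revert, then: service iptables save
#
# IPT_SAVE / IPT_RESTORE default to the real tools; they can be pointed at
# stubs to exercise the logic on a machine without iptables.

safe_apply() {
    rules=$1
    timeout=${2:-60}
    backup=${BACKUP:-/root/iptables.before}
    pidfile=${TIMER_PID_FILE:-/var/run/iptables-revert.pid}
    save=${IPT_SAVE:-iptables-save}
    restore=${IPT_RESTORE:-iptables-restore}

    [ -r "$rules" ] || { echo "cannot read rules file: $rules" >&2; return 1; }

    # 1. keep the rules that are loaded right now
    $save > "$backup" || return 1

    # 2. arm the timer BEFORE loading anything: if the new rules cut the
    #    session, the timer is already running. HUP is ignored and stdio is
    #    detached so the timer survives the SSH session going away.
    ( trap '' HUP INT; sleep "$timeout"; $restore < "$backup"; rm -f "$pidfile" ) \
        </dev/null >/dev/null 2>&1 &
    echo $! > "$pidfile"

    # 3. load the new rules atomically; on a parse error nothing is committed,
    #    so just disarm the timer and report
    if ! $restore < "$rules"; then
        confirm_rules >/dev/null
        echo "new rules rejected, old rules still active" >&2
        return 1
    fi
    echo "rules loaded; run confirm_rules within $timeout s or they are reverted"
}

confirm_rules() {
    pidfile=${TIMER_PID_FILE:-/var/run/iptables-revert.pid}
    [ -r "$pidfile" ] || { echo "no revert timer is running" >&2; return 1; }
    kill "$(cat "$pidfile")" 2>/dev/null || true
    rm -f "$pidfile"
    echo "revert timer cancelled; persist the rules with: service iptables save"
}
```

Confirm from a second, newly opened SSH session rather than the one you loaded the rules from: the existing session keeps working through the ESTABLISHED rule even when port 22 has been forgotten, so only a fresh connection proves the ruleset is usable.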