IPTables Centos
Iptables rules
There are 2 ways to configure iptables to open up port 80. First is using the iptables command and second is by creating a configuration file. First check the existing iptables rules in effect. The command is quite simple. Here is a sample output.
[root@dhcppc2 ~]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@dhcppc2 ~]#
As can be seen in the output, there is a REJECT line in the INPUT chain at the end that says, reject all. However the previous line allows to accept ssh connections so ssh is working. A little more verbose and numeric list can be seen using the v and n options along with the L option
[root@dhcppc2 ~]# iptables --line -vnL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 273 22516 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 3 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 4 1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 5 271 36456 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 172 packets, 24494 bytes) num pkts bytes target prot opt in out source destination [root@dhcppc2 ~]#
Open port 80
To accept http connections we need to add a rule at line number 5 and push the REJECT line below. Here is the command to do it.
# iptables -I INPUT 5 -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
The above command will add a rule at line #5 stating that the firewall should accept incoming connections on port 80. Check the iptables rules again.
[root@dhcppc2 ~]# iptables --line -vnL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 291 23868 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 3 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 4 1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 5 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW,ESTABLISHED 6 286 38524 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 4 packets, 608 bytes) num pkts bytes target prot opt in out source destination [root@dhcppc2 ~]#
Now we have the new tcp port 80 rule at line #5 and so now the http port is accessible from outer network.
However this change is temporary and would vanish if the server is rebooted. To make it permanent issue the iptables save command.
However this change is temporary and would vanish if the server is rebooted. To make it permanent issue the iptables save command.
[root@dhcppc2 ~]# service iptables save iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
The new rules are saved to the file /etc/sysconfig/iptables. Here is how the file looks
# Generated by iptables-save v1.4.7 on Fri Oct 25 10:33:46 2013 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [39:6956] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT # Completed on Fri Oct 25 10:33:46 2013
Now the change is permanent.
Alternatively you could directly edit the iptables configuration file and restart iptables and the same change would take effect.
Alternatively you could directly edit the iptables configuration file and restart iptables and the same change would take effect.
[root@dhcppc2 ~]# service iptables restart iptables: Flushing firewall rules: [ OK ] iptables: Setting chains to policy ACCEPT: filter [ OK ] iptables: Unloading modules: [ OK ] iptables: Applying firewall rules: [ OK ] [root@dhcppc2 ~]#
Tidak ada komentar :
Posting Komentar