Install iptables without the GUI:
[root@server ~]# yum install iptables

Install iptables together with the GUI by running the command below.

[root@server ~]# yum install system-config-securitylevel-tui iptstate firstboot-tui iptables
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * addons: centos.maulvi.net
 * base: mirror.averse.net
 * epel: ftp.cuhk.edu.hk
 * extras: mirror.averse.net
 * updates: mirror.averse.net
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package firstboot-tui.i386 0:1.4.27.8-1.el5.centos set to be updated
---> Package iptables.i386 0:1.3.5-5.3.el5_4.1 set to be updated
---> Package iptstate.i386 0:1.4-2.el5 set to be updated
---> Package system-config-securitylevel-tui.i386 0:1.6.29.1-6.el5 set to be updated
--> Processing Dependency: iptables-ipv6 for package: system-config-securitylevel-tui
--> Running transaction check
---> Package iptables-ipv6.i386 0:1.3.5-5.3.el5_4.1 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================
 Package                          Arch   Version                 Repository   Size
=============================================================================================
Installing:
 firstboot-tui                    i386   1.4.27.8-1.el5.centos   base        189 k
 iptables                         i386   1.3.5-5.3.el5_4.1       base        233 k
 iptstate                         i386   1.4-2.el5               base         27 k
 system-config-securitylevel-tui  i386   1.6.29.1-6.el5          base        254 k
Installing for dependencies:
 iptables-ipv6                    i386   1.3.5-5.3.el5_4.1       base        161 k

Transaction Summary
=============================================================================================
Install      5 Package(s)
Upgrade      0 Package(s)

Total download size: 864 k
Is this ok [y/N]: y
Downloading Packages:
(1/5): iptstate-1.4-2.el5.i386.rpm                              |  27 kB     00:00
(2/5): iptables-ipv6-1.3.5-5.3.el5_4.1.i386.rpm                 | 161 kB     00:01
(3/5): firstboot-tui-1.4.27.8-1.el5.centos.i386.rpm             | 189 kB     00:03
(4/5): iptables-1.3.5-5.3.el5_4.1.i386.rpm                      | 233 kB     00:03
(5/5): system-config-securitylevel-tui-1.6.29.1-6.el5.i386.rpm  | 254 kB     00:04
---------------------------------------------------------------------------------------------
Total                                                   60 kB/s | 864 kB     00:14
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : iptables                                  1/5
  Installing     : iptables-ipv6                             2/5
  Installing     : system-config-securitylevel-tui           3/5
  Installing     : iptstate                                  4/5
  Installing     : firstboot-tui                             5/5

Installed:
  firstboot-tui.i386 0:1.4.27.8-1.el5.centos
  iptables.i386 0:1.3.5-5.3.el5_4.1
  iptstate.i386 0:1.4-2.el5
  system-config-securitylevel-tui.i386 0:1.6.29.1-6.el5

Dependency Installed:
  iptables-ipv6.i386 0:1.3.5-5.3.el5_4.1

Complete!

Display the default iptables rules:

[root@server ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
To start, stop, and restart iptables, run the commands below:
[root@server ~]# service iptables start
[root@server ~]# service iptables stop
[root@server ~]# service iptables restart

To have iptables start at boot, use the chkconfig command:

[root@server ~]# chkconfig iptables on

Check whether iptables is running with the command below:

[root@server ~]# service iptables status
Firewall is stopped.

You can view the iptables manual by running:

[root@server ~]# man iptables

To let certain ports/programs through the firewall, add lines like the ones below to /etc/sysconfig/iptables, above the final REJECT rule (as in the complete configuration that follows). Ports used here:

22 = SSH
80 = Web service
443 = SSL Web service
25 = Sendmail or postfix
3306 = MySQL service
10000 = Webmin service

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT

The new iptables configuration should look like this:

[root@server ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Run the command below to view the iptables status and see which ports are currently open:
[root@server ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target                prot opt source               destination
1    RH-Firewall-1-INPUT   all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target                prot opt source               destination
1    RH-Firewall-1-INPUT   all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target                prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
num  target                prot opt source               destination
1    ACCEPT                all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT                icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT                esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT                ah   --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT                udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
6    ACCEPT                udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
7    ACCEPT                tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
8    ACCEPT                all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
9    ACCEPT                tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
10   ACCEPT                tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
11   ACCEPT                tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
12   ACCEPT                tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
13   ACCEPT                tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306
14   ACCEPT                tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10000
15   REJECT                all  --  0.0.0.0/0            0.0.0.0/0           reject-with icm
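The configuration above works because the new --dport ACCEPT lines sit above the chain's final unconditional REJECT; iptables evaluates a chain top to bottom and stops at the first terminating rule, so any ACCEPT pasted below the REJECT is never consulted, even though service iptables status would still list it. As an added example that is not part of the original tutorial, the POSIX shell script below (awk does the parsing) reads an /etc/sysconfig/iptables-style file on stdin and reports every port-opening ACCEPT rule together with whether it is reachable. The embedded ruleset is a constructed sample based on the page's configuration, with the port 10000 rule deliberately placed after the REJECT to show the failure mode; the function names audit_rules and sample_rules are mine.

```shell
#!/bin/sh
# Added example, not from the tutorial: audit an /etc/sysconfig/iptables-
# style ruleset for port rules that can never match.
#
# audit_rules reads the ruleset on stdin and prints one line per ACCEPT
# rule that carries a --dport:
#     <chain> <proto>/<port> <reachable|UNREACHABLE>
# A rule is UNREACHABLE when an earlier rule in the same chain was an
# unconditional ACCEPT, REJECT or DROP (no -p/-m/-s/-d/-i/-o/--dport/...),
# because the chain already terminated before reaching it.
audit_rules() {
    awk '
        /^-A / {
            chain = $2; proto = "any"; port = ""; target = ""; has_match = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-p")           { proto = $(i + 1); has_match = 1 }
                else if ($i == "--dport") { port = $(i + 1); has_match = 1 }
                else if ($i == "-j")      { target = $(i + 1) }
                else if ($i ~ /^-(m|s|d|i|o|-sport|-icmp-type|-state)$/) { has_match = 1 }
            }
            if (port != "" && target == "ACCEPT") {
                state = (chain in terminated) ? "UNREACHABLE" : "reachable"
                printf "%s %s/%s %s\n", chain, proto, port, state
            }
            # An unconditional terminating target ends evaluation of the chain
            # for every packet, so everything appended after it is dead.
            if (!has_match && (target == "ACCEPT" || target == "REJECT" || target == "DROP")) {
                terminated[chain] = 1
            }
        }
    '
}

# Constructed sample ruleset: the tutorial's configuration with the new
# lines in place, except that the Webmin rule (port 10000) has been put
# after the REJECT on purpose to demonstrate the ordering mistake.
sample_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT
COMMIT
EOF
}

# Usage on a real host:   audit_rules < /etc/sysconfig/iptables
# Usage with the sample:  sh audit_rules.sh demo
case "${1:-}" in
    demo) sample_rules | audit_rules ;;
esac
```

Running the sample prints eight "reachable" lines (5353/udp, 631/udp, 631/tcp, 22, 80, 443, 25, 3306) and flags tcp/10000 as UNREACHABLE; on a correctly ordered file such as the one in the tutorial every line reads "reachable". The check is static and intentionally conservative: it only recognises a rule as terminating when it has no match options at all, so it never reports a false UNREACHABLE for chains whose earlier rules are conditional.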