  1. #1 (Just Joined!, Join Date: Jan 2011, Posts: 3)

    IP Tables Trouble on CentOS 5
    Hey,

    I've got some trouble on a Centos 5 Server and I need to cut off some control.

    I need to protect everything except 22, 80 and 443.

    # Firewall configuration written by system-config-securitylevel
    # Manual customization of this file is not recommended.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    COMMIT

    How can I do this?

    Thanks

  2. #2 (Just Joined!, Join Date: Mar 2005, Location: Charlotte, MI, Posts: 8)
    Simply add a little bit more to your current firewall file as follows:

    *nat
    -A PREROUTING -p tcp --dport 80 -j ACCEPT
    -A PREROUTING -p tcp --dport 443 -j ACCEPT
    -A PREROUTING -p tcp --dport 22 -j ACCEPT
    -A PREROUTING -p tcp -j DROP
    -A PREROUTING -p udp -j DROP
    COMMIT

    If iptables complains about "-j DROP" in those last two rules, you'll have to modify those two lines slightly. The newer kernels don't like DROP being in the nat table. If so, just change those two lines as follows:

    -A PREROUTING -p tcp -j DNAT --to 0
    -A PREROUTING -p udp -j DNAT --to 0

    What this will do is accept TCP ports 80, 443, and 22. Anything else will be dropped, including UDP access.

    -Maurice

  3. #3 (Just Joined!, Join Date: Jan 2011, Posts: 3)
    Excellent thank you,

    It seems that worked, I ran /etc/init.d/iptables condrestart and I got:

    Flushing firewall rules [OK]
    Setting chains to policy ACCEPT:filter [OK]
    Unloading iptables module [OK]
    Applying iptables firewall rules [OK]

    - I added your rules under the first block I spoke about in my first post - was that right?

    Also, does this block the inbound services and email etc.? I need them open, but I think they are ports 110 and 443, aren't they?

  4. #4 (Just Joined!, Join Date: Mar 2005, Location: Charlotte, MI, Posts: 8)
    Quote Originally Posted by wmguk:
    > Also, does this block the inbound services and email etc.? I need them open, but I think they are ports 110 and 443, aren't they?
    Whatever additional ports you need open, just include more lines with those port numbers in them. Just be sure to keep the "DROP" lines last. If you put them first, everything will get blocked.

    For incoming email, you'll want port 25 open. Port 110 is for POP3 email. You'll use that when you are fetching email from your server.

    443 is not for email, other than when you are accessing a webmail service through a web browser and using HTTPS.

    If you wish to have most all of the popular email services open, you'll want to allow ports 25, 110, 143, 220, 465, 993, and 995. This will cover smtp, smtps, pop3, pop3s, imap2, imap3, and imaps.

    You can check to make sure the "DROP" lines were accepted by issuing the following command:

    iptables -t nat -L -n | less

    This will allow you to scroll up and down to view all the "nat" rules that are in use. Just hit q when finished looking.

    -Maurice
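
An added example, not code from this thread, that lints an iptables-save ruleset for the two points raised in posts #2 and #4: DROP is not accepted as a nat-table target on newer kernels, and a catch-all DROP placed before the allow lines leaves every later rule unreachable. It also carries a constructed filter-table equivalent of the same policy (default-deny INPUT, loopback and established connections kept, only 22, 80 and 443 opened), which is an assumption of this example rather than anything posted in the thread.

```python
import shlex
# Constructed sample: the nat-table rules that post #2 appends.
NAT_RULES = """\
*nat
-A PREROUTING -p tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp --dport 443 -j ACCEPT
-A PREROUTING -p tcp --dport 22 -j ACCEPT
-A PREROUTING -p tcp -j DROP
-A PREROUTING -p udp -j DROP
COMMIT
"""

# Constructed filter-table version (not from the thread): default-deny INPUT.
FILTER_RULES = """\
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

def rules(text):
    """Yield (table, chain, match_options, target) for each -A line."""
    table = None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            tok = shlex.split(line)
            j = tok.index("-j")
            yield table, tok[1], tok[2:j], tok[j + 1]

def lint(text):
    """Return findings; an empty list means the ruleset passed both checks."""
    findings, sealed = [], set()  # (table, chain, proto) ended by a catch-all DROP
    for table, chain, match, target in rules(text):
        proto = match[match.index("-p") + 1] if "-p" in match else "all"
        extra = [o for o in match if o.startswith("-") and o != "-p"]
        where = "%s %s: %s -j %s" % (table, chain, " ".join(match), target)
        if table == "nat" and target in ("DROP", "REJECT"):
            findings.append("%s is not a valid nat target (%s)" % (target, where))
        if {(table, chain, proto), (table, chain, "all")} & sealed:
            findings.append("unreachable, shadowed by an earlier catch-all DROP (%s)" % where)
        if target in ("DROP", "REJECT") and not extra:
            sealed.add((table, chain, proto))
    return findings
```

Nothing here touches the kernel; run `lint()` on the text of `/etc/sysconfig/iptables` before applying it with `iptables-restore`.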
