  1. #1
    Just Joined!
    Join Date
    Jul 2012
    Posts
    2

    Looking for information on iptables


    So I have my first CentOS server for a personal website and I wanted to block a certain IP address. I was wondering, if I add the rule

    Code:
    # iptables -A INPUT -s 58.218.199.250 -j DROP
    # /sbin/service iptables save
    1. Would it block the IP from now on and save the rules?

    2. Would it ruin my current iptables configuration? I used the basic firewall application on the system to allow HTTP (80) and SSH (22) on my computer already.

    Thanks in advance for the help. I'm still unsure about how these chains work and whether I should make a configuration script to do this, something like:

    Code:
    #!/bin/bash
    #
    # iptables example configuration script
    #
    # Flush all current rules from iptables
    #
    iptables -F
    #
    # Allow SSH connections on tcp port 22
    # This is essential when working on remote servers via SSH to prevent locking yourself out of the system
    #
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    # Allow HTTP for Apache
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    #
    # Drop the spammy hacker
    iptables -A INPUT -s 58.218.199.250 -j DROP
    # Set default policies for INPUT, FORWARD and OUTPUT chains
    #
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    #
    # Set access for localhost
    #
    iptables -A INPUT -i lo -j ACCEPT
    #
    # Accept packets belonging to established and related connections
    #
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #
    # Save settings
    #
    /sbin/service iptables save
    #
    # List rules
    #
    iptables -L -v

  2. #2
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    Hi,

    The best thing to do is to start with the system-provided iptables configuration in /etc/sysconfig/iptables. If you use the iptables GUI (system-config-firewall, I think), it will create one for you. Then add your iptables rule to drop the IP address as you've shown. The important thing to remember is to only use the iptables GUI initially to set up a working iptables config file. Once you start to modify it, never use the GUI again, as it will overwrite your modified config file.

    I've never used "service iptables save" before, but after looking at the init script, it appears to just write the file to /etc/sysconfig/iptables, so you should be good using it.

    You can always run this command to show the current iptables rules that the kernel is using:
    Code:
    iptables-save
    The output of it is also in an acceptable format to be used directly as /etc/sysconfig/iptables, too.

    If you have trouble getting the DROP rule to work (test it on a local IP that you can temporarily block), try using an input rule (-I) instead of an append rule (-A).

  3. #3
    awc
    Just Joined!
    Join Date
    Aug 2012
    Location
    North America
    Posts
    40
    Typically you have to tell your system to load the firewall rules you saved using iptables-save. This is usually done by adding a line to /etc/rc.local so it runs during startup.

    The whole process should go a little something like this:

    Code:
    # The redirection must run as root too; with plain "sudo iptables-save > file" only
    # iptables-save is privileged and the shell cannot write to /etc.
    $ sudo sh -c 'iptables-save > /etc/firewall.rules'
    then add the following to the end of /etc/rc.local:

    Code:
    /sbin/iptables-restore < /etc/firewall.rules
    I'm pretty sure CentOS still uses rc.local for custom startup commands.

  4. #4
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    You don't need to do this in CentOS (RHEL, Fedora, etc.). It is controlled by the initscript (/etc/init.d/iptables and ip6tables). Later (Fedora 15 and later, future RHEL, etc.) it is replaced by the systemd way of doing things. Anyway, the init script reads the /etc/sysconfig/iptables file and starts up the firewall based upon the rules there.

  5. #5
    awc
    Just Joined!
    Join Date
    Aug 2012
    Location
    North America
    Posts
    40
    Quote Originally Posted by atreyu:
    You don't need to do this in CentOS (RHEL, Fedora, etc.). It is controlled by the initscript (/etc/init.d/iptables and ip6tables). Later (Fedora 15 and later, future RHEL, etc.) it is replaced by the systemd way of doing things. Anyway, the init script reads the /etc/sysconfig/iptables file and starts up the firewall based upon the rules there.
    Hmmm, I didn't bother to look. I stand corrected.

  6. #6
    Lazydog
    Linux Guru
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Another thing to remember is that the rules are read from top to bottom. The -A (APPEND) flag will place that rule at the bottom of the chain. So in your case all the rules in the INPUT chain will be matched before your new rule is matched, as it will be the last rule in the chain.

    If you are looking to make sure connections from this IP address are dropped before anything else, then you should use the -I (INSERT) flag and add it as such:

    Code:
    # -I takes the chain name first, then the (1-based) position to insert at
    iptables -I INPUT 1 -s 58.218.199.250 -j DROP
    This will place the rule at the top of the chain as the first rule.

    Regards
    Robert

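To make the ordering point concrete for the OP's script in post #1 and the -I fix in post #6, here is an added example (not code from the thread): a tiny first-match simulator that parses only the iptables flags used above, replays the OP's commands, and shows that with -A a packet from the blocked IP to port 80 still hits the port-80 ACCEPT first, while the inserted rule drops it. The packet dicts and the 203.0.113.5 client address are constructed.

```python
# Added example, not from the forum posts: a minimal first-match simulator for the
# INPUT chain that understands only -F, -P, -A, -I [pos], -s, -p, --dport, -i, --state, -j.
import shlex

def parse(cmd):
    argv = shlex.split(cmd)[1:]                         # drop the leading "iptables"
    op = {"action": argv[0], "chain": argv[1] if len(argv) > 1 else None,
          "pos": 0, "match": {}, "target": argv[2] if argv[0] == "-P" else None}
    i = 2
    if op["action"] == "-I" and len(argv) > 2 and argv[2].isdigit():
        op["pos"], i = int(argv[2]) - 1, 3              # "-I INPUT 1": positions are 1-based
    while op["action"] in ("-A", "-I") and i < len(argv):
        flag, val = argv[i], argv[i + 1]
        if flag == "-j":
            op["target"] = val
        elif flag == "--state":
            op["match"]["state"] = set(val.split(","))
        elif flag != "-m":                              # "-m state" only enables --state
            op["match"][flag] = val                     # -s, -p, --dport, -i
        i += 2
    return op

def build(commands):
    chain, policy = [], {}                              # INPUT chain rules, per-chain policy
    for op in map(parse, commands):
        if op["action"] == "-F":
            chain.clear()
        elif op["action"] == "-P":
            policy[op["chain"]] = op["target"]
        elif op["chain"] == "INPUT":
            chain.insert(op["pos"], op) if op["action"] == "-I" else chain.append(op)
    return chain, policy

KEYS = {"-s": "src", "-p": "proto", "--dport": "dport", "-i": "iface"}
def verdict(commands, pkt):
    chain, policy = build(commands)
    for r in chain:                                     # top to bottom; first match decides
        m = r["match"]
        if (all(pkt[KEYS[f]] == v for f, v in m.items() if f != "state")
                and pkt["state"] in m.get("state", {pkt["state"]})):
            return r["target"]
    return policy.get("INPUT", "ACCEPT")                # nothing matched: default policy

# The OP's script with -A for the DROP: the port-80 ACCEPT sits above it in the chain.
OP_RULES = ["iptables -F", "iptables -A INPUT -p tcp --dport 22 -j ACCEPT",
            "iptables -A INPUT -p tcp --dport 80 -j ACCEPT",
            "iptables -A INPUT -s 58.218.199.250 -j DROP", "iptables -P INPUT DROP",
            "iptables -A INPUT -i lo -j ACCEPT",
            "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
# Lazydog's fix: insert the DROP at position 1 once the rest of the chain is in place.
FIXED_RULES = OP_RULES + ["iptables -I INPUT 1 -s 58.218.199.250 -j DROP"]
BLOCKED_HTTP = {"src": "58.218.199.250", "proto": "tcp", "dport": "80", "iface": "eth0", "state": "NEW"}
```

verdict(OP_RULES, BLOCKED_HTTP) returns "ACCEPT" and verdict(FIXED_RULES, BLOCKED_HTTP) returns "DROP"; the same check on the real box is iptables -L INPUT -v -n --line-numbers, which shows the rule order the kernel actually uses.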
