Setup and Configure Basic iptables on CentOS 7 Linux system

In this article we will setup and configure Basic iptables on Linux systems (RPM Family “Redhat 7/CentOS 7/Scientific Linux 7”). This is the first step every experienced sysadmin must do Just after finishing installing the Linux OS “any member in any Family of Linux systems”. I’ll go and configure the iptables rules on RPM Linux Family releases 7 “CentOS 7”.

In RPM Linux Family release 7 iptables firewall is not the default firewall, instead of it Redhad/CentOS is using Firewalld as the default firewall in any installation type “Minimal installation, Server installation, Server with GUI installation, etc..”. This require us to install additional package and disable the exiting firewalld on Redhat 7 / CentOS 7 / Scientific Linux 7 Linux systems.

We will learn how to configure iptables for basic usage. Set the default chain policy for INPUT, OUTPUT, and FORWARD chains. We will learn how to start, stop, flush and restart the service, how to secure CentOS 7 after the installation process, and how to save our rules for loading it at Boot time “make a persistent rule”.

So, Let’s start.

What is Iptables?

Iptables is an administration tool for IPv4 packet filtering and NAT. It’s a simple, a fast, and a powerful firewall installed on most Linux distributions. It’s a tool to secure, filter out, and block Internet traffic from accessing your Linux OS.

Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

We will focus on the use of the default table “filter table”. All our rules in this article will be in this table. It contains the built-in chains INPUT, FORWARD, and OUTPUT. Here’s their definitions:

INPUT: Packets is going to be locally delivered “accepted by Linux OS”.
FORWARD: Packets being routed through the box “send to another interface”. Usually used when you setup Linux as router.
OUTPUT: Packets sent from the machine itself will be visiting this chain.

A firewall rule specifies criteria for a packet and a target. If the packet does not match one rule, the next rule in the chain will be examined; if it does match,then the packet’s target will be checked to determine what action will be taken to that packet. I’ll use three targets ACCEPT, DROP, and REJECT. Here’s their definitions:

ACCEPT means to let the packet through.
DROP means to drop the packet on the floor, and do not send any response.
REJECT means to drop the packet on the floor, and send a message as a response.

Step 1: Installing the required Linux packages

Iptables is not the default firewall in RPM Linux family release 7, so we need to disable the existing firewalld “if exists”. Run the following command to check the status of firewalld service:

# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
 Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
 Active: active (running) since Sun 2016-07-03 15:12:09 EET; 39min ago
 Main PID: 909 (firewalld)
 CGroup: /system.slice/firewalld.service
 └─909 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

From the above check we notice that firewalld is installed, and enabled by default, now run the following commands to stop, and disable firewalld service:

# systemctl stop firewalld.service
# systemctl disable firewalld.service

Now, we need to install, enable, and start iptables services on CentOS 7. Run the following commands:

# yum -y install iptables-services.x86_64
# systemctl enable iptables.service
# systemctl start iptables

At this point, we successfully installed, enabled, and started iptables on RPM Linux family release 7 “CentOS 7”, let’s proceed with some administrative commands.

Step 2: Iptables Administrative Commands

In this section, we will learn how to manage iptables service. Iptables service is managed via systemd system and service manager. So, we will use the systemctl command “which control the systemd system and service manager” to manage iptables with the following options (start|stop|reload|restart|condrestart|status), and will use the service command “which run a System V init script” to manage iptables with those two options (panic|save). Later we will use the command iptables “found in this location /usr/sbin/iptables ” to configure the iptables rules.

Option start is used to start the iptables service. This will apply all rules in /etc/sysconfig/iptables. To start the iptables service, run the following command:

# systemctl start iptables

Option stop is used to stop iptables service. This will remove all applied firewall rules, and will set the default policy for INPUT, FORWARD, and OUTPUT chains to ACCEPT. Your machine will be accessible on all running ports. To stop the iptables service, run the following command:

# systemctl stop iptables

Option reload will reload the currently persistent iptables rules found in /etc/sysconfig/iptables. To reload the iptables service, run the following: command:

# systemctl reload iptables

Option restart will restart iptables if it already running or will start iptables if it’s not running. To restart the iptables service, run the following:

# systemctl restart iptables

Option condrestart will restart iptables service if and only if the service is already running. To condrestart the iptables service, run the following:

# systemctl condrestart iptables

Option status will return the status of the service, does it enabled, running, and since when does the service UP. To show the status of the iptables service, run the following:

# systemctl status iptables

Hints:
1. For the next two options "panic, and save", I'll use service command to manage them, as they do not exist with systemctl.
2. You can manage all iptables service's options with service command, but I as systemctl is the default service manager in CentOS 7, I only will use service in a very limited situations.

Option panic will set all chains to DROP policy. This is useful in cases when your machine is under attack. This will DROP every incoming packets “established, and new”, every forwarded, and ever outgoing packets of course it will DROP your SSH connection. To panic the iptables service, run the following:

# service iptables panic

Option save will save currently applied (including manually applied rules through cli) iptables rules to /etc/sysconfig/iptables configuration file, making it persistent. To save your currently applied iptables rules, run the following:

# service iptables save
 iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]

At this point you can deal with iptables service as you wish “start, stop, reload, etc..”. But there is some practical Hints you must be aware with when dealing with some of the above options.

Hints:
1. Reload, and Restart options will only apply the rules found in /etc/sysconfig/iptables "persistent rules" any non-persistent iptables rules "applied from cli using the iptables command" will not be applied.
2. Panic is very dangerous as it forces all chains policy to be DROP, it removes all applied rules, and closes all established connections to/from your server. You Must only run this command if and only if you are able to access your physical machine "connected through a native terminal device tty". If you are connected remotely to your machine "connected through pseudo terminal device pty i.e using any remote terminal program xterm, screen, or ssh", You will lose the connection to you server.

Step 3: A Look at the default applied iptables rules

Now, after we introduced how to manage the iptables service, it’s time to secure your CentOS 7 box. Let’s take a look at the default applied rules found in /etc/sysconfig/iptables.

# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

From the above output, we see that the existing rules applied for filter table, and the default policy is ACCEPT for the three chains INPUT, FORWARD, and OUTPUT. You may have this question in your mind Because the default policy is ACCEPT for all chains, so any new connection to my box is allowed?. The answer is ” NO “. Only SSH, and ICMP connections are allowed by default, take a look again to the above file, you will notice existence of the last INPUT rule ” -A INPUT -j REJECT –reject-with icmp-host-prohibited ” this rule will reject all connections not allowed in any rule above it with one message “connect to address <your server address>: No route to host”.

Let’s show an example, I’ll telnet from my laptop to port 25 “smtp” on my server. I didn’t open this port in any rule, and according to my explanation this connection will be rejected. run the following command:

$ telnet 192.168.12.45 25
Trying 192.168.12.45...
telnet: connect to address 192.168.12.45: No route to host

The connection is rejected with “connect to address <your server address>: No route to host” message. If we changed the last INPUT rule to be “-A INPUT -j DROP “, and restarted the iptables service, then we run the telnet command again, we will not receive any message from the server, and the telnet will be always in trying state as follow:

$ telnet 192.168.12.45 25
Trying 192.168.12.45...

Step 4: Changing the default policy, and securing your Linux Box

Now. it’s time for securing your box, but because most of sysadmins are connecting remotely to their servers, I STRONGLY RECOMMEND TO ADD A CRON JOB TO STOP THE IPTABLES SERVICE EVERY 10 MINUTES WHILE YOU ARE WORKING. This to avoid loosing the connections to your server if you put a wrong iptables rule “only you will wait 10 minutes to gain access again”, run the following command to add the cronjob rule:

# crontab -e

And then add this cronjob and save the file:

*/10 * * * * /usr/bin/systemctl stop iptables

Now, we safely start securing our CentOS 7 box, first of all we can either use iptables command to modify the iptables rules, all added rules will be gone when the system boots “because the added rules are non-persistent”, and this will require us to run “service iptables save” when we finish to make the added rules persistent OR Go directly and edit “/etc/sysconfig/iptables” file, this will require us to run “systemctl restart iptables” to apply the added/modified iptables rules. Personally I prefer modifying the iptables file. So, let’s modify it to be like this one

# vim /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
COMMIT

Here’s what I did in the above file. First I changed the default INPUT, and FORWARD chain policy to DROP. This will drop any INPUT, and FROWARD packets that do not have any iptables rule allowing it. When any new packet is delivered to the INPUT or FORWARD chain, it will be checked against the existing iptables rules, if no match found the packet will be dropped “because of the default policy”. We only allow three iptables rules for incoming packets. We allow all established, and related packets exist before applying the new rules. Also, We allow packets generated from the local interface. Finally, We allow external packets for port 22 “packets for SSH service to be able to remotely manage the box”.

Any other packets not defined in the existing three rules, will be dropped. And this is the Basic iptables configuration for securing your Linux box.

Now, let’s apply those iptables rules, as we edited “/etc/sysconfig/iptables” file, we need to reload/restart the iptables service. Run the following command:

# systemctl restart iptables

Hints:
1. The iptables command has option -F, --flush [chain], this will flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.
2. Do not run this command "iptables -F " using the above configuration, as this will remove all the applied iptables rule, and any new packets will be matched against the default chain policy, which is DROP for INPUT, and FORWARD chain. You will lose the SSH connection to your box. But if you can access your machine's console "connected through a native terminal device tty", you can run it. Anyway you can go and try it, as we have a cronjob that stop iptables every 10 minutes.
3. If you are using the iptables command to edit the iptables rule, to make your rules persistent run this command "service iptables save"

Finally, If everything is well “you did not lose the SSH connection to your server”, we need to remove the cronjob, we created previously. Run the following command to remove the cronjob rule:

# crontab -e

And then remove/comment out this cronjob you created previously, save the file, and exit. Also make sure that iptables service is running after removing the cronjob, run the following command again:

# systemctl restart iptables

Summary

In this article we have explained the meaning of iptables, also we have showed the default table “filter” and it’s three chains “INPUT, FORWARD, and OUTPUT” and their default installation policies “ACCEPT”. We showed you how to control the iptables service “i.e start, stop, restart, etc…” using a mix of systemctl, and service commands. We did our changes to secure our Linux box by direct modify “/etc/sysconfig/iptables” file. we mentioned one tip to use to avoid losing connections to your server if something wrong happened.

I hope this article is good enough for you.
See you in other articles.