How To Setup Iptables Firewall For A Web Server On CentOS

by lifeLinux on March 7, 2013

I have set up a web server using Apache on CentOS. How do I configure a firewall with iptables to allow or block access to the web server on CentOS? In this tutorial I will show you how to do it.

What is iptables?

iptables is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores. Different kernel modules and programs are currently used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables for Ethernet frames.

Setting up iptables

Most Linux distributions, including Red Hat and CentOS, install iptables by default. Use the following procedure to verify that iptables is installed. Open a terminal and type the following command:

# iptables -V

Sample outputs:

iptables v1.4.7

To view the package details for iptables, enter:

# yum info iptables

Sample outputs:

Installed Packages
Name        : iptables
Arch        : x86_64
Version     : 1.4.7
Release     : 5.1.el6_2
Size        : 833 k
Repo        : installed
From repo   : anaconda-CentOS-201207061011.x86_64
Summary     : Tools for managing Linux kernel packet filtering capabilities
URL         : http://www.netfilter.org/
License     : GPLv2
Description : The iptables utility controls the network packet filtering code in
            : the Linux kernel. If you need to set up firewalls and/or IP
            : masquerading, you should install this package.
...

If the above output does not appear, type the following command to install iptables:

# yum install iptables -y

Configuration iptables for a web server

The default iptables configuration on CentOS does not allow access to the HTTP (TCP port 80) and HTTPS (TCP port 443) ports used by the Apache web server. You can configure it step by step as follows.

Step 1: Flush or remove all iptables rules

# iptables -F
# iptables -X
# iptables -t nat -F
# iptables -t nat -X
# iptables -t mangle -F
# iptables -t mangle -X

Step 2: Set default rules

# iptables -P INPUT DROP
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT

Step 3: Allow access to HTTP (80) and HTTPS (443)

# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -p icmp -j ACCEPT
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

Turn on and save iptables

Type the following two commands to start the firewall at boot and save the current rules:

# chkconfig iptables on
# service iptables save
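The same ruleset as Steps 1 to 3, as an added example that is not code from the original post: written in iptables-save format and loaded with iptables-restore, which replaces the whole filter table in one atomic step. Typed one by one, the commands above put the INPUT DROP policy in force before any ACCEPT rule exists, which cuts off a remote session; the restore format avoids that window. It assumes (the post does not say) that the host is administered over SSH, so an ACCEPT for that port is included, with the port taken from SSH_PORT (default 22).

```shell
# Added example, not code from the original post: the ruleset of Steps 1-3
# in iptables-save format, loaded atomically with iptables-restore.
# Assumption (not in the post): the host is administered over SSH, so an
# ACCEPT for that port is included; override with SSH_PORT=... if needed.
SSH_PORT="${SSH_PORT:-22}"

# Print the filter table. iptables-restore applies the policies and rules
# together, so there is no moment with "INPUT DROP" in force but no ACCEPT
# rules yet, which is what locks out a remote session when the commands
# are typed one at a time.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport ${SSH_PORT} -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# List the TCP ports that accept NEW connections, one per line: a quick
# review of what the ruleset exposes before it goes live.
list_open_ports() {
    build_rules | sed -n 's/.*--state NEW .*--dport \([0-9][0-9]*\) -j ACCEPT$/\1/p'
}

# Number of such ports (three with the defaults above).
count_open_ports() {
    list_open_ports | grep -c .
}

# Parse-check the ruleset, load it, then persist it with the same command
# the post uses (service iptables save writes /etc/sysconfig/iptables).
apply_rules() {
    build_rules | iptables-restore --test &&
    build_rules | iptables-restore &&
    service iptables save &&
    chkconfig iptables on
}

# Nothing is changed unless the script is invoked as: sh firewall.sh apply
case "${1:-}" in
    apply) apply_rules ;;
esac
```

Run `sh firewall.sh` without arguments to print nothing and change nothing; `list_open_ports` after sourcing the file shows exactly which ports the ruleset admits, and `sh firewall.sh apply` loads and saves it as root.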

Anti SYN flood with iptables

Edit /etc/sysctl.conf to defend against certain types of attacks and append / update as follows:

net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.netfilter.ip_conntrack_max = 1048576

Then add the two rules below. PREROUTING exists only in the nat, mangle and raw tables, not in the default filter table, so the table must be named with -t or the commands fail. The mangle table is used here because it sees every packet; the nat table also works, but it is consulted only for the first packet of each connection.

# iptables -t mangle -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 --syn -m recent --set --name CHECK --rsource
# iptables -t mangle -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 --syn -m recent --update --seconds 5 --hitcount 15 --rttl --name CHECK --rsource -j DROP
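Two checks for this section, as an added example that is not code from the original post: one confirms that the sysctl settings above are really in effect (after `sysctl -p` has loaded /etc/sysctl.conf, or against the output of `sysctl -a`), the other reads the tracking list the recent module keeps for the CHECK rules so you can see which sources are at or over the hit count. It assumes the CentOS 6 path /proc/net/xt_recent/CHECK for that list; the sample inputs are constructed, not captured from a host.

```shell
# Added example, not code from the original post. Two defender-side checks
# for the settings above: confirm the sysctls are in effect, and see which
# sources the "recent" list named CHECK is currently tracking.
# Assumption: on CentOS 6 the list is exposed at /proc/net/xt_recent/CHECK.

# Desired settings from the /etc/sysctl.conf block above, as "key value".
WANTED='net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.tcp_max_syn_backlog 8192
net.ipv4.netfilter.ip_conntrack_max 1048576'

# Read "key = value" lines on stdin (the output of "sysctl -a", or a copy of
# /etc/sysctl.conf) and print every wanted key that is missing or differs.
# Exit status is 1 when anything is off, 0 when all values match.
check_sysctl() {
    awk -v wanted="$WANTED" '
    BEGIN {
        n = split(wanted, lines, "\n")
        for (i = 1; i <= n; i++) { split(lines[i], kv, " "); want[kv[1]] = kv[2] }
    }
    /^[a-z]/ { gsub(/[ \t]/, ""); split($0, kv, "="); have[kv[1]] = kv[2] }
    END {
        bad = 0
        for (k in want) {
            if (!(k in have)) { printf "%s: missing (want %s)\n", k, want[k]; bad = 1 }
            else if (have[k] != want[k]) { printf "%s: is %s, want %s\n", k, have[k], want[k]; bad = 1 }
        }
        exit bad
    }'
}

# A line of /proc/net/xt_recent/CHECK looks like
#   src=A.B.C.D ttl: T last_seen: J oldest_pkt: I J1, J2, ...
# where J1, J2, ... are the jiffies of the packets still held for that source
# (the kernel keeps at most ip_pkt_list_tot of them, 20 by default). The
# number of those timestamps is the hit count the --hitcount test works on.
# Print "source hits" for every source at or above the threshold, most hits
# first. This shows who is being tracked; it does not re-apply the --seconds
# window, which the kernel evaluates per packet.
recent_sources() {
    threshold="${1:-15}"
    awk -v t="$threshold" '
    /^src=/ {
        src = substr($1, 5); hits = 0
        for (i = 1; i <= NF; i++) if ($i == "oldest_pkt:") hits = NF - (i + 1)
        if (hits >= t + 0) printf "%s %d\n", src, hits
    }' | sort -k2,2nr
}

# Constructed sample of a sysctl listing (not from a real host): one value
# differs from WANTED and one key is absent.
SAMPLE_SYSCTL='net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 0
# comment lines and blank lines are ignored
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_max_syn_backlog = 8192'

# Constructed sample of the proc file (not captured from a real host): one
# source over the post's threshold of 15, one well under, one exactly on it.
SAMPLE_RECENT='src=203.0.113.7 ttl: 64 last_seen: 1700016 oldest_pkt: 16 1700001, 1700002, 1700003, 1700004, 1700005, 1700006, 1700007, 1700008, 1700009, 1700010, 1700011, 1700012, 1700013, 1700014, 1700015, 1700016
src=198.51.100.4 ttl: 57 last_seen: 1700320 oldest_pkt: 3 1699900, 1700100, 1700320
src=203.0.113.9 ttl: 64 last_seen: 1700515 oldest_pkt: 15 1700501, 1700502, 1700503, 1700504, 1700505, 1700506, 1700507, 1700508, 1700509, 1700510, 1700511, 1700512, 1700513, 1700514, 1700515'

# Live use:    sysctl -a 2>/dev/null | check_sysctl
#              recent_sources 15 < /proc/net/xt_recent/CHECK
# Sample run:  printf "%s\n" "$SAMPLE_SYSCTL" | check_sysctl
#              printf "%s\n" "$SAMPLE_RECENT" | recent_sources 15
```

On the sample input `check_sysctl` reports the wrong rp_filter value and the missing conntrack limit and exits 1, while `recent_sources 15` lists 203.0.113.7 (16 hits) and 203.0.113.9 (15 hits) and leaves out 198.51.100.4.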


Linux Killer March 9, 2013 at 10:24 pm

Nice Tutorial LifeLinux 😉


yomakata June 5, 2013 at 9:25 am

I’ve tried your last two commands and they failed. I did research and found it’s solved by adding “-t nat”.
