Firewall Configuration in Linux in Centos 6.2
-
@thanksajdotcom I need to configure basic firewall in Linux OS and to test the ports are working from the WAN to LAN after configuring the firewall.This is my objective
-
This is what we need:
cat /etc/sysconfig/iptables -
@Lakshmana said:
@StrongBad How to do a block diagram for designing the Firewall?
What is a block diagram?
-
@Lakshmana said:
@StrongBad I did not configured IP table.I need to configure IP table tommorow only.I dont know how to configure Iptable any link anyone provide.
It's not simple. You cannot simple "configure." Please provide us the listing of your current configuration. IPTables is pretty easy, but you have to work with the text file and edit it. So we need to know what you have in order to fix it.
-
@StrongBad It is the diagram to show how the components(firewall) will be connected in a network
-
@Lakshmana said:
@StrongBad It is the diagram to show how the components(firewall) will be connected in a network
What is the purpose, though? You just open or close ports. Why would you use a diagram? I think that you are making something very easy into something very complicated.
-
Here is what a healthy configuration file looks like for CentOS 6. Just use this if what you state as your needs above is all that you need....
Just put this into /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall # Manual customization of this file is not recommended. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT -
Then to make it take effect...
/etc/init.d/iptables restart -
To be clear, this is the default. You would only need to do this if you've altered IPTables already. SSH (22) and ICMP (Ping) are open by default as soon as you install. So someone has broken your system if you need to do this.
-
@StrongBad said:
@Lakshmana said:
@StrongBad It is the diagram to show how the components(firewall) will be connected in a network
What is the purpose, though? You just open or close ports. Why would you use a diagram? I think that you are making something very easy into something very complicated.
Exactly. What is a block diagram? What is it's purpose? How does it prove to be useful to you or someone else? You want to "configure" a firewall, but every business is different. Their needs are different. You need to tell us what ports you need open, what you don't, even what is the purpose of the server, such as a web server or a jump server, etc. You've given us nothing in terms of info but want us to simply tell you how to do something that is not simple when you have no information.
-
There you go, SAM provided a complete configuration. If you apply that, it will completely overwrite anything that you have already. If you want to have us help you keep the server working as it does now but also do what you want, you have to work with us and not ask for block diagrams or other unrelated items. Only your IPTables listing matters. I have no idea what you are imagining that you will accomplish with diagrams, but they don't have a place here.
-
@thanksajdotcom Sorry dont get angry.The server is web server.SMTP,SNMP,POP3,IMAP needs tp be open
-
@Lakshmana said:
@thanksajdotcom Sorry dont get angry.The server is web server.SMTP,SNMP,POP3,IMAP needs tp be open
Whoa, that's very different than what you asked for. If you follow my directions you will blow away your ports and lose all of those services!!
-
@scottalanmiller Thank you Scott.I will try this tommorrow and say about this in detail.Do you have explanation for the above mentioned commands because I understood in less
-
This is why it is important to listen. @strongbad asked you for a copy of your existing configuration so that we could help you. Lacking that, providing what you asked for was the next best thing. But what you asked for would have completely broken the server.
Everyone is trying to help you. When they say that providing your existing IPTables file is necessary for us to help, they are not kidding. It's imperative. Anything else is very dangerous. IPTables is not hard to do, but it is very hard to do blindly.
-
@Lakshmana said:
@thanksajdotcom Sorry dont get angry.The server is web server.SMTP,SNMP,POP3,IMAP needs tp be open
Ok, I'm not angry, but I'm frustrated. What you just gave us was useful. However, we asked several times for the info and you kept not giving it to us. If it's a language barrier, I'm sorry but I was being as simple and plain as possible.
SNMP = 161
SMTP = 25 (unsecured), 465 (secured), 587 (secured)
POP3, = 110 (unsecured), 995 (secured)
IMAP = 143 (unsecured), 993 (secured)Unless you've blocked them in IPTables already, they should be open.
-
CentOS does have a tool for adding ports, but other than pointing you to the tool, it doesn't really let us help you. It's not terribly hard to use, but doing an IPTables edit allows us to completely make the change for you. One of the beauties of text configuration files is that we can completely do the fix, not just tell you where to look.
But if you want to try the TUI, here is the link...
system-config-firewall-tui -
@scottalanmiller Ok Scott.I have not noted the things properly so only the confusion came here.Sorry to one and all
-
@thanksajdotcom said:
@Lakshmana said:
@thanksajdotcom Sorry dont get angry.The server is web server.SMTP,SNMP,POP3,IMAP needs tp be open
Ok, I'm not angry, but I'm frustrated. What you just gave us was useful. However, we asked several times for the info and you kept not giving it to us. If it's a language barrier, I'm sorry but I was being as simple and plain as possible.
SNMP = 161
SMTP = 25 (unsecured), 465 (secured), 587 (secured)
POP3, = 110 (unsecured), 995 (secured)
IMAP = 143 (unsecured), 993 (secured)Unless you've blocked them in IPTables already, they should be open.
They are all blocked by default. Only SSH and ICMP are open by default on CentOS. RHEL / CentOS is secure by default.
-
If you're SSHing into the box, run
cat /etc/sysconfig/iptablesHighlight the output in whatever client you're using to SSH, likely PuTTY, and paste it here. Please. We can't help you without that info.
