Firewall configuration GUI/TUI tool (recommended for new users)
The system-config-firewall command is a graphical user interface for setting basic firewall rules. You need to have KDE or GNOME installed on the system. Open a terminal and type the following command as the root user:
# system-config-firewall
Sample outputs:
Select services such as WWW, SSH and HTTPS to open those ports for everyone, then click the Apply button. The tool writes the resulting rules to /etc/sysconfig/iptables, as shown in the sample file below:
(Figure: sample RHEL / CentOS Linux /etc/sysconfig/iptables file generated by the tool)
A note about the text-based config tool (recommended for remote servers with SSH access)
The system-config-firewall-tui command is a text-based tool that works without a GUI installed on the server:
# system-config-firewall-tui
Sample outputs:
(Figure: system-config-firewall-tui in action)
Select Enabled and press Tab to select "Customization":
Scroll up/down and select SSH, WWW, Secure WWW (HTTPS) and any other ports you wish to open. Select the Close button, then press the OK button to activate the new firewall settings.
Type the following iptables commands as the root user to open ports 80 and 443:
## open port 80 and 443 for everyone ##
/sbin/iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
## save newly added firewall rules (writes /etc/sysconfig/iptables) ##
/sbin/service iptables save
## verify new firewall settings ##
/sbin/iptables -L -n -v
/sbin/iptables -L INPUT -n -v
/sbin/iptables -L INPUT -n -v | grep :80
/sbin/iptables -L INPUT -n -v | grep :443
The following rules allow access to ports 80 and 443 only from 192.168.1.0/24:
## Find an appropriate network block and network mask representing the
## machines on your network which should operate as clients of the Apache web server.
## Open port 80 and 443 for the 192.168.1.0/24 subnet only ##
/sbin/iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 443 -j ACCEPT
## save newly added firewall rules (writes /etc/sysconfig/iptables) ##
/sbin/service iptables save
## verify new firewall settings ##
/sbin/iptables -L -n -v
/sbin/iptables -L INPUT -n -v
/sbin/iptables -L INPUT -n -v | grep :80
/sbin/iptables -L INPUT -n -v | grep :443
You can block (drop) traffic from the IP address 202.54.1.1 or the subnet 202.54.1.2/29 as follows using iptables:
## Block access to port 80 ##
## Insert (-I) at the top of the INPUT chain: iptables stops at the first
## matching rule, so a DROP appended (-A) after the ACCEPT rules for port
## 80/443 above would never be reached. ##
## Note: iptables masks the host bits, so 202.54.1.2/29 is stored as
## 202.54.1.0/29 and matches 202.54.1.0 through 202.54.1.7. ##
iptables -I INPUT -s 202.54.1.1 -p tcp --dport 80 -j DROP
iptables -I INPUT -s 202.54.1.2/29 -p tcp --dport 80 -j DROP
## block and drop access to port 443 (secure apache web-server) ##
iptables -I INPUT -s 202.54.1.1 -p tcp --dport 443 -j DROP
iptables -I INPUT -s 202.54.1.2/29 -p tcp --dport 443 -j DROP
## save newly added firewall rules (writes /etc/sysconfig/iptables) ##
/sbin/service iptables save
## verify new firewall settings ##
/sbin/iptables -L -n -v
/sbin/iptables -L INPUT -n -v | grep 202.54.1.1
## remove the port 80 block for 202.54.1.1 again: the -D rule specification
## must match the existing rule exactly (same -s, -p and --dport) ##
iptables -D INPUT -s 202.54.1.1 -p tcp --dport 80 -j DROP
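Putting the three rule sets above together, as an added example that is not from this tutorial: a POSIX shell function that renders them in the /etc/sysconfig/iptables (iptables-restore) format with the DROP rules placed ahead of the ACCEPT rules, plus a check that no DROP is shadowed by an earlier ACCEPT. The allowed subnet and blocked sources are the tutorial's sample addresses; the lo, ESTABLISHED and SSH rules are my assumptions about a usable baseline, and nothing is loaded into the kernel.

```shell
#!/bin/sh
# Added example, not the tutorial's own code: render the tutorial's rules as an
# /etc/sysconfig/iptables (iptables-restore) file and check rule order.
# Sample subnet and blocked sources below are constructed values; nothing is
# loaded into the kernel, the text is only printed for review.

# gen_web_rules ALLOWED BLOCKED
#   ALLOWED : subnet allowed to open new connections to 80/443
#   BLOCKED : space-separated sources to DROP on 80/443 (may be empty)
gen_web_rules() {
    allowed=$1
    blocked=$2
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Keep SSH reachable: the tutorial assumes remote administration over SSH.
    printf '%s\n' '-A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT'
    # DROP rules go first: iptables stops at the first matching rule, so a
    # DROP appended after an ACCEPT for the same port would never be reached.
    for src in $blocked; do
        for port in 80 443; do
            printf '%s\n' "-A INPUT -s $src -p tcp --dport $port -j DROP"
        done
    done
    for port in 80 443; do
        printf '%s\n' "-A INPUT -s $allowed -m state --state NEW -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# rule_order_ok RULES_TEXT : succeed (0) when every DROP line comes before the
# first ACCEPT for port 80 or 443, fail (1) when a DROP is shadowed.
rule_order_ok() {
    first_accept=$(printf '%s\n' "$1" | grep -n -E -e '--dport (80|443) -j ACCEPT' | head -n 1 | cut -d: -f1)
    last_drop=$(printf '%s\n' "$1" | grep -n -e '-j DROP' | tail -n 1 | cut -d: -f1)
    if [ -z "$last_drop" ] || [ -z "$first_accept" ]; then
        return 0
    fi
    [ "$last_drop" -lt "$first_accept" ]
}

# Stand-alone use: print the rule file for the tutorial's sample addresses and
# report the ordering check.
rules=$(gen_web_rules 192.168.1.0/24 "202.54.1.1 202.54.1.2/29")
printf '%s\n' "$rules"
if rule_order_ok "$rules"; then echo "rule order OK"; else echo "DROP shadowed by ACCEPT"; fi
```

The printed text can be reviewed and then loaded with iptables-restore, or compared against the file that system-config-firewall wrote.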