Red Hat firewall for dummies

Peter Lorenzen
04/10-2011

Sometimes I need to open a port in the local firewall on a Linux box. Until now I have relied on the lokkit command or, if a GUI is available, system-config-securitylevel.

I recently had some situations where lokkit was not working, so I decided to dig a little deeper.

I think configuring firewall rules can be rather complex. I only need to open or close a single port, so what follows is just enough to get by 🙂

The default firewall on Red Hat is called iptables.

To check whether the iptables kernel module is loaded (the lsmod check only tells you the module is present, not that any rules are in place; service iptables status shows whether the service has loaded a rule set):

lsmod | grep ip_tables

To start or stop the iptables service:

service iptables start
service iptables stop
 

List all rules

iptables -n -L

The -n option makes iptables print addresses and ports numerically. Without it, port numbers are mapped to the service names found in /etc/services, and addresses may be resolved via DNS. Ports like 7001 and 8001, which are often used for WebLogic, will for example be listed as afs3-callback and vcom-tunnel. This can be a bit confusing.

List the rules in the INPUT chain, i.e. the chain for incoming traffic:

iptables -L INPUT -n

Here is an example:
[screenshot: iptables1]

The INPUT chain jumps to RH-Firewall-1-INPUT, which is the chain that actually holds the rules:
[screenshot: iptables2]

Append a rule to allow incoming traffic on port 8002:

iptables -A RH-Firewall-1-INPUT -p tcp --dport 8002 -j ACCEPT

Now it looks like this:
[screenshot: iptables3]

There is a problem though. Rules are evaluated top to bottom and the first match decides, and since -A appended the new rule at the bottom, it sits after the catch-all REJECT rule that rejects all remaining traffic on all protocols. The new rule is therefore never reached, and the port is still closed. We need to place the rule higher up in the chain.

Note also that rules added with iptables on the command line live only in memory. They are gone after a reboot or a service iptables restart unless you run service iptables save, which writes the current rule set to /etc/sysconfig/iptables.

To delete the rule and insert it again as the first rule in the chain (iptables -L RH-Firewall-1-INPUT -n --line-numbers shows the rule numbers, which is useful when choosing a position):

iptables -D RH-Firewall-1-INPUT -p tcp --dport 8002 -j ACCEPT
iptables -I RH-Firewall-1-INPUT 1 -p tcp --dport 8002 -j ACCEPT
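The open-a-port procedure above as one script, added here as an example; it is not code from the original post. Rather than hard-coding position 1, it reads the chain with --line-numbers and inserts the ACCEPT rule directly above the first REJECT (or DROP) rule, and it refuses to add a second copy of a rule that is already present, since iptables happily appends duplicates. The chain name, the DRY_RUN switch and the DRY_RUN_LISTING hook for feeding it a canned listing are this example's own assumptions.

```bash
#!/bin/bash
# Added example (not from the original post): open a TCP port in the
# RH-Firewall-1-INPUT chain by inserting the ACCEPT rule directly above the
# chain's catch-all REJECT rule, and refuse to add a duplicate rule.
# Assumptions (not stated on the page): the RHEL 5 style chain name below,
# `iptables -L <chain> -n --line-numbers` output, and root when not dry-running.

CHAIN="RH-Firewall-1-INPUT"

# Current listing of the chain. When DRY_RUN_LISTING is set, that canned
# text is used instead, so the logic can be exercised without root.
list_chain() {
    if [ -n "${DRY_RUN_LISTING:-}" ]; then
        printf '%s\n' "$DRY_RUN_LISTING"
    else
        iptables -L "$CHAIN" -n --line-numbers
    fi
}

# Rule number of the first REJECT or DROP in a listing, or 0 if there is none.
# A rule inserted at that number lands just above the catch-all.
first_reject_rule() {
    n=$(printf '%s\n' "$1" | awk '$2 == "REJECT" || $2 == "DROP" { print $1; exit }')
    printf '%s\n' "${n:-0}"
}

# Succeeds if the listing already has an ACCEPT for TCP destination port $2.
# Only single-port rules (dpt:N) are recognised, not multiport lists.
port_already_open() {
    printf '%s\n' "$1" | grep -Eq "^[0-9]+ +ACCEPT +tcp .*dpt:$2( |\$)"
}

# Print the iptables command that opens TCP port $1 and, unless DRY_RUN is
# set, run it. Exit status 0 when a rule was added (or would be), 2 when the
# port is already open.
open_tcp_port() {
    port="$1"
    listing=$(list_chain)
    if port_already_open "$listing" "$port"; then
        echo "tcp/$port is already accepted in $CHAIN" >&2
        return 2
    fi
    pos=$(first_reject_rule "$listing")
    if [ "$pos" -gt 0 ]; then
        set -- iptables -I "$CHAIN" "$pos" -p tcp --dport "$port" -j ACCEPT
    else
        # No catch-all REJECT/DROP in the chain, so appending is safe.
        set -- iptables -A "$CHAIN" -p tcp --dport "$port" -j ACCEPT
    fi
    printf '%s\n' "$*"
    if [ -z "${DRY_RUN:-}" ]; then
        "$@"
    fi
}

# Usage: ./open_port.sh 8002   (DRY_RUN=1 ./open_port.sh 8002 only prints the command)
if [ -n "${1:-}" ]; then
    open_tcp_port "$1"
fi
```

Run it as root; with DRY_RUN=1 it only prints the command it would run, which is a cheap way to check where the rule will land before touching a production box. The script only changes the in-memory rule set and does not save anything.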

Now it looks better:
[screenshot: iptables4]

To open a range of ports, or a list of individual ports, using the multiport match (a plain --dport 9001:9005 also accepts a range; multiport is what allows the comma-separated list). The rules are inserted at positions 2 and 3 so they stay above the catch-all REJECT:

iptables -I RH-Firewall-1-INPUT 2 -p tcp -m multiport --dports 9001:9005 -j ACCEPT
iptables -I RH-Firewall-1-INPUT 3 -p tcp -m multiport --dports 8887,8888,8889 -j ACCEPT

To delete them again (the -D rule specification has to match the rule exactly as it was added, including the multiport match):

iptables -D RH-Firewall-1-INPUT -p tcp -m multiport --dports 9001:9005 -j ACCEPT
iptables -D RH-Firewall-1-INPUT -p tcp -m multiport --dports 8887,8888,8889 -j ACCEPT
