--- Sjoerd Hooft's InFormation Technology ---
Red Hat Firewall

There are two ways to modify the firewall on a Red Hat box, and they are not compatible with each other: the tooling (mostly the graphical tool) and editing the config file by hand. Once you pick one, stick with it: a change made directly in the config file won't be picked up by the tool. So if you're working with multiple people on a server, make sure to document or discuss this! On this page I'll discuss the graphical tool versus manually modifying the config files. If you work with the tooling you can also use the iptables command; for more information about that, look here.

The Graphical Tool

You can start the tool in two ways: from a command prompt using the system-config-firewall command, or by going to System → Administration → Firewall. When you start the tool, you first get a warning that tells you the same thing as above:
[Screenshot: redhatfirewall01.jpg]

As explained in the warning, you can do a simple setup in this tool. For example, enabling a few extra services:
[Screenshot: redhatfirewall02.jpg]

Or blocking ICMP (ping) requests:
[Screenshot: redhatfirewall03.jpg]

When you're done, click Apply to make the changes effective.

Manually

As long as you're doing the basic stuff you're fine with the graphical tool, but on servers without a graphical environment, or for more complex setups, you have to modify the config file by hand.

The firewall on Red Hat is based on iptables, so that's also the name of the service and of the config file. Use the following command to edit the firewall configuration file:

# vim /etc/sysconfig/iptables

This will show you the config file:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp --icmp-type redirect -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp --icmp-type router-advertisement -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp --icmp-type router-solicitation -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp --icmp-type source-quench -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Again, notice the warning at the top of the file: only make changes to this file if you know what you're doing. Also notice that if you configure a custom port for a service, for example port 81 for a webserver, opening the firewall is not enough. You should also add port 81 to the allowed httpd ports in the graphical tool.
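As an added example (not from the original page), a small POSIX shell helper that does the manual edit described above safely: it inserts the ACCEPT rule for a custom port such as 81 before the catch-all REJECT line in the INPUT chain, because a rule placed after that line would never match, and it can verify the ordering afterwards. The function names are my own, the sample config is constructed inline, and the file is assumed to use the layout shown above.

```shell
#!/bin/sh
# Added example, not from the original page. Inserts an ACCEPT rule for a
# custom TCP port into an iptables-save style file (on Red Hat:
# /etc/sysconfig/iptables), just before the catch-all
# "-A INPUT -j REJECT ..." line, so the new rule is not shadowed by it.
# Assumes the file uses the layout shown above; function names are my own.

CATCHALL='-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Write a constructed sample config (same shape as the page's file) to $1.
write_sample_config() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# open_tcp_port FILE PORT: add the rule (idempotent); fails on a bad port
# or when the catch-all REJECT that the rule must precede is missing.
open_tcp_port() {
    file="$1"; port="$2"
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    rule="-A INPUT -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT"
    grep -qxF -- "$rule" "$file" && return 0          # already present
    grep -qxF -- "$CATCHALL" "$file" || { echo "no catch-all REJECT in $file" >&2; return 1; }
    awk -v rule="$rule" -v catchall="$CATCHALL" '
        $0 == catchall && !done { print rule; done = 1 }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# rule_before_catchall FILE PORT: succeed only if the ACCEPT rule for PORT
# appears earlier than the INPUT catch-all, i.e. it would actually take effect.
rule_before_catchall() {
    acc=$(grep -nF -- "--dport $2 -j ACCEPT" "$1" | head -n1 | cut -d: -f1)
    rej=$(grep -nxF -- "$CATCHALL" "$1" | head -n1 | cut -d: -f1)
    [ -n "$acc" ] && [ -n "$rej" ] && [ "$acc" -lt "$rej" ]
}
```

After editing the real /etc/sysconfig/iptables this way, the service still has to be restarted as described on this page for the rule to become active.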

Note that after making a change you have to restart the firewall for it to take effect, like this:

[root@localhost ~]# service iptables restart
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
iptables: Loading additional modules: nf_conntrack_ftp     [  OK  ]

Disabling The Firewall

It's not recommended, of course, but you can also stop or completely disable the firewall.

Stop the Firewall

You can stop the firewall by stopping the iptables service:

[root@localhost ~]# service iptables stop
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]

Disable the Firewall

You can disable the firewall (so it won't start after a reboot) like this:

[root@localhost ~]# chkconfig iptables off

And check the result like this:

[root@localhost ~]# chkconfig | grep ipt
iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off

Enable and Start the Firewall

And to enable and start it again:

[root@localhost ~]# chkconfig iptables on
[root@localhost ~]# chkconfig | grep ipt
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@localhost ~]# service iptables start
iptables: Applying firewall rules:                         [  OK  ]
iptables: Loading additional modules: nf_conntrack_ftp     [  OK  ]
redhatfirewall.txt · Last modified: 2021/09/24 00:25 (external edit)