2.3. IPTables Configuration

Edits to the iptables configuration can be made directly to /etc/sysconfig/iptables. To apply the edited rules, restart iptables with the command service iptables restart.
Required Config Lines

| Complete | Requirement | Action  | Config                                                                                          |
|----------|-------------|---------|-------------------------------------------------------------------------------------------------|
|          | Must        | Set     | *filter :INPUT DROP [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] [17]                       |
|          | Should      | Set     | -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT [18]                                    |
|          | Should      | Set     | -A INPUT -p icmp -j ACCEPT [19]                                                                 |
|          | May         | Set     | -A INPUT -i lo -j ACCEPT [20]                                                                   |
|          | Must        | Set     | -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j REJECT [21]                         |
|          | Must        | Set     | -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j REJECT [22]      |
|          | Must        | Set     | -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j REJECT [23]                  |
|          | Must        | Set     | -A INPUT -p tcp --tcp-flags FIN,SYN FIN,SYN -j REJECT [24]                                      |
|          | Must        | Set     | -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j REJECT [25]                                      |
|          | Must        | Set     | -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j REJECT [26]                                      |
|          | Must        | Set     | -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j REJECT [27]                                          |
|          | Must        | Set     | -A INPUT -p tcp --tcp-flags PSH,ACK PSH -j REJECT [28]                                          |
|          | Must        | Set     | -A INPUT -p tcp --tcp-flags ACK,URG URG -j REJECT [29]                                          |
|          | Should      | Use     | -A INPUT -p tcp -m tcp --dport $PORT -j ACCEPT [30]                                             |
|          | Should      | Use     | -A INPUT -p udp -m udp --dport $PORT -j ACCEPT [31]                                             |
|          | Should      | Use     | -A INPUT -p tcp -m tcp -s $IPADDRESS/$NETMASK --dport $PORT -j ACCEPT [32]                      |
|          | Should      | Use     | -A INPUT -p udp -m udp -s $IPADDRESS/$NETMASK --dport $PORT -j ACCEPT [33]                      |
|          | Should      | Set     | -A INPUT -j LOG --log-prefix "FW-REJECT " [34]                                                  |
|          | Must        | Set     | -A INPUT -j REJECT --reject-with icmp-host-prohibited [35]                                      |
|          | Should not  | Use     | -j DROP [36]                                                                                    |
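To make the nine flag rules concrete, the following is an added Python simulation (not part of this guide) of how iptables evaluates --tcp-flags MASK COMP: of the flags named in MASK, exactly those in COMP must be set, and flags outside MASK are ignored. The names FLAG_RULES, tcp_flags_match and first_rejecting_rule are chosen for this example, and the packet flag sets it checks are constructed.

```python
# Added example (not from the guide): simulate iptables' --tcp-flags MASK COMP
# match for the nine flag-combination REJECT rules above. A packet matches a
# rule when, of the flags named in MASK, exactly those in COMP are set;
# flags outside MASK are ignored and COMP "NONE" means none of MASK is set.

# (mask, comp) pairs copied from the "Must Set" flag rules, in chain order.
FLAG_RULES = [
    ("FIN,SYN,RST,PSH,ACK,URG", "NONE"),
    ("FIN,SYN,RST,PSH,ACK,URG", "FIN,SYN,RST,PSH,ACK,URG"),
    ("FIN,SYN,RST,PSH,ACK,URG", "FIN,PSH,URG"),
    ("FIN,SYN", "FIN,SYN"),
    ("SYN,RST", "SYN,RST"),
    ("FIN,RST", "FIN,RST"),
    ("FIN,ACK", "FIN"),
    ("PSH,ACK", "PSH"),
    ("ACK,URG", "URG"),
]


def flagset(spec):
    """Parse an iptables flag list such as 'FIN,SYN'; NONE is the empty set."""
    return frozenset() if spec == "NONE" else frozenset(spec.split(","))


def tcp_flags_match(packet_flags, mask, comp):
    """True when a packet with these flags matches '--tcp-flags MASK COMP'."""
    m, c = flagset(mask), flagset(comp)
    if not c <= m:
        raise ValueError("COMP must be a subset of MASK")
    return (frozenset(packet_flags) & m) == c


def first_rejecting_rule(packet_flags):
    """Index of the first flag rule that rejects the packet, or None if the
    packet passes all nine and reaches the port ACCEPT rules further down."""
    for i, (mask, comp) in enumerate(FLAG_RULES):
        if tcp_flags_match(packet_flags, mask, comp):
            return i
    return None


if __name__ == "__main__":
    # Constructed flag sets: handshake, data and close segments pass; the
    # undefined combinations are caught by the rule whose index is printed.
    samples = [("SYN", {"SYN"}), ("SYN,ACK", {"SYN", "ACK"}),
               ("FIN,ACK", {"FIN", "ACK"}), ("no flags", set()),
               ("FIN,PSH,URG", {"FIN", "PSH", "URG"}), ("FIN alone", {"FIN"})]
    for name, flags in samples:
        print(f"{name:12} -> rejected by rule {first_rejecting_rule(flags)}")
```

Note that a FIN carrying ACK (a normal connection close) passes rule [27], while a bare FIN does not; that asymmetry is exactly what the MASK/COMP pair encodes.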

2.3.1. Suggested /etc/sysconfig/iptables configuration

The configuration below accepts inbound SSH connections on TCP port 22, and logs and rejects all other new inbound traffic.

# Firewall configuration written by system-config-firewall
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j REJECT
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j REJECT
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j REJECT
-A INPUT -p tcp --tcp-flags FIN,SYN FIN,SYN -j REJECT
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j REJECT
-A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j REJECT
-A INPUT -p tcp --tcp-flags FIN,ACK FIN -j REJECT
-A INPUT -p tcp --tcp-flags PSH,ACK PSH -j REJECT
-A INPUT -p tcp --tcp-flags ACK,URG URG -j REJECT

# Add enabled ports here
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

# Log and reject everything else
-A INPUT -j LOG --log-prefix "FW-REJECT "
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

[17] These must be the first four lines of the file.
[18] Disabling will break many network protocols, like TCP. Disable this rule only if you know what you are doing.
[19] Disable for more security, but understand that doing so creates more difficulty in network troubleshooting.
[20] Allow all localhost activity. Generally a good idea, so do not disable this unless you know what you are doing.
[21] The combination of these TCP flags is not defined. Accepting packets so marked may cause unexpected results.
[22] The combination of these TCP flags is not defined. Accepting packets so marked may cause unexpected results.
[23] The combination of these TCP flags is not defined. Accepting packets so marked may cause unexpected results.
[24] The combination of these TCP flags is not defined. Accepting packets so marked may cause unexpected results.
[25] The combination of these TCP flags is not defined. Accepting packets so marked may cause unexpected results.
[26] The combination of these TCP flags is not defined. Accepting packets so marked may cause unexpected results.
[27] The combination of these TCP flags is not defined. Accepting packets so marked may cause unexpected results.
[28] The combination of these TCP flags is not defined. Accepting packets so marked may cause unexpected results.
[29] The combination of these TCP flags is not defined. Accepting packets so marked may cause unexpected results.
[30] This rule opens specific TCP ports to the world. When using this example, replace $PORT with a TCP port number such as 80 for HTTP traffic.
[31] This rule opens UDP ports to the world. When using this example, replace $PORT with a UDP port number such as 161 for SNMP traffic.
[32] This rule opens TCP ports to specific hosts or networks. Using an IP address without a netmask is proper. If a network address is defined, the netmask is required. When using this example, replace $PORT with a TCP port number such as 80 for HTTP traffic.
[33] This rule opens UDP ports to specific hosts or networks. Using an IP address without a netmask is proper. If a network address is defined, the netmask is required. When using this example, replace $PORT with a UDP port number such as 161 for SNMP traffic.
[34] This must be the second-to-last rule in the INPUT chain, immediately before the final REJECT.
[35] This must be the last rule in the INPUT chain.
[36] The DROP target violates some known standards and makes troubleshooting more difficult. The security added is debatable.