iptables firewall on CentOS 7

From Wiki Hackstore

Requirements

  • systemd
  • CentOS 7
  • iptables-services


Install iptables-services (it provides the iptables and ip6tables units, which load the rule files under /etc/sysconfig)

yum install iptables-services


Disable and stop the native firewalld service. Masking (rather than just disabling) links the unit to /dev/null, so nothing, not even another unit's dependency, can start firewalld again and overwrite the rules loaded by iptables-services

systemctl mask firewalld
systemctl stop firewalld


Enable and start iptables and ip6tables. The iptables unit loads /etc/sysconfig/iptables at boot and on every restart; ip6tables does the same with /etc/sysconfig/ip6tables

systemctl enable iptables
systemctl enable ip6tables
systemctl start iptables
systemctl start ip6tables


Example rules

As a practical example, open only port 80 (web server) to the world and block everything else. Two things to keep in mind before copying it: the sample file shipped by iptables-services accepts SSH on port 22, and this example drops that rule, so if you are working on the box over SSH add an equivalent ACCEPT rule for port 22 before restarting the service or you will lock yourself out; and this file only governs IPv4, so IPv6 traffic is still filtered by /etc/sysconfig/ip6tables, which this example does not change.

vi /etc/sysconfig/iptables

# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Open the web server to the world (listing NEW alone would be enough here,
# since the next rule already accepts ESTABLISHED/RELATED packets of every flow)
-A INPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -m tcp --dport 80 -j ACCEPT
# Replies and related packets of connections the host already accepted or initiated
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ICMP (ping, path MTU discovery) and loopback
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Default deny: everything not matched above is rejected with an ICMP error
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# Never reached: the unconditional REJECT above already consumes every remaining packet
-A INPUT -j DROP
COMMIT


Restart the firewall service to apply the new rules (the unit loads the file with iptables-restore; running `iptables-restore --test < /etc/sysconfig/iptables` first parses the file without committing it and catches syntax errors before the restart):

systemctl restart iptables.service


Check the firewall rules. Note that `iptables -L -n` does not print interface matches, so the `-i lo` rule shows up below as an unconditional ACCEPT; `iptables -S` or `iptables -L -n -v` show the interface:

iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
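The procedure above (edit the file, restart, check) has no safety net: a typo or a forgotten SSH rule only shows up after the restart. The script below is an added example, not code from the Wiki Hackstore page or from iptables-services. It generates the same kind of ruleset from a port list, lints it for the two weaknesses visible in the page's example (a rule placed after an unconditional REJECT, and no rule accepting port 22), and only then would hand it to `iptables-restore --test` and the service. The function names gen_ruleset, lint_ruleset and install_ruleset and the port list are this example's own choices, and the ruleset it lints at the end is a constructed copy of the page's example.

```shell
#!/bin/sh
# Added example, not from the Wiki Hackstore page: build an /etc/sysconfig/iptables
# ruleset from a list of TCP ports and lint it before it reaches iptables-restore.
# gen_ruleset, lint_ruleset and install_ruleset are this example's own names.

# gen_ruleset PORT...: print an iptables-save style ruleset that accepts established
# flows, loopback, ICMP and NEW TCP connections to the given ports, then rejects the
# rest (same shape as the page's example, without the unreachable DROP).
gen_ruleset() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -m state --state NEW -m tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    printf '%s\n' '-A FORWARD -j REJECT --reject-with icmp-host-prohibited'
    printf '%s\n' 'COMMIT'
}

# lint_ruleset FILE: print one line per finding and return 1 if there is any.
# Findings: no COMMIT (iptables-restore would commit nothing), a rule after an
# unconditional ACCEPT/DROP/REJECT in the same chain (never reached), and no rule
# accepting NEW TCP to port 22 (remote lockout when applied over SSH).
lint_ruleset() {
    file=$1
    findings=0
    committed=0
    ssh_ok=0
    dead=""          # chains that already ended in an unconditional terminal rule
    set -f           # no globbing while rule lines are split into words
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;
            COMMIT) committed=1; continue ;;
            '-A '*) ;;
            *) continue ;;           # *filter and :CHAIN POLICY [pkts:bytes] lines
        esac
        set -- $line
        chain=$2
        shift 2
        rest=$*
        case " $dead " in
            *" $chain "*)
                echo "unreachable: $line"
                findings=$((findings + 1)) ;;
        esac
        case $line in
            "-A INPUT "*"--dport 22 "*"-j ACCEPT") ssh_ok=1 ;;
        esac
        case $rest in
            '-j ACCEPT'|'-j DROP'|'-j REJECT'|'-j REJECT --reject-with '*)
                dead="$dead $chain" ;;
        esac
    done < "$file"
    set +f
    if [ "$committed" -eq 0 ]; then
        echo "missing COMMIT: iptables-restore would apply nothing"
        findings=$((findings + 1))
    fi
    if [ "$ssh_ok" -eq 0 ]; then
        echo "no rule accepts NEW tcp/22: applying this over SSH locks you out"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# install_ruleset FILE: lint, let iptables-restore parse the file without committing
# it (--test), then put it in place and restart the service. Needs root and the
# iptables-services package; it is deliberately not called below.
install_ruleset() {
    lint_ruleset "$1" || return 1
    iptables-restore --test < "$1" || return 1
    cp "$1" /etc/sysconfig/iptables && systemctl restart iptables.service
}

# Demo on a constructed copy of the page's ruleset (no SSH rule, DROP after REJECT).
page_rules=$(mktemp)
cat > "$page_rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j DROP
COMMIT
EOF
lint_ruleset "$page_rules" || echo "page ruleset: fix the findings above before restarting iptables"
good_rules=$(mktemp)
gen_ruleset 22 80 > "$good_rules"
lint_ruleset "$good_rules" && echo "generated ruleset (22, 80): clean"
rm -f "$page_rules" "$good_rules"
```

Run on the page's ruleset the linter reports the unreachable `-A INPUT -j DROP` and the missing port 22 rule; the generated ruleset for ports 22 and 80 passes. The unreachable-rule check is conservative: it only treats a rule as terminal when it has no match options at all, which is exactly the case in the page's example.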