How do I configure the firewall in a minimal install of Fedora 13? What is the correct Fedora way to configure the firewall? Are there any easy-to-use command line tools to manipulate /etc/sysconfig/iptables etc.?
Basically I would just like to allow incoming http/https traffic to a couple of ports.
This is what my /etc/sysconfig/iptables looks like:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
iptables is pretty much layer 4, so "http" traffic makes no sense to it, only the port does. Do you have a GUI? What are you trying to do?
There may be third party tools to help, but basic usage of it is pretty simple. For the sake of keeping it simple I'm going to assume one chain (INPUT). When a packet is received, iptables goes through the chain from top to bottom and compares it against each rule. If there is a rule that matches that packet entirely, it follows the instructions provided in that rule (DROP, REJECT, ACCEPT) and stops processing for that packet (it is a bit more complicated for chains, which act like subroutines). Remember, it's the first matching rule that counts, so if you have a rule dropping all TCP traffic, then a rule accepting SSH from your home network, SSH will be ignored from your home network. If no matching rules are found, the policy (ACCEPT, REJECT, or DROP) is followed. ACCEPT is the default and considered good practice.
To add a rule to the end of a chain, use -A CHAIN. To add to the beginning, -I CHAIN. To insert into a specific position, -I CHAIN line_number. Some examples below:
Add a rule to the bottom of INPUT to allow TCP connections on port 80 from 192.168.1.1:
iptables -A INPUT -p tcp --source 192.168.1.1 --dport 80 -j ACCEPT
Add a rule to the top of INPUT to allow TCP connections on port 443 from 12.34.15.0/24:
iptables -I INPUT -p tcp --source 12.34.15.0/24 --dport 443 -j ACCEPT
Reject any other connections to port 80:
iptables -A INPUT -p tcp --dport 80 -j REJECT
Drop (without a response) any other TCP traffic (don't run this one or you'll lose SSH):
iptables -A INPUT -p tcp -j DROP
When it comes to adding and removing rules you might find it easier to do so in a text file. To save to a text file do:
iptables-save > /path/to/file
Edit it, then reload:
cat /path/to/file | iptables-restore
Also note that by default iptables will have no rules after a reboot. On RedHat systems it will load the default rules from /etc/sysconfig/iptables, and you can save the running rules to that file with
/etc/init.d/iptables save
(and conversely load those rules with /etc/init.d/iptables start).
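The ordering point made in the answer above (the first matching rule wins, so an ACCEPT for a new port has to sit above the REJECT line) can be applied directly to the file from the question instead of through live iptables commands. The following shell script is an added example, not code from the question, the answer, or Fedora itself; the function names insert_before, open_ports, first_match and rule_index are my own, and the sample ruleset is a copy of the /etc/sysconfig/iptables shown in the question, embedded so the script runs offline and without root. first_match is a deliberately small model of how the INPUT chain is walked for a new TCP connection arriving from the network (it only understands the matchers that appear in this ruleset); it exists to show why a rule appended with -A after the REJECT line is never reached.

```shell
#!/bin/sh
# Added example (not from the question or answer): edit an iptables-save style
# ruleset to open TCP ports, placing the ACCEPT rules before the REJECT rule,
# and model first-match evaluation of the INPUT chain to check the result.

# Constructed sample: the /etc/sysconfig/iptables from the question.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# insert_before RULESET PATTERN RULE: print RULESET with RULE inserted just
# before the first line matching PATTERN (the file equivalent of "iptables -I").
# Comment lines such as the system-config-firewall header pass through untouched.
insert_before() {
    printf '%s\n' "$1" | awk -v pat="$2" -v rule="$3" '
        !done && $0 ~ pat { print rule; done = 1 }
        { print }'
}

# open_ports RULESET PORT...: one ACCEPT rule per port, in the same
# "-m state --state NEW -m tcp -p tcp" form as the existing port 22 rule,
# each placed above the INPUT chain's catch-all REJECT.
open_ports() {
    out=$1; shift
    for port in "$@"; do
        out=$(insert_before "$out" '^-A INPUT -j REJECT' \
            "-A INPUT -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT")
    done
    printf '%s\n' "$out"
}

# first_match RULESET DPORT: verdict iptables would give a NEW TCP packet to
# DPORT arriving on a non-loopback interface, walking INPUT top to bottom and
# stopping at the first matching rule; falls back to the chain policy.
# Only the matchers used in this ruleset are understood (a simplified model).
first_match() {
    printf '%s\n' "$1" | awk -v dport="$2" '
        /^:INPUT/ { policy = $2 }
        /^-A INPUT/ {
            # matchers a fresh SYN from the network can never satisfy
            if ($0 ~ /--state ESTABLISHED/ || $0 ~ /-p icmp/ || $0 ~ /-i lo/) next
            if (match($0, /--dport [0-9]+/)) {
                split(substr($0, RSTART, RLENGTH), f, " ")
                if (f[2] != dport) next
            }
            for (i = 1; i <= NF; i++)
                if ($i == "-j") { print $(i + 1); found = 1; exit }
        }
        END { if (!found) print policy }'
}

# rule_index RULESET PATTERN: 1-based line number of the first line matching
# PATTERN, handy for checking where a rule ended up.
rule_index() {
    printf '%s\n' "$1" | awk -v pat="$2" '$0 ~ pat { print NR; exit }'
}

# Demo: open 80 and 443 and compare verdicts before and after.
NEW_RULES=$(open_ports "$SAMPLE_RULES" 80 443)
printf '%s\n' "$NEW_RULES"
printf 'port 80 before: %s, after: %s\n' \
    "$(first_match "$SAMPLE_RULES" 80)" "$(first_match "$NEW_RULES" 80)"
```

On the real machine the same functions work on the live file: open_ports "$(cat /etc/sysconfig/iptables)" 80 443 > /tmp/iptables.new, sanity-check it with first_match, load it with iptables-restore < /tmp/iptables.new, and then copy it over /etc/sysconfig/iptables (or run /etc/init.d/iptables save) so it survives a reboot. The test below also inserts an ACCEPT just before COMMIT, which is where iptables -A INPUT would put it on this ruleset, and confirms that first_match still answers REJECT for port 80: the rule is shadowed by the catch-all above it.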
I ended up putting the following row just before the first REJECT row. This allows incoming http (port 80) traffic from everywhere: