4. Firewall
Prev   Next

4. Firewall

In the firewall we will accept only the HTTP port (80), ssh port (22), FTP ports (20, 21), samba ports (137,138,139,445) and the port that will be forwarded to the CACHE server (1972). Everything else will be rejected. Edit the file /etc/sysconfig/iptables (don't be affraid about the manual customization not being recommended, it is not forbidden, and you can customize it if you know what you are doing):

bash# vi /etc/sysconfig/iptables

# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### accept HTTP port: 80
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

### accept FTP ports: 20 and 21 
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT

### accept ssh port: 22
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

### accept cache port: 1972
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1972 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 1972 -j ACCEPT

### accept samba ports
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

COMMIT

Now restart the iptables to apply these rules: 

bash# /sbin/service iptables restart
bash# /sbin/iptables-save | more
Prev Up Next
3. Network Configuration Home 5. Source NAT (Masquerading)