
Iptables Rules Setup CentOS6

Published: April 24, 2016 Updated: May 25, 2026 Larry Qu 5 min read

Backup First (export)

Before any vital operation, back up the file. The iptables configuration file on CentOS is located at /etc/sysconfig/iptables. Remember to keep the SSH port open: if we make a mistake in our configuration, we may block ourselves from accessing the VPS, and if we are locked out we need console access.

The iptables-save command writes the current iptables rules to stdout (standard out). This gives us an easy way to export the firewall rules to file, by redirecting stdout to a file.

export rules

iptables-save > /tmp/iptables-export

import rules

sudo iptables-restore < /tmp/iptables-export

Default iptables Rules in CentOS

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Explanation Line by Line

:INPUT ACCEPT [0:0] This line sets the default policy of the INPUT chain to ACCEPT (the [0:0] are the chain's packet and byte counters).

:FORWARD ACCEPT [0:0] This line sets the default policy of the FORWARD chain to ACCEPT.

:OUTPUT ACCEPT [0:0] This line sets the default policy of the OUTPUT chain to ACCEPT.

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT This allows incoming packets only if they belong to a connection we already have open. ESTABLISHED: the connection has already been set up and has seen traffic in both directions. RELATED: the packet starts a new connection that is associated with an existing one (for example the data connection of an FTP session).

-A INPUT -p icmp -j ACCEPT Allows all incoming ICMP packets.

-A INPUT -i lo -j ACCEPT Allows all traffic arriving on the lo (loopback) interface.

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT Allows new TCP connections to port 22 (SSH).

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
These two rules reject every packet in the INPUT and FORWARD chains that did not match any of the rules above them, and send an ICMP host-prohibited message back to the sender.

Useful Commands

service iptables start
service iptables restart
service iptables stop

# save the running rules to /etc/sysconfig/iptables
service iptables save

# reload the rules from the saved configuration file
iptables-restore < /etc/sysconfig/iptables

# save a backup copy of the running rules to a file
iptables-save > /tmp/iptables-export

If iptables is stopped, no rules are shown:

$ iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Caution

If some rules are wrong or not recognized by iptables, the service will not start. This is the error:

Iptables: Applying firewall rules: iptables-restore v1.4.7: Couldn't load match `stste':/lib64/xtables/libipt_stste.so: cannot open shared object file: No such file or directory 

Error occurred at line: 21
Try 'iptables-restore -h' or 'iptables-restore --help' for more information.

To solve this, we flush (clear) all rules and save, and then iptables will start. But this operation is dangerous: after the flush, port 22 will no longer be open.

[root@host2 ~]# iptables -F; iptables -X; iptables -Z
[root@host2 ~]#
[root@host2 ~]# service iptables start
iptables: Applying firewall rules:                         [  OK  ]
[root@host2 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

A better way is to restore the default rules. Save the following lines into a file called iptables.default:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

then restore it:

# iptables-restore < ./iptables.default

save the rules:

[root@h2 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

You need a stable network connection for these operations.
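The script below is an added example, not part of the original post, that ties the backup advice at the top to the Caution section: it checks an iptables-save file for the problems that make "service iptables start" fail (an unknown match module such as the "stste" typo above) or that lock us out over SSH (no ACCEPT for tcp/22, or a catch-all REJECT placed before it), and then loads the file with a timed automatic rollback to the backup. KNOWN_MATCHES is an assumed short list that covers the rules on this page; the sample rulesets are constructed from the CentOS default file shown above.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an iptables-save
# file before loading it, and load it with an automatic rollback so a broken
# ruleset cannot lock us out of SSH.

# Assumption: match modules we expect to see; extend for your own rulesets.
KNOWN_MATCHES="state tcp udp icmp conntrack limit multiport comment"

# validate_ruleset FILE
# Prints one line per problem found; returns 0 if the file is clean, 1 otherwise.
validate_ruleset() {
    file=$1
    rc=0

    # 1. Every table header (*filter, *nat, ...) needs a matching COMMIT.
    tables=$(grep -c '^\*' "$file" || true)
    commits=$(grep -c '^COMMIT$' "$file" || true)
    if [ "$tables" -ne "$commits" ]; then
        echo "table/COMMIT mismatch: $tables table(s), $commits COMMIT(s)"
        rc=1
    fi

    # 2. Every "-m <name>" must be a match module we know. A typo such as
    #    "-m stste" makes iptables-restore abort and the service fail to start.
    matches=$(grep -o -- '-m [A-Za-z0-9_]*' "$file" | awk '{print $2}' | sort -u)
    for m in $matches; do
        case " $KNOWN_MATCHES " in
            *" $m "*) ;;
            *) echo "unknown match module: $m"; rc=1 ;;
        esac
    done

    # 3. INPUT must accept tcp/22, and before the catch-all REJECT, otherwise
    #    restoring the file over SSH cuts our own session.
    ssh_line=$(grep -n -- '^-A INPUT .*-p tcp .*--dport 22 .*-j ACCEPT' "$file" | head -n 1 | cut -d: -f1)
    reject_line=$(grep -n -- '^-A INPUT -j REJECT' "$file" | head -n 1 | cut -d: -f1)
    if [ -z "$ssh_line" ]; then
        echo "no INPUT rule accepting tcp/22: remote lockout risk"
        rc=1
    elif [ -n "$reject_line" ] && [ "$reject_line" -lt "$ssh_line" ]; then
        echo "catch-all REJECT (line $reject_line) precedes the ssh ACCEPT (line $ssh_line)"
        rc=1
    fi
    return $rc
}

# safe_restore NEW_FILE [GRACE_SECONDS]
# Back up the live rules, load NEW_FILE, and roll back automatically after
# GRACE_SECONDS unless the operator kills the timer (i.e. confirms that a fresh
# SSH login still works). Needs root and a live iptables; not exercised below.
safe_restore() {
    new=$1
    grace=${2:-60}
    validate_ruleset "$new" || return 1
    backup=$(mktemp /tmp/iptables-backup.XXXXXX)
    iptables-save > "$backup"
    # A failed restore leaves the live rules untouched, so just report it.
    iptables-restore < "$new" || { echo "restore failed, live rules unchanged"; return 1; }
    ( sleep "$grace"; iptables-restore < "$backup" ) &
    echo "new rules loaded; backup in $backup; rollback in ${grace}s unless you run: kill $!"
}

# Constructed sample: the CentOS 6 default ruleset from the post.
good_ruleset() {
    cat <<'EOF'
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Constructed sample: the same file with the typo from the Caution section.
bad_ruleset() {
    good_ruleset | sed 's/-m state --state ESTABLISHED/-m stste --state ESTABLISHED/'
}

# Demo on the constructed samples (no root needed).
tmp=$(mktemp)
good_ruleset > "$tmp"
validate_ruleset "$tmp" && echo "default ruleset: OK"
bad_ruleset > "$tmp"
validate_ruleset "$tmp" || echo "broken ruleset: rejected"
rm -f "$tmp"
```

Run validate_ruleset against /etc/sysconfig/iptables (or the file you are about to restore) before "service iptables start"; the point of safe_restore is that the rollback is scheduled before the new rules go live, so a rule that kills the SSH session undoes itself after the grace period. Confirm a change only from a second, fresh SSH login, since the existing session is kept alive by the ESTABLISHED rule even when new logins are blocked.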

Other Rules

Allow ssh

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Allow ping

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

Allow HTTP and HTTPS

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Allow DNS query

iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT

Accept all established inbound connections:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Ports

Web: port 80 (HTTP) and 443 (HTTPS, the SSL port)
For sending email: port 25 (regular SMTP) and 465 (secure SMTP)
To let users receive email (read their mail on the server): port 110 (POP3) and 995 (secure POP3)

Security Rules

Blocking null packets: drop all incoming TCP packets with no flags set (tcp-flags NONE).

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

To reject SYN-flood attacks. In a SYN flood the attackers open new connections but never say what they want (SYN, ACK, whatever); they just want to tie up our server's resources. We won't accept such packets: the rule below drops TCP packets in the NEW state that are not SYN packets, which is the only way a legitimate connection may start.

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Now we move on to one more common pattern: XMAS packets (all TCP flags set at once), another reconnaissance packet.

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

You can create a firewall rule that allows traffic to the SSH port only if it comes from one source, your own IP address (not recommended):

iptables -A INPUT -p tcp -s YOUR_IP_ADDRESS -m tcp --dport 22 -j ACCEPT

Replace YOUR_IP_ADDRESS with the actual IP.
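As an added example that is not part of the original post, the script below combines the rules from the Other Rules and Security Rules sections into one complete ruleset in the /etc/sysconfig/iptables format, in an order where each rule can actually take effect: loopback and ESTABLISHED,RELATED first, the null/XMAS/non-SYN drops before any ACCEPT can match them, SSH (optionally limited to one source), the public services, and the catch-all REJECT last. The arguments are assumptions for illustration: SSH_SOURCE is the address or network allowed to reach port 22 ("0.0.0.0/0" keeps it open to everyone, as in the default file), TCP_PORTS the public service ports; 203.0.113.0/24 is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): generate a complete ruleset in
# the iptables-save format used by /etc/sysconfig/iptables, combining the
# post's individual rules in an order that makes each of them effective.

# build_ruleset SSH_SOURCE "PORT PORT ..."   -> ruleset on stdout
build_ruleset() {
    ssh_src=$1
    tcp_ports=$2
    # Chain policies stay ACCEPT as in the CentOS default file; the final
    # REJECT rule is what closes everything not explicitly allowed.
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # Scan and flood patterns are dropped before any service ACCEPT is reached:
    # null packets, XMAS packets, and new connections that do not start with SYN.
    cat <<'EOF'
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    # Management access first (restricted to SSH_SOURCE), then public services.
    printf '%s\n' "-A INPUT -s $ssh_src -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT"
    for p in $tcp_ports; do
        printf '%s\n' "-A INPUT -p tcp -m state --state NEW -m tcp --dport $p -j ACCEPT"
    done
    # Everything else is rejected with the same message the CentOS default uses.
    cat <<'EOF'
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# rule_line FILE REGEX -> line number of the first line matching REGEX (empty if none)
rule_line() {
    grep -n -- "$2" "$1" | head -n 1 | cut -d: -f1
}

# Demo: SSH only from a placeholder admin network, web on 80 and 443.
# Load and persist on CentOS 6 (as root):
#   build_ruleset 203.0.113.0/24 "80 443" > /tmp/iptables.new
#   iptables-restore < /tmp/iptables.new && service iptables save
build_ruleset "203.0.113.0/24" "80 443"
```

Review the generated file before loading it, and load it from a session you can afford to lose (or with a scheduled rollback as described in the Caution section): the -s restriction on port 22 means a typo in SSH_SOURCE locks out every address but the one you typed.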
