Task: Install and configure iptables. Block incoming TCP port 8080 from all hosts except one (192.168.1.1).
Step 1) Install iptables and dependencies
[root@master ~]# yum install iptables-services -y
Last metadata expiration check: 1:55:16 ago on Tue 09 Feb 2021 08:03:24 PM EST.
Dependencies resolved.
=============================================================================================================================================================
Package Architecture Version Repository Size
=============================================================================================================================================================
Installing:
iptables-services x86_64 1.8.4-15.el8_3.3 BaseOS 62 k
Transaction Summary
=============================================================================================================================================================
Install 1 Package
Total download size: 62 k
Installed size: 20 k
Downloading Packages:
iptables-services-1.8.4-15.el8_3.3.x86_64.rpm 47 kB/s | 62 kB 00:01
-------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 39 kB/s | 62 kB 00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : iptables-services-1.8.4-15.el8_3.3.x86_64 1/1
Running scriptlet: iptables-services-1.8.4-15.el8_3.3.x86_64 1/1
Verifying : iptables-services-1.8.4-15.el8_3.3.x86_64 1/1
Installed products updated.
Installed:
iptables-services-1.8.4-15.el8_3.3.x86_64
Complete!
Step 2) Start iptables service
[root@master ~]# systemctl start iptables
Step 3) Check the status of iptables service
[root@master ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
Active: active (exited) since Tue 2021-02-09 22:00:31 EST; 48s ago
Process: 4736 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Main PID: 4736 (code=exited, status=0/SUCCESS)
Feb 09 22:00:31 master systemd[1]: Starting IPv4 firewall with iptables...
Feb 09 22:00:31 master iptables.init[4736]: iptables: Applying firewall rules: [ OK ]
Feb 09 22:00:31 master systemd[1]: Started IPv4 firewall with iptables.
[root@master ~]#
Step 4) Enable systemd script for iptables service
[root@master ~]# systemctl enable iptables
Created symlink /etc/systemd/system/multi-user.target.wants/iptables.service → /usr/lib/systemd/system/iptables.service.
[root@master ~]#
Step 5) View the current iptables rules
[root@master ~]# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Step 6) Now we are going to insert two new rules at positions 5 and 6 of the INPUT chain. iptables evaluates the rules of a chain from top to bottom and the first match wins, so the ACCEPT rule for the allowed host goes in at position 5 and the DROP rule for everyone else at position 6, ahead of the existing catch-all REJECT. (Note: make sure your rules are in the correct order; a DROP placed above the ACCEPT would block 192.168.1.1 as well. These rules apply to IPv4 only; if the host is reachable over IPv6, the same restriction needs a matching ip6tables rule.)
Insert the rule at position 5 to allow incoming TCP traffic to port 8080 from 192.168.1.1:
[root@master ~]# iptables -I INPUT 5 -s 192.168.1.1 -p TCP --dport 8080 -j ACCEPT
Insert the rule at position 6 to drop connections to port 8080 from all other hosts:
[root@master ~]# iptables -I INPUT 6 -p TCP --dport 8080 -j DROP
Step 7) Verify the rule list. Without -n, iptables --list resolves addresses and port numbers to names where it can, which is why the source of the new ACCEPT rule shows as a hostname and the port as a service name.
[root@master ~]# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- RAC2V1S anywhere tcp dpt:webcache
DROP tcp -- anywhere anywhere tcp dpt:csoftragent
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Step 8) Save the changes so they persist across restarts (the iptables service restores its rules from /etc/sysconfig/iptables on start)
[root@master ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@master ~]#
Step 9) Restart iptables service
[root@master ~]# systemctl restart iptables
Step 10) List all rules with packet counters and numeric addresses and ports
[root@master ~]# iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
9 648 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 192.168.1.1 0.0.0.0/0 tcp dpt:8080
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
114 23270 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 7 packets, 1896 bytes)
pkts bytes target prot opt in out source destination
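Added example (not from the original post): a small POSIX shell check that parses iptables -L -v -n output and confirms the per-host ACCEPT rule sits above the catch-all DROP for the port, the ordering Step 6 depends on. The listings in the block are constructed copies of the Step 10 output so it runs offline; the function and variable names are my own.

```shell
#!/bin/sh
# Added example: verify INPUT-chain rule order for the port 8080 allow-list.
# iptables matches top to bottom, so the ACCEPT from the allowed host must
# precede the unrestricted DROP for the same port. Names here are my own.

# Constructed sample: the INPUT chain as printed by `iptables -L -v -n` in Step 10.
GOOD_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    9   648 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0     0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
    0     0 ACCEPT tcp -- * * 192.168.1.1 0.0.0.0/0 tcp dpt:8080
    0     0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
  114 23270 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination'

# Constructed sample of the mistake Step 6 warns about: DROP inserted above ACCEPT.
BAD_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
    0     0 ACCEPT tcp -- * * 192.168.1.1 0.0.0.0/0 tcp dpt:8080
  114 23270 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited'

# check_rule_order LISTING HOST PORT
# Exit 0 when, inside "Chain INPUT", the ACCEPT for HOST on PORT appears before
# the any-source DROP for PORT; exit 1 if either rule is missing or the order
# is reversed. Fields in -v -n output: $3 target, $8 source, $NF "dpt:PORT".
check_rule_order() {
    printf '%s\n' "$1" | awk -v host="$2" -v port="$3" '
        /^Chain /  { inchain = ($2 == "INPUT"); next }
        !inchain   { next }
        $3 == "ACCEPT" && $8 == host        && $NF == ("dpt:" port) { acc = NR }
        $3 == "DROP"   && $8 == "0.0.0.0/0" && $NF == ("dpt:" port) { drop = NR }
        END { if (acc && drop && acc < drop) exit 0; exit 1 }'
}

# report NAME LISTING: print a one-line verdict for a listing.
report() {
    if check_rule_order "$2" 192.168.1.1 8080; then
        echo "$1: ACCEPT for 192.168.1.1 precedes DROP for port 8080 - OK"
    else
        echo "$1: rule missing or DROP precedes ACCEPT - 192.168.1.1 would be blocked"
    fi
}
report GOOD_LISTING "$GOOD_LISTING"
report BAD_LISTING "$BAD_LISTING"
```

On the live host, run check_rule_order "$(iptables -L -v -n)" 192.168.1.1 8080 after Step 9 to confirm the saved rule set came back in the right order.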