Enterprise Linux 6 has SELinux enabled by default, which adds an excellent layer of security to your server and should never be disabled. I am simply stunned to see how easily some users take the liberty of disabling the firewall instead of taking the time to configure it and properly secure their machines.
I have also noticed that users tend to edit the /etc/sysconfig/iptables file by hand or to define rules directly with the iptables CLI. This is another approach I do not recommend, especially when several users manage the same server: it is very easy to run setup or system-config-firewall-tui and wipe out every manually added rule.
This tutorial shows how to manage a large set of rules with system-config-firewall-tui while keeping a structured and efficient security logic. The main advantage of the TUI over the CLI is that there is a single source for all rules, which eliminates the overwrite risk. Compared to firewalld, which uses a dynamic firewall model, iptables uses an inferior static model.
Start by installing system-config-firewall-tui and its dependencies:
Create a custom iptables-filter file, which will hold your specific rules:
We used the filter suffix because this file will contain only filter-table rules. You can create a large variety of custom rule files based on your needs (e.g. iptables-glusterfs). Custom rule files are especially useful when your service is not in the list of trusted services.
Open the text-based user interface by running system-config-firewall-tui in your terminal, enable the firewall and select the Customize option:
Select Forward until you reach the Custom Rules panel, then select the Add option. For each custom rules file you specify the protocol (ipv4 or ipv6) and the table (filter, mangle or nat) into which the custom rules are added:
Once all your custom rule files are added, select the Close option. You will be brought back to the main Firewall Configuration panel. Select the OK option and you will be prompted with the following warning:
Selecting the Yes option overwrites the current firewall configuration and restarts the iptables service. You can now verify the newly added firewall rules:

```
# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    ACCEPT     udp  --  192.168.1.0/24       0.0.0.0/0           state NEW udp dpt:9200
6    ACCEPT     udp  --  192.168.1.0/24       0.0.0.0/0           state NEW udp dpt:9300
7    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
```

Make sure system-config-firewall-tui is run each time your custom rule files are modified. There is no need to go through all the steps above again: simply run the TUI and select the OK option to overwrite the firewall configuration and restart the service.
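To confirm that the custom rules actually survived the overwrite, here is an added example that is not part of the original post: a POSIX sh script that compares an iptables-filter file against the output of `service iptables status` (or `iptables -L INPUT -n --line-numbers`) and also confirms that the catch-all REJECT is still the last INPUT rule, since any ACCEPT appended below it is never reached. The iptables-filter content is my reconstruction from rules 5 and 6 of the listing (the post does not show the file), and the file format assumed here is the iptables-save style that system-config-firewall expects for custom rules: bare `-A INPUT ...` lines with no `*filter` header and no `COMMIT`. The status text is a constructed copy of the listing so that the script runs offline; on a live EL6 host you would feed it the real output.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the rules in a
# system-config-firewall custom rules file are live, and that the final
# catch-all REJECT is still the last rule in INPUT.
# Usage on a host:  service iptables status > /tmp/status.txt
#                   check_custom_rules /etc/sysconfig/iptables-filter /tmp/status.txt

# Write constructed sample data into DIR. The iptables-filter content is an
# assumption reconstructed from rules 5 and 6 of the post's listing; the status
# file is a copy of that listing.
write_samples() {
    dir=$1
    cat > "$dir/iptables-filter" <<'EOF'
-A INPUT -m state --state NEW -m udp -p udp -s 192.168.1.0/24 --dport 9200 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp -s 192.168.1.0/24 --dport 9300 -j ACCEPT
EOF
    cat > "$dir/status.txt" <<'EOF'
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    ACCEPT     udp  --  192.168.1.0/24       0.0.0.0/0           state NEW udp dpt:9200
6    ACCEPT     udp  --  192.168.1.0/24       0.0.0.0/0           state NEW udp dpt:9300
7    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
EOF
}

# Pull target, protocol, source and destination port out of one iptables-save
# style rule; prints them space-separated, with "-" for anything not given.
parse_rule() {
    target=-; proto=-; src=-; dport=-
    set -- $1
    while [ $# -gt 0 ]; do
        case $1 in
            -j) target=$2; shift ;;
            -p) proto=$2; shift ;;
            -s) src=$2; shift ;;
            --dport) dport=$2; shift ;;
        esac
        shift
    done
    printf '%s %s %s %s\n' "$target" "$proto" "$src" "$dport"
}

# Return 0 when every "-A INPUT" rule in RULEFILE has a matching line in the
# "iptables -L -n --line-numbers" style listing STATUSFILE; reports the rest on stderr.
rules_applied() {
    rulefile=$1; statusfile=$2; missing=0
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;
            '-A INPUT '*) ;;
            *) echo "skipping rule outside INPUT: $line" >&2; continue ;;
        esac
        set -- $(parse_rule "$line")
        target=$1; proto=$2; src=$3; dport=$4
        [ "$proto" = - ] && proto=all          # no -p shows as "all" in the listing
        [ "$src" = - ] && src=0.0.0.0/0        # no -s means any source
        srcre=$(printf '%s' "$src" | sed 's/\./\\./g')
        pattern="^[0-9]+ +$target +$proto +-- +$srcre +[^ ]+"
        [ "$dport" != - ] && pattern="$pattern +.*dpt:$dport( |\$)"
        if ! grep -Eq -- "$pattern" "$statusfile"; then
            echo "MISSING: $line" >&2
            missing=$((missing + 1))
        fi
    done < "$rulefile"
    [ "$missing" -eq 0 ]
}

# Return 0 when the highest-numbered INPUT rule is REJECT, i.e. the custom
# ACCEPT rules sit above the catch-all instead of being appended after it,
# where they would never be evaluated.
reject_is_last() {
    last=$(awk '/^Chain INPUT/ {c=1; next} /^Chain/ {c=0}
                c && /^[0-9]+ / {t=$2} END {print t}' "$1")
    [ "$last" = REJECT ]
}

check_custom_rules() {
    rules_applied "$1" "$2" && reject_is_last "$2"
}

# Stand-alone run against the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
if check_custom_rules "$tmp/iptables-filter" "$tmp/status.txt"; then
    echo "OK: custom rules are live and the catch-all REJECT is still last"
else
    echo "FAIL: re-run system-config-firewall-tui and select OK to reapply the rules"
fi
rm -rf "$tmp"
```

Run the check after every TUI apply, or from cron, and a rule that silently vanished from /etc/sysconfig/iptables shows up as a MISSING line instead of as an outage. Note that `iptables -L -n` without `-v` hides the interface column, which is why rule 3 in the listing looks like an unconditional accept; add `-v` to see the interface match (typically `lo`) before concluding that a rule is too broad.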