Iptables TUI Setup

Configure your firewall without overwriting predefined static rules

1. Floren
Enterprise Linux 6 has SELinux enabled by default, which adds an excellent layer of security to your server and should never be disabled. I'm simply stunned to see how readily some users take the liberty to disable the firewall, instead of actually taking the time to configure it and properly secure their machines.

I also noticed that users have a tendency to manually edit the /etc/sysconfig/ip[6]tables file or to use the ip[6]tables CLI directly to define various rules. This is another non-recommended approach, especially if you have multiple users managing a server. It is very easy to run setup or system-config-firewall-tui and destroy all manually added rules.

This tutorial will teach you how to manage a large array of rules with system-config-firewall-tui, while keeping a structured and efficient security logic. The main advantage of using the TUI instead of the CLI is having one source for all rules, eliminating the overwrite risk. Compared to Firewalld, which uses a dynamic firewall model, iptables uses an inferior static model.

Start by installing system-config-firewall-tui and its dependencies:

Create a custom iptables-filter file, which will hold your specific rules:

We used the filter suffix because this file will contain only FILTER related rules. You can create a large variety of custom rule files, based on your needs (e.g. iptables-glusterfs). Using custom rule files is especially useful if your service is not part of the list of trusted services.

Open the text-based user interface by executing system-config-firewall-tui in your terminal, enable the firewall and select the Customize option:


Select Forward until you reach the Custom Rules panel, then select the Add option. You can specify the ipv4 or ipv6 protocol and the filter, mangle or nat table to which the custom rules will be added:


Once all your custom rule files are added, select the Close option. You will be brought back to the main Firewall Configuration panel. Select the OK option and you will be prompted with the following warning:


Selecting the Yes option will overwrite the current firewall configuration and restart the ip[6]tables service. You can now verify the newly added firewall rules:
    # service iptables status
    Table: filter
    Chain INPUT (policy ACCEPT)
    num  target     prot opt source               destination
    1    ACCEPT     all  --             state RELATED,ESTABLISHED
    2    ACCEPT     icmp --  
    3    ACCEPT     all  --  
    4    ACCEPT     tcp  --             state NEW tcp dpt:22
    5    ACCEPT     udp  --           state NEW udp dpt:9200
    6    ACCEPT     udp  --           state NEW udp dpt:9300
    7    REJECT     all  --             reject-with icmp-host-prohibited
Make sure system-config-firewall-tui is executed each time your custom rule files are modified. There is no need to go through all of the steps listed above; simply run the TUI and select the OK option to overwrite the firewall configuration and restart the service.
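A quick check for the failure mode just described (a custom rules file edited but the TUI not re-run, so the running ruleset is stale), as an added example that is not part of the original post: it compares the rules in a custom rules file against the output of iptables-save and prints any rule that is not loaded. Both inputs are constructed samples written to temporary files; the file name iptables-filter follows the post, the tcp/8080 rule is invented for illustration.

```shell
#!/bin/sh
# Canonicalise one rule line so that iptables-save's token order does not
# matter: split on whitespace, sort the tokens, rejoin with single spaces.
canon_rule() {
    printf '%s\n' "$1" | tr -s ' \t' '\n\n' | grep -v '^$' | sort | tr '\n' ' '
}

# Print every rule from the custom rules file ($1) that has no
# token-equivalent rule in the iptables-save output ($2).
missing_rules() {
    loaded=$(grep '^-A ' "$2" | while IFS= read -r r; do canon_rule "$r"; echo; done)
    grep -v '^[[:space:]]*\(#\|$\)' "$1" | while IFS= read -r rule; do
        c=$(canon_rule "$rule")
        printf '%s\n' "$loaded" | grep -qxF -- "$c" || printf '%s\n' "$rule"
    done
}

# --- constructed sample data (stands in for /etc/sysconfig/iptables-filter
# and for `iptables-save` on a host where the TUI was not re-run) ---
CUSTOM=$(mktemp) && SAVED=$(mktemp)
trap 'rm -f "$CUSTOM" "$SAVED"' EXIT
cat >"$CUSTOM" <<'EOF'
# custom FILTER rules, iptables-save syntax, one rule per line
-A INPUT -m state --state NEW -m udp -p udp --dport 9200 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 9300 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
EOF
cat >"$SAVED" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 9200 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 9300 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# Only the 8080 rule is reported: it was added to the file after the last
# TUI run. On a real host, replace "$SAVED" with the output of iptables-save.
missing_rules "$CUSTOM" "$SAVED"
```

An empty result means every custom rule is loaded; anything printed is a rule the firewall is not enforcing until system-config-firewall-tui is run again.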