Opening up SSH and HTTP ports using iptables from the command line
I have to look this up from time to time, usually just after installing a new Linux system intended for use as a test server. There are GUI tools for configuring the firewall, but I usually leave the entire windowing system uninstalled.
By default, many Linux distributions will start up sshd and httpd, but you won’t be able to connect to them over the network, since the ports will be blocked by iptables. The examples below are for Red Hat or CentOS (which is basically Red Hat), and may vary slightly betweenl distributions.
To see the current iptables firewall rules, use iptables –list (that’s two dashes):
[root]# iptables --list Chain INPUT (policy ACCEPT) target prot opt source destination RH-Firewall-1-INPUT all -- anywhere anywhere Chain FORWARD (policy ACCEPT) target prot opt source destination RH-Firewall-1-INPUT all -- anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain RH-Firewall-1-INPUT (2 references) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT icmp -- anywhere anywhere icmp any ACCEPT ipv6-crypt-- anywhere anywhere ACCEPT ipv6-auth-- anywhere anywhere ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353 ACCEPT udp -- anywhere anywhere udp dpt:ipp ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
The part we’re interested in is the “RH-Firewall-1-INPUT” list. We need to add two rules, which will accept incoming TCP connections to port 22 (sshd) and port 80 (httpd).
[root]# iptables -I RH-Firewall-1-INPUT 3 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[root]# iptables -I RH-Firewall-1-INPUT 3 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
The additions will now appear in the output of iptables –list:
Chain RH-Firewall-1-INPUT (2 references) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT icmp -- anywhere anywhere icmp any ACCEPT tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN ACCEPT tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN ACCEPT ipv6-crypt-- anywhere anywhere ACCEPT ipv6-auth-- anywhere anywhere ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353 ACCEPT udp -- anywhere anywhere udp dpt:ipp ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
You can now connect to the server over the network. Unfortunately, this will only last until it’s rebooted. To save the iptables configuration, do something like:
/etc/init.d/iptables save
This will update the saved configuration in /etc/sysconfig/iptables, which will be used to initialize iptables at boot time.
October 13th, 2006 at 5:30 am
Good post! Saved a lot of time. I usually use firestarter, but when handling iptables remotely, this is a real time saver.
Now, to go find a detailed iptables manual and get more familiar with it.
Thanks again for the post!
April 15th, 2007 at 7:25 am
This is right only for redhat based systems (Redhat, Fedora CentOS and others). I could not get it to work with Ubuntu since the file /etc/sysconfig/iptables is not being used to save the rules.
Migrating from RH to Ubuntu is not an easy task…
8-)
Thanks for the info!
October 25th, 2007 at 11:11 am
[…] Hacks and Gadgets by HJL » Blog Archive » Opening up SSH and HTTP ports using iptables from t […]