Linux Iptables Setup Firewall For a Web Server

January 15, 2013 · 8 comments · Last updated January 15, 2013


I have set up an Apache web server on CentOS Linux. How do I configure the firewall to allow or block access? How do I set up a firewall for a web server under RHEL or CentOS Linux v6.x?

The default iptables configuration on CentOS or RHEL does not allow access to the HTTP (TCP port 80) and HTTPS (TCP port 443) ports used by the Apache web server. You can modify the settings using any one of the following methods:

Tutorial details
  Difficulty: Advanced
  Root privileges: Yes
  Requirements: CentOS/RHEL, iptables
  Estimated completion time: N/A

  1. /etc/sysconfig/iptables : Edit this file to allow or deny access to the Apache web server's IPv4 ports. You also need to edit the /etc/sysconfig/ip6tables file to allow or deny access to the Apache web server's IPv6 ports.
  2. system-config-firewall-tui command (runs in a text-based SSH session) or system-config-firewall command (runs in a GUI session) : This is a graphical user interface for setting basic firewall rules. This tool always overwrites the /etc/sysconfig/iptables file.
  3. /sbin/iptables command : Use the iptables command directly to modify/append/add firewall rules. The rules can be saved to the /etc/sysconfig/iptables file with the /sbin/service iptables save command.
  4. /usr/sbin/lokkit command : This is a basic firewall configuration tool, designed for ease of use and configuration. It also supports an SELinux config option. This tool is considered deprecated and is not covered in this FAQ.

Method # 1: Edit /etc/sysconfig/iptables file (recommended for advanced users)

Edit the IPv4 /etc/sysconfig/iptables, enter:
# vi /etc/sysconfig/iptables
Add the following lines, ensuring that they appear before the final LOG and DROP lines for the INPUT chain (rules are evaluated in order, so anything placed after the catch-all LOG/DROP rule is never reached):

## allow everyone to access port 80 and 443 (IPv4 Only)##
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

Save and close the file. Restart the IPv4 iptables service so the saved rules are reloaded:
# service iptables restart
Edit the IPv6 /etc/sysconfig/ip6tables, enter:
# vi /etc/sysconfig/ip6tables
Add the following lines, ensuring that they appear before the final LOG and DROP lines for the INPUT chain:

## allow everyone to access port 80 and 443 (IPv6 Only)##
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

Save and close the file. Restart the IPv6 iptables service:
# service ip6tables restart
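The hand edit above (put the new ACCEPT lines before the final LOG/DROP line of the INPUT chain) is easy to get wrong on a long file. The following shell function is an added example written for this page, not part of the original FAQ: it inserts the rules into an iptables-save style file immediately before the first catch-all LOG, DROP or REJECT rule of the INPUT chain and refuses to touch a file that has no such rule. The sample file is constructed to resemble the stock CentOS 6 /etc/sysconfig/iptables (it is not copied from a real host), and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example: insert ACCEPT rules into an iptables-save style file right
# before the first terminal rule of the INPUT chain (-j LOG/DROP/REJECT).
#   insert_before_terminal_rule FILE RULE...   (rewrites FILE in place)
insert_before_terminal_rule() {
    file=$1; shift
    rules=$(printf '%s\n' "$@")          # one rule per line
    tmp=$(mktemp) || return 1
    awk -v rules="$rules" '
        # the first INPUT rule whose target is LOG/DROP/REJECT gets the new
        # rules printed in front of it; every line is then copied through
        !done && /^-A INPUT / && /-j (LOG|DROP|REJECT)/ { print rules; done = 1 }
        { print }
        END { if (!done) exit 2 }        # no terminal rule: refuse, keep file
    ' "$file" > "$tmp"
    status=$?
    if [ "$status" -eq 0 ]; then
        cat "$tmp" > "$file"
    fi
    rm -f "$tmp"
    return "$status"
}

# check_order FILE: succeed only if every ACCEPT for 80/443 in the INPUT
# chain comes before the terminal rule, i.e. the rules can actually match.
check_order() {
    awk '
        /^-A INPUT / { n++ }
        /^-A INPUT / && /--dport (80|443) / && /-j ACCEPT/ { last_accept = n }
        !term && /^-A INPUT / && /-j (LOG|DROP|REJECT)/ { term = n }
        END { exit !(term && last_accept && last_accept < term) }
    ' "$1"
}

# Constructed sample modelled on the stock CentOS 6 file.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

insert_before_terminal_rule "$SAMPLE" \
    '-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT' \
    '-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT'
check_order "$SAMPLE" && echo "web rules placed before the catch-all REJECT"
```

Run it against a copy of /etc/sysconfig/iptables first, diff the result against the original, and only then copy it into place and run service iptables restart; the same function works unchanged on /etc/sysconfig/ip6tables.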

Method # 2: Firewall configuration GUI/TUI tool (recommended for new users)

The system-config-firewall command is a graphical user interface for setting basic firewall rules. You need to have KDE or Gnome installed on the system. Open a terminal and type the following command as the root user:
# system-config-firewall
Sample outputs:

Fig.01: GUI tool in action

Select services such as WWW, SSH, HTTPS to open the port for everyone. Click on the Apply button. This tool will generate /etc/sysconfig/iptables as follows:

Sample RHEL CentOS Linux /etc/sysconfig/iptables file

A note about the text-based config tool (recommended for remote servers with SSH access)

The system-config-firewall-tui command is a text-based tool that works without the GUI installed on the server:
# system-config-firewall-tui
Sample outputs:

Fig.02: system-config-firewall-tui in action

Select Enabled and press Tab to select "Customization":

Fig.03: Opening port 80

Scroll down/up and select SSH, WWW, Secure WWW (HTTPS) and any other required ports you wish to open. Select the Close button, then press the OK button to activate the new firewall settings.

Method # 3: /sbin/iptables command line utility (recommended for advanced/expert users only)

Type the following iptables commands as the root user to open ports 80 / 443:

## open port 80 and 443 for everyone ##
/sbin/iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

## save newly added firewall rules ##
/sbin/service iptables save

## verify new firewall settings ##
/sbin/iptables -L -n -v
/sbin/iptables -L INPUT -n -v
/sbin/iptables -L INPUT -n -v | grep :80
/sbin/iptables -L INPUT -n -v | grep :443

The following rules allow access to ports 80 and 443 only from 192.168.1.0/24:

## Find an appropriate network block and network mask
## representing the machines on your network which should operate as
## clients of the Apache web server

## Open port 80 and 443 for 192.168.1.0/24 subnet only ##
/sbin/iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 443 -j ACCEPT

## save newly added firewall rules ##
/sbin/service iptables save

## verify new firewall settings ##
/sbin/iptables -L -n -v
/sbin/iptables -L INPUT -n -v
/sbin/iptables -L INPUT -n -v | grep :80
/sbin/iptables -L INPUT -n -v | grep :443

You can block/drop the IP address 202.54.1.1 or the subnet 202.54.1.2/29 as follows using iptables:

## Block access to port 80 ##
iptables -A INPUT -s 202.54.1.1 -p tcp --dport 80 -j DROP
iptables -A INPUT -s 202.54.1.2/29 -p tcp --dport 80 -j DROP

## block and drop access to port 443 (secure apache web-server) ##
iptables -A INPUT -s 202.54.1.1 -p tcp --dport 443 -j DROP
iptables -A INPUT -s 202.54.1.2/29 -p tcp --dport 443 -j DROP

## save newly added firewall rules ##
/sbin/service iptables save

## verify new firewall settings ##
/sbin/iptables -L -n -v
/sbin/iptables -L INPUT -n -v | grep 202.54.1.1

Note: To unblock an IP, i.e. delete the DROP rules for 202.54.1.1 from iptables, repeat each rule exactly as it was added with -D in place of -A (iptables -D only removes a rule whose match and target are identical, so a bare -s 202.54.1.1 -j DROP would not find the port-specific rules above):
iptables -D INPUT -s 202.54.1.1 -p tcp --dport 80 -j DROP
iptables -D INPUT -s 202.54.1.1 -p tcp --dport 443 -j DROP
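Every command in Method 3 appends with -A, which places the new rule after everything already in the INPUT chain. On a stock CentOS/RHEL 6 host that chain ends with a catch-all REJECT rule, so an appended ACCEPT is never reached, and a per-host DROP appended after an accept-everyone rule for the same port is never reached either; the verification listings above show the rule but not whether it can match. The following added example, not part of the original FAQ, reads the output of iptables -L INPUT -n --line-numbers, finds the position of that terminal rule, and prints the insert commands: ACCEPT rules go in front of the terminal rule with -I INPUT N, per-host DROP rules go in at position 1. The listing is constructed to resemble a stock CentOS 6 chain, and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example: choose INPUT chain positions instead of appending with -A.
# The listing consumed here is `iptables -L INPUT -n --line-numbers` output,
# whose columns are: num target prot opt source destination [match details]

# terminal_rule_pos: read the listing on stdin and print the number of the
# first catch-all LOG/DROP/REJECT rule (source 0.0.0.0/0), or 0 if none.
terminal_rule_pos() {
    awk '
        $1 ~ /^[0-9]+$/ && ($2 == "REJECT" || $2 == "DROP" || $2 == "LOG") && $5 == "0.0.0.0/0" { print $1; found = 1; exit }
        END { if (!found) print 0 }
    '
}

# accept_cmd PORT: print the command that opens PORT for everyone, inserted
# in front of the terminal rule; only a chain without one is appended to.
accept_cmd() {
    pos=$(terminal_rule_pos)
    if [ "$pos" -gt 0 ]; then
        printf 'iptables -I INPUT %s -m state --state NEW -p tcp --dport %s -j ACCEPT\n' "$pos" "$1"
    else
        printf 'iptables -A INPUT -m state --state NEW -p tcp --dport %s -j ACCEPT\n' "$1"
    fi
}

# drop_cmd HOST PORT: a per-host DROP must be evaluated before any ACCEPT
# for the same port, so it always goes in at position 1.
drop_cmd() {
    printf 'iptables -I INPUT 1 -s %s -p tcp --dport %s -j DROP\n' "$1" "$2"
}

# Constructed listing modelled on a stock CentOS 6 INPUT chain.
LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

printf '%s\n' "$LISTING" | accept_cmd 80      # -I INPUT 5 ..., just before REJECT
printf '%s\n' "$LISTING" | accept_cmd 443     # also 5: each insert pushes REJECT down
drop_cmd 202.54.1.1 80                        # -I INPUT 1 ...
```

On a live host feed the real listing in (iptables -L INPUT -n --line-numbers | accept_cmd 80), review the printed command, run it, then /sbin/service iptables save and re-list with --line-numbers to confirm the ACCEPT sits above the REJECT and the DROP sits at the top.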



Comments

1 Fabio Benavides January 16, 2013 at 8:24 pm

I think you must add the FTP rules (very often used on a web server):

# FTP
iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT
# Passive FTP ports, maybe:
# (again, specifying ports 50000 through 50050 in one rule)
iptables -A INPUT -p tcp --dport 50000:50050 -j ACCEPT

Best Regards,

Reply

2 steven February 18, 2013 at 1:42 am

Personally, I prefer to use fwbuilder to create iptables rules. It’s very intuitive in its use and has some decent templates to start a rulebase from.

Regards,

Reply

3 sophisticated March 4, 2013 at 4:19 pm

On my machine there are 2 ws (web services) which can be accessed from any PC connected to the same network (wifi for example), so I have to install iptables on the machine to prevent any calls to the web services from outside my station.

What rules should I configure iptables with?
How can I protect a port which is always open?

Reply

4 Nova March 31, 2013 at 10:26 am

Can I specify the only IPs through which my server can be accessed? The machine runs CentOS 6.x

Reply

5 Fabio Benavides April 2, 2013 at 3:32 am

Nova

First you have to block all traffic by default:

# Configure default policies
# Everything blocked
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Flush (-F) all specific rules
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT

After that, you can allow access from one or more IPs to the whole server or to a specific port number:

# Whole server
iptables -I INPUT 1 -s X.X.X.X -m state --state NEW -j ACCEPT

OR:

# Only ports 20,21
iptables -A INPUT -s X.X.X.X -p tcp --dport 20:21 -j ACCEPT

Regards,

Reply

6 vinod May 2, 2013 at 4:47 pm

Please help me with this matter. I have one web server; I want to block all traffic to port 80 but allow only 3 IPs to access port 80 on the server. I ran this command and it works, but only 1 IP can access, and my requirement is that only 3 IPs can access port 80 on my server. What command should I set in my iptables? Please help me

iptables -I INPUT \! --src 1.2.3.4 -m tcp -p tcp --dport 80 -j DROP # if it's not 1.2.3.4, drop it

Reply
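Nova asks how to restrict the server to a set of source addresses, and vinod asks for port 80 to be reachable from exactly three addresses. The following added example, written for this page rather than by the FAQ author or the commenters, generates a complete /etc/sysconfig/iptables in the same iptables-save format that service iptables save writes, with the rules in an order that keeps a remote session alive while the restriction is applied: connection tracking and loopback first, SSH from an admin network, one ACCEPT for the service port per permitted client, and a single catch-all REJECT as the last INPUT rule. The function names, the admin network and the 192.0.2.x client addresses are constructed for the example.

```shell
#!/bin/sh
# Added example: build a complete /etc/sysconfig/iptables (iptables-save
# format) that admits PORT only from the listed clients.  Rule order is the
# point: tracking and loopback first, SSH from the admin network next, the
# per-client ACCEPTs, then the catch-all REJECT as the last INPUT rule.
#   build_ruleset ADMIN_NET PORT CLIENT...   -> prints the file to stdout
build_ruleset() {
    admin=$1; port=$2; shift 2
    if [ $# -eq 0 ]; then
        echo "build_ruleset: at least one client address is required" >&2
        return 1
    fi
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# replies to connections this host started, loopback and ping
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# keep remote administration reachable from the admin network
-A INPUT -s $admin -m state --state NEW -p tcp --dport 22 -j ACCEPT
# the service port, one rule per permitted client
EOF
    for client in "$@"; do
        printf '%s\n' "-A INPUT -s $client -m state --state NEW -p tcp --dport $port -j ACCEPT"
    done
    cat <<'EOF'
# everything else is rejected; this must stay the last INPUT rule
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# accepts_for_port PORT: count the ACCEPT rules for PORT in a ruleset on stdin
accepts_for_port() {
    grep -c -- "--dport $1 -j ACCEPT"
}

# Constructed addresses from the documentation ranges, not real hosts.
build_ruleset 10.0.0.0/24 80 192.0.2.10 192.0.2.11 192.0.2.12
```

Lines beginning with # are ignored by iptables-restore, so the comments can stay in the file. Save a copy of the current /etc/sysconfig/iptables, write the generated ruleset over it, run service iptables restart from your existing session, and confirm that a second SSH session from the admin network still connects before closing the first one; iptables -L INPUT -n -v --line-numbers shows the resulting order.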

7 Jose Tapia September 19, 2013 at 5:18 am

Very useful, I'm beginning with CentOS, and I was looking for a good way to define iptables rules via remote SSH, regards :)

Reply

8 Pinoy October 20, 2013 at 6:40 am

I am trying to grasp security for Linux/CentOS. I think this one is a big step for me.

Thank you!

Reply


