Firewall writing for Red Hat/CentOS/Fedora


Writing firewall rules became a nightmare (but a good one) for me when I was setting up a server for my application. After banging my head for two days I found out how to program a firewall and how it works. Here is the stuff for you.

First of all, before diving into the actual content, I assume that everyone knows what a firewall is and why we use it. If you don't, it is recommended to learn that before reading this post.
Netfilter is the host-based firewall built into the Linux kernel. It is controlled by a program called iptables and is activated by default on these distributions. It works at kernel level, so packets are filtered before any program can even process the data they carry.

The iptables rules are stored in /etc/sysconfig/iptables.
How to Turn on Firewall:

 # enable the firewall at boot
 chkconfig iptables on
 # start the firewall
 service iptables start
 # restart the firewall
 service iptables restart
 # stop the firewall
 service iptables stop

Understanding the firewall:
There are four chains in total:
INPUT – The default chain for packets addressed to the system itself. Use it to open or close incoming ports (such as 80, 25 and 110) and IP addresses / subnets (such as

OUTPUT – The default chain for packets generated by the system. Use it to open or close outgoing ports and IP addresses / subnets.

FORWARD – The default chain for packets routed through the system from one interface to another. Usually used when you set up Linux as a router: for example, eth0 is connected to an ADSL/cable modem and eth1 to the local LAN, and the FORWARD chain carries traffic between the LAN and the Internet.

RH-Firewall-1-INPUT – A user-defined custom chain. It is used by the INPUT, OUTPUT and FORWARD chains (in the default configuration shown below, INPUT and FORWARD jump to it).
How rules work:
Each packet starts at the first rule in the chain.
A packet proceeds down the chain until it matches a rule.
If a match is found, control jumps to the specified target (such as ACCEPT, REJECT or DROP); later rules in the chain are not consulted.
Target meanings:
The target ACCEPT means allow the packet.
The target REJECT means drop the packet and send an error message back to the remote host.
The target DROP means drop the packet silently, without sending any error message to the sending host.
When you open the firewall file you will find something like the following:

 :RH-Firewall-1-INPUT - [0:0]
 -A INPUT -j RH-Firewall-1-INPUT
 -A FORWARD -j RH-Firewall-1-INPUT
 -A RH-Firewall-1-INPUT -i lo -j ACCEPT
 -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
 -A RH-Firewall-1-INPUT -p udp --dport 5353 -d -j ACCEPT
 -A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
 -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
 -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
 -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

If you want to drop all traffic that no rule explicitly accepts, set the default policy of the INPUT chain to DROP as below and restart the firewall. If the rules are written correctly the firewall restarts successfully; otherwise the restart fails.

 :INPUT DROP [0:0]

Here are some rules to open ports. Add them before the COMMIT line, and above the final REJECT rule of the chain, since a packet is handled by the first rule it matches.

To open HTTP port

 -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT

To open HTTPS port

 -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT

To open SMTP port :

 -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 25 -j ACCEPT

To open FTP port:

 -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 21 -j ACCEPT

Explanation of the above rules:
-A = append a rule to the given chain
RH-Firewall-1-INPUT = one of the chains in the filter table of iptables
-p = specify the protocol
--dport = specify the destination port
-j = the target to jump to if the rule matches the IP packet
ACCEPT = allow the packet through the firewall
For a detailed explanation check the iptables man page on any Linux distribution. Last but not least, check out this website to verify whether the port has been opened or not.
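The first-match walk described under "How rules work" and the advice to add new rules before the COMMIT line can be checked offline before touching a live server. The following Python script is an added example, not code from the original post: it parses the subset of the /etc/sysconfig/iptables format shown above (the function names parse_rules, verdict, unreachable_rules and open_tcp_port and the constructed sample file are the example's own), walks a chain top to bottom the way the post describes, and reports rules that can never match because they were appended after the catch-all REJECT rather than above it. An option that lost its argument, like the `-d` with no address in the listing above, is reported instead of being silently misread.

```python
import shlex

# Constructed sample: the post's default chain, INPUT policy set to DROP, and an
# HTTP rule appended in the wrong place (after the catch-all REJECT).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
COMMIT
"""

# Only the options the post uses are understood; -m, --icmp-type and --reject-with
# take an argument but do not restrict which packets a rule matches.
TAKES_ARG = {"-i", "-s", "-d", "-p", "--dport", "-m", "--state", "--icmp-type",
             "--reject-with", "-j"}
CRITERIA = {"-i": "in_iface", "-s": "src", "-d": "dst", "-p": "proto",
            "--dport": "dport", "--state": "state"}
CONVERT = {"--dport": int, "--state": lambda a: set(a.split(","))}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_rules(text):
    """Return (policies, chains): chain name -> ordered list of rule dicts."""
    policies, chains = {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "*#" or line == "COMMIT":
            continue
        if line.startswith(":"):                 # ":INPUT DROP [0:0]"
            name, policy = line[1:].split()[:2]
            chains.setdefault(name, [])
            if policy != "-":                    # "-" marks a user-defined chain
                policies[name] = policy
            continue
        toks = shlex.split(line)
        if toks[:1] != ["-A"]:
            raise ValueError(f"line {lineno}: unsupported line {line!r}")
        rule = {"line": lineno, "target": None}
        for i in range(2, len(toks), 2):         # every supported option takes one argument
            opt, arg = toks[i], (toks[i + 1] if i + 1 < len(toks) else "-")
            if opt not in TAKES_ARG:
                raise ValueError(f"line {lineno}: unsupported option {opt}")
            if arg.startswith("-"):              # e.g. "-d -j ACCEPT": the argument was lost
                raise ValueError(f"line {lineno}: {opt} is missing its argument")
            if opt == "-j":
                rule["target"] = arg
            elif opt in CRITERIA:
                rule[CRITERIA[opt]] = CONVERT.get(opt, str)(arg)
        chains.setdefault(toks[1], []).append(rule)
    return policies, chains

def matches(rule, pkt):
    """True when every criterion the rule sets agrees with the packet dict."""
    for key in CRITERIA.values():
        if key not in rule:
            continue
        want, have = rule[key], pkt.get(key)
        if not (have in want if isinstance(want, set) else have == want):
            return False
    return True

def verdict(policies, chains, chain, pkt):
    """Walk a chain top to bottom; return (verdict, line of the deciding rule)."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        if rule["target"] in TERMINAL:
            return rule["target"], rule["line"]
        if rule["target"] in chains:             # jump into a user-defined chain
            result = verdict(policies, chains, rule["target"], pkt)
            if result[0] != "RETURN":
                return result
    # nothing matched: built-in chains apply their policy, custom chains return
    return policies.get(chain, "RETURN"), None

def unreachable_rules(chains):
    """Line numbers of rules placed after an unconditional ACCEPT/DROP/REJECT."""
    dead = []
    for rules in chains.values():
        blocked = False
        for rule in rules:
            if blocked:
                dead.append(rule["line"])
            elif rule["target"] in TERMINAL and not any(k in rule for k in CRITERIA.values()):
                blocked = True
    return dead

def open_tcp_port(text, port, chain="RH-Firewall-1-INPUT"):
    """Insert an ACCEPT for a new TCP port just above the chain's catch-all REJECT."""
    new = f"-A {chain} -m state --state NEW -m tcp -p tcp --dport {port} -j ACCEPT"
    lines = text.splitlines()
    idx = next(i for i, l in enumerate(lines) if l.startswith(f"-A {chain} -j REJECT"))
    lines.insert(idx, new)
    return "\n".join(lines) + "\n"
```

With the sample file, a new connection to port 80 on eth0 is handled by the REJECT on line 8 and the port 80 rule on line 9 is flagged as unreachable; after open_tcp_port inserts an HTTPS rule above the REJECT, a new connection to port 443 is accepted by that rule while the misplaced port 80 rule stays unreachable. Feeding the script the listing above (with its `-d` that has no address) raises a ValueError naming the line, which is the same defect that makes the real restart fail.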

I hope you enjoy this post. Any queries or suggestions would be welcome.

