Configuring port access using Linux Firewall

Written by rajkiran on Friday June 6, 2014

Many Linux distributions ship with a powerful host firewall built on iptables. The iptables program is used to define rules that allow or block access to individual ports on the server.

Here is an example: I cannot reach the "DBExpress" application, which listens on port 8888 on the machine kirlinc.home, from any of my other servers on the network.


Let's check which rules are currently defined in the firewall with the following commands.

[root@kirlinc kiran]# iptables -nvL --line-numbers  ← display the live rules, with packet counters and rule numbers

[root@kirlinc data]# cat /etc/sysconfig/iptables  ← the saved rules that are loaded at boot live in /etc/sysconfig/iptables

From the screenshot, you can see that only SSH (port 22) is allowed on the server; everything else is caught by the REJECT rule at the bottom of the INPUT chain. I need to add a rule for port 8888 as well, so I can reach the DBExpress application from other machines.

The following command adds a new rule for port 8888. I specified "-I INPUT 5" to insert it as the 5th rule, right after my SSH rule. The position matters: iptables evaluates a chain top to bottom and the first matching rule wins, so the ACCEPT has to sit above the final REJECT. Appending it with "-A INPUT" would place it after the REJECT, where it would never be reached.

[root@kirlinc kiran]# iptables -I INPUT 5 -p tcp  --dport 8888 -j ACCEPT

[root@kirlinc kiran]# service iptables save   ← write the live rules to /etc/sysconfig/iptables so they survive a reboot

iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]


[root@kirlinc kiran]# service iptables restart   ← Restart the Firewall
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]

[root@kirlinc kiran]# iptables -nvL --line-numbers  ← verify that the rule is in place at the expected position

Now I see the new rule accepting connections on port 8888, and I can reach my application from any other computer on the network. Note that the rule was active the moment "iptables -I" ran; the restart flushes the live rules and reloads /etc/sysconfig/iptables, which confirms that the saved file is what will be applied at boot.

I can restrict this access further, to a single machine, by adding a source IP address to the match. Since I already have a rule for port 8888 at position 5, I replace it in place with "-R" rather than adding a second rule. "-R" overwrites whichever rule currently holds that number, so check the listing first and make sure 5 is still the port 8888 rule.

[root@kirlinc kiran]# iptables -R INPUT 5 -p tcp -s 192.168.1.50 --dport 8888 -j ACCEPT

[root@kirlinc kiran]# service iptables save

iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

[root@kirlinc kiran]# service iptables restart
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]

[root@kirlinc kiran]# iptables -nvL --line-numbers  

My previous rule has been replaced with one that accepts connections on port 8888 only from the specified source address, so I can now reach my DBExpress application only from the IP address defined in the firewall. Keep in mind that a source-address match trusts the address, not the host behind it: anything on that network segment that can use or spoof 192.168.1.50 gets the same access.

Cheers!

rajkiran
