Linux tip, Fedora tip / howto: setting up iptables

setting up iptables

These are the steps to go from the Red Hat/Fedora Core default firewall rules to a minimal set of rules, optionally with two extra rules for Azureus.

  • run system-config-securitylevel and enable the firewall. If you'd like to run an ssh server, for example, check "SSH" as a trusted service
  • run iptables -L --line-numbers: this lists your current firewall rules with a line number in front of each one. We are only interested in the rules in the RH-Firewall-1-INPUT chain
  • delete rule 3 (the one with ipv6-crypt as the protocol, also known as protocol number 50):
    iptables -D RH-Firewall-1-INPUT 3
    (unless you need it for VPN and the like)
  • delete the rule with protocol ipv6-auth (also known as protocol number 51). Run iptables -L --line-numbers again to see which number the rule has now!
  • delete the rule with as the destination (unless you're running mDNSResponder, a service that makes it easier to join a network)
  • delete the rule with dpt:ipp (unless you're sharing your printer on a network)
  • if you'd like to add rules, for a bittorrent client like Azureus for example, first delete the last rule (the one with reject-with icmp-host-prohibited), then:
    • add these two rules:
      iptables -A RH-Firewall-1-INPUT -p udp --dport 12345 -j ACCEPT
      iptables -A RH-Firewall-1-INPUT -p tcp --dport 12345 -j ACCEPT
    • add the last rejection rule again (with the same reject-with option the original had, so rejected packets get the same ICMP reply as before):
      iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    • in Azureus, in Tools->Options->Connections, set the TCP and UDP listen port to 12345 (or whichever port you used in the above rules)
    • if you're using a router, for example, don't forget to open port 12345 for TCP and UDP on the router's firewall
  • in the file /etc/sysconfig/iptables-config, make sure the following option is set to "yes":
    (this way your firewall rules are saved when you shutdown)
  • important: don't use system-config-securitylevel anymore: it will overwrite the set of rules you've just created!
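As an added example (not part of this tip), the POSIX sh functions below turn the steps above into iptables commands keyed on rule specifications instead of line numbers, so the renumbering after each deletion cannot make you delete the wrong rule, and add a check that the chain still ends in the REJECT. The listing they operate on is constructed in the form `iptables -S RH-Firewall-1-INPUT` prints; the mDNS destination address in it is a placeholder, and all function names are my own.

```shell
# Constructed listing in `iptables -S RH-Firewall-1-INPUT` form, mirroring the
# Fedora default chain this tip starts from (not captured from a real host);
# the mDNS destination address is a placeholder.
SAMPLE_RULES='-N RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d MDNS-ADDRESS-PLACEHOLDER/32 -p udp -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited'
REJECT_RULE='-j REJECT --reject-with icmp-host-prohibited'

# Rule specs the tip removes: ESP (protocol 50), AH (protocol 51), the
# destination-keyed mDNS rule and the two ipp (port 631) printer-sharing rules.
# Reads a listing on stdin (on a live host: iptables -S RH-Firewall-1-INPUT).
select_rules_to_delete() {
    sed -n 's/^-A RH-Firewall-1-INPUT //p' \
    | grep -E -e '^-p (esp|50) ' -e '^-p (ah|51) ' -e '^-d ' -e '--dport 631( |$)'
}

# Delete by rule spec rather than by number: the numbering shifts after every
# -D, which is why the tip tells you to re-run iptables -L --line-numbers.
delete_commands() {
    select_rules_to_delete | sed 's/^/iptables -D RH-Firewall-1-INPUT /'
}

# Azureus tail: drop the final REJECT, open the listen port for UDP and TCP,
# then append the same REJECT so it is the last rule again.
azureus_commands() {
    port="${1:-12345}"
    printf '%s\n' \
        "iptables -D RH-Firewall-1-INPUT $REJECT_RULE" \
        "iptables -A RH-Firewall-1-INPUT -p udp --dport $port -j ACCEPT" \
        "iptables -A RH-Firewall-1-INPUT -p tcp --dport $port -j ACCEPT" \
        "iptables -A RH-Firewall-1-INPUT $REJECT_RULE"
}

# Succeeds only when none of the removed rules remain and the chain still ends
# in the REJECT (without it, packets fall through to the INPUT chain's policy).
check_chain() {
    listing=$(cat)
    leftover=$(printf '%s\n' "$listing" | select_rules_to_delete | wc -l | tr -d ' ')
    last=$(printf '%s\n' "$listing" | grep '^-A RH-Firewall-1-INPUT' | tail -n 1)
    [ "$leftover" -eq 0 ] && [ "$last" = "-A RH-Firewall-1-INPUT $REJECT_RULE" ]
}
```

Run `iptables -S RH-Firewall-1-INPUT | delete_commands` to see the deletions before executing them, and `iptables -S RH-Firewall-1-INPUT | check_chain` afterwards to confirm the result.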

Please do not copy the text of this tip (© Patrick Min) to your web site.