setting up iptables
These are the steps to go from the Red Hat/Fedora Core default firewall rules to a minimal set of rules, optionally with two extra rules for Azureus.
- run system-config-securitylevel and enable the firewall. If you'd like to run an ssh server, check "SSH" as a trusted service, for example
- run iptables -L --line-numbers: this will list your current firewall rules with line numbers in front of them. We are interested in the ones in the RH-Firewall-1-INPUT chain (list)
- delete rule 3 (the one with ipv6-crypt as the protocol, also known as protocol number 50):
iptables -D RH-Firewall-1-INPUT 3
(unless you need it for VPN and the like)
- delete the rule with protocol ipv6-auth (also known as protocol number 51). Run iptables -L --line-numbers again to see which number the rule has now!
- delete the rule with 126.96.36.199 as the destination (unless you're running mDNSResponder, a service that makes it easier to join a network)
- delete the rule with dpt:ipp (unless you're sharing your printer on a network)
- if you'd like to add rules, for a bittorrent client like Azureus for example, first delete the last rule (the one with reject-with icmp-host-prohibited), then:
- add these two rules:
iptables -A RH-Firewall-1-INPUT -p udp --dport 12345 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p tcp --dport 12345 -j ACCEPT
- add the last rejection rule again:
iptables -A RH-Firewall-1-INPUT -j REJECT
- in Azureus, in Tools->Options->Connections, set the TCP and UDP listen port to 12345 (or whichever port you used in the above rules)
- if you're using a router, for example, don't forget to open port 12345 for TCP and UDP on the router's firewall
- in the file /etc/sysconfig/iptables-config, make sure the following option is set to "yes":
(this way your firewall rules are saved when you shutdown)
- important: don't use system-config-securitylevel anymore: it will overwrite the set of rules you've just created!