Setting up iptables
These are the steps to go from the Red Hat/Fedora Core default firewall rules to a minimal set of rules, optionally with two extra rules for Azureus.
- run system-config-securitylevel and enable the firewall. If you'd like to run an SSH server, for example, check "SSH" as a trusted service
- run iptables -L --line-numbers: this will list your current firewall rules with line numbers in front of them. We are interested in the ones in the RH-Firewall-1-INPUT chain
- delete rule 3 (the one with ipv6-crypt as the protocol, also known as protocol number 50):
iptables -D RH-Firewall-1-INPUT 3
(unless you need it for VPN and the like)
- delete the rule with protocol ipv6-auth (also known as protocol number 51). Run iptables -L --line-numbers again to see which number the rule has now!
- delete the rule with 184.108.40.206 as the destination (unless you're running mDNSResponder, a service that makes it easier to join a network)
- delete the rule with dpt:ipp (unless you're sharing your printer on a network)
- if you'd like to add rules, for a bittorrent client like Azureus for example, first delete the last rule (the one with reject-with icmp-host-prohibited), then:
- add these two rules:
iptables -A RH-Firewall-1-INPUT -p udp --dport 12345 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p tcp --dport 12345 -j ACCEPT
- add the last rejection rule again:
iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
- in Azureus, in Tools->Options->Connections, set the TCP and UDP listen port to 12345 (or whichever port you used in the above rules)
- if you're using a router, for example, don't forget to open port 12345 for TCP and UDP on the router's firewall
- in the file /etc/sysconfig/iptables-config, make sure the following option is set to "yes":
(this way your firewall rules are saved when you shut down)
- important: don't use system-config-securitylevel anymore: it will overwrite the set of rules you've just created!
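Rule numbers shift after every deletion, as the protocol 51 step above warns. The script below is an added example, not part of the original tip: it reads the listing, finds the protocol 50, protocol 51 and ipp rules by content, and prints the delete commands highest number first so that none of them is renumbered. The listing in it is a constructed sample; the esp/ah names and port 631 are included as alternate spellings of the same rules.

```shell
#!/bin/sh
# Added example, not from the original tip: a dry run that prints the
# "iptables -D" commands for the protocol 50, protocol 51 and ipp rules.
CHAIN=RH-Firewall-1-INPUT

# Reads "iptables -L --line-numbers" output on stdin, prints delete commands.
plan_deletes() {
    awk -v chain="$CHAIN" '
        $1 == "Chain" { in_chain = ($2 == chain); next }  # only look inside our chain
        !in_chain || $1 !~ /^[0-9]+$/ { next }            # skip headers and blank lines
        # Long protocol names run into the "opt" column ("ipv6-crypt--"),
        # and "-n" or another /etc/protocols shows esp/ah or 50/51 instead.
        $3 ~ /^(ipv6-crypt|esp|50|ipv6-auth|ah|51)(--)?$/ { print $1; next }
        /dpt:(ipp|631)( |$)/ { print $1 }
    ' | sort -rn | while read -r num; do
        # Highest number first: deleting rule N leaves lower-numbered rules in place.
        echo "iptables -D $CHAIN $num"
    done
}

# Constructed sample of "iptables -L --line-numbers" output (not a real capture).
sample_listing() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     icmp --  anywhere             anywhere            icmp any
3    ACCEPT     ipv6-crypt--  anywhere             anywhere
4    ACCEPT     ipv6-auth--  anywhere             anywhere
5    ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
6    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
7    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
8    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
EOF
}

# Dry run on the sample; on a real system: iptables -L --line-numbers | plan_deletes
sample_listing | plan_deletes
```

Review the printed commands before running them, and drop any line for a rule you still need (VPN, printer sharing).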