setting up iptables

These are the steps to go from the Red Hat/Fedora Core default firewall rules to a minimal set of rules, optionally with two extra rules for Azureus.

• run system-config-securitylevel and enable the firewall. If you'd like to run an ssh server, check "SSH" as a trusted service, for example
• run iptables -L --line-numbers: this will list your current firewall rules with line numbers in front of them. We are interested in the ones in the RH-Firewall-1-INPUT chain (list)
• delete rule 3 (the one with ipv6-crypt as the protocol, also known as protocol number 50):
  iptables -D RH-Firewall-1-INPUT 3
  (unless you need it for VPN and the like)
• delete the rule with protocol ipv6-auth (also known as protocol number 51). Run iptables -L --line-numbers again to see which number the rule has now!
• delete the rule with 224.0.0.251 as the destination (unless you're running mDNSResponder, a service that makes it easier to join a network)
• delete the rule with dpt:ipp (unless you're sharing your printer on a network)
• if you'd like to add rules, for a bittorrent client like Azureus for example, first delete the last rule (the one with reject-with icmp-host-prohibited), then:
  • add these two rules:
    iptables -A RH-Firewall-1-INPUT -p udp --dport 12345 -j ACCEPT
    iptables -A RH-Firewall-1-INPUT -p tcp --dport 12345 -j ACCEPT
  • add the last rejection rule again:
    iptables -A RH-Firewall-1-INPUT -j REJECT
  • in Azureus, in Tools->Options->Connections, set the TCP and UDP listen port to 12345 (or whichever port you used in the above rules)
  • if you're using a router, for example, don't forget to open port 12345 for TCP and UDP on the router's firewall
• in the file /etc/sysconfig/iptables-config, make sure the following option is set to "yes":
  IPTABLES_SAVE_ON_STOP="yes"
  (this way your firewall rules are saved when you shutdown)
• important: don't use system-config-securitylevel anymore: it will overwrite the set of rules you've just created!