How to edit iptables rules

From FedoraProject

(Difference between revisions)
Jump to: navigation, search
(List rules: hope you dont mind if i help ;) if so, let me know)
(Fix some errors, improve instructions, add gui list, add flush iptables rules.)
Line 1: Line 1:
In this how to we will learn three differents way to edit IPtables rules :
+
In this how to, we will learn three differents way to edit IPtables rules :
  
 
* '''CLI :''' iptables command and his config file /etc/sysconfig/iptables.
 
* '''CLI :''' iptables command and his config file /etc/sysconfig/iptables.
Line 7: Line 7:
 
It is not an how to about making elaborates rules with iptables, we only use iptables on a basic way.
 
It is not an how to about making elaborates rules with iptables, we only use iptables on a basic way.
  
Let's go.
 
 
__TOC__
 
__TOC__
 
== CLI ==
 
== CLI ==
Line 43: Line 42:
 
target    prot opt source              destination </pre>
 
target    prot opt source              destination </pre>
  
First thing to know, the rules apply in order of appearance and exit if there is a match. So, if we have a rule that reject ssh connections then after another rules allowing ssh then once the reject rule is reached, the packets exit and apply the reject rule but never reached the accept rule.
+
Rules apply in order of appearance and exit if there is a match. So, if a rule that reject ssh connections is created then after another rule allowing ssh then once the reject rule is reached, the packets exit and apply reject rule but never reached accept rule.
So with that in mind, we can edit iptables rules.
+
  
 
==== Append a rule ====
 
==== Append a rule ====
  
This is add a rule at the end of the specified chain of iptables :
+
This add a rule at the end of the specified chain of iptables :
 +
 
 
<pre>[root@server ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
 
<pre>[root@server ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
 
[root@server ~]# iptables -L
 
[root@server ~]# iptables -L
Line 65: Line 64:
 
target    prot opt source              destination </pre>
 
target    prot opt source              destination </pre>
  
Notice the last line in chain INPUT. There are now 5 rules in that chain. Let's delete the last one for recreate on the top of the same chain.
+
Notice the last line in chain INPUT. There are now 5 rules in that chain.
  
 
==== Delete rules ====
 
==== Delete rules ====
Line 88: Line 87:
 
==== Insert rules ====
 
==== Insert rules ====
  
Now, recreate rule at top position:
+
Create a rule at top position:
  
 
<pre>[root@server ~]# iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
 
<pre>[root@server ~]# iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
Line 106: Line 105:
 
target    prot opt source              destination </pre>
 
target    prot opt source              destination </pre>
  
{{admon/note|Note| The number append after the name's chain. As we say that we insert the rule at the top, we must insert it '''before''' the first. So, you want to insert this rules '''before''' the third rule you as to change this number to 3. Simple isn't it!}}
+
Number supplied after chain name is needed to know '''before''' which existing rule, the new rule is inserted. So, if you want to insert this rules '''before''' the third rule you as to change this number to 3.
  
 
==== Replace a rule ====
 
==== Replace a rule ====
  
For the next, we replace a rules already existing. The rules about the http server is pretty wide for acceptance. Restrict a little more this rule by only allow a specific network 192.168.0.0/24 :
+
The rules about the http server is pretty wide for acceptance. Restrict a little more this rule by only allow a specific network 192.168.0.0/24 :
  
 
<pre>[root@server ~]# iptables -R INPUT 1 -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT
 
<pre>[root@server ~]# iptables -R INPUT 1 -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT
Line 128: Line 127:
 
target    prot opt source              destination </pre>
 
target    prot opt source              destination </pre>
  
So, summarize, we now know how to :  
+
==== Flush rules ====
* append
+
 
<pre>iptables -A <chain></pre>
+
To clear out iptables rules use '''--flush''', '''-F''' option :
* insert
+
 
<pre>iptables -I <chain> <rule_position></pre>
+
<pre>iptables -F <chain></pre>
* replace
+
 
<pre>iptables -R <chain> <rule_position></pre>
+
'''<chain>''' is optionnal. Without it, all chains are flushed.
* delete
+
 
<pre>iptables -D <chain> <rule_position></pre>
+
Example to flush rules in OUTPUT chain :
 +
 
 +
<pre>[root@server ~]# iptables -F OUTPUT</pre>
 +
 
 +
{{admon/caution|Default chain policys care|Take care of chain default policy. Example if '''INPUT''' policy is '''DROP''' or '''REJECT''' and rules are flushed then all ingoing traffic will be dropped or rejected and network communication are broken.}}
  
 
=== Make changes persistant ===
 
=== Make changes persistant ===
  
Ok, when editing iptables rules with iptables command, if we reboot the pc then we loose rules that we make. So we have to save them!
+
When editing iptables rules with iptables command, if there is a reboot then changes in rules are lost.
  
 
Happily, iptables comes with two useful utilities : iptables-save and iptables-restore.
 
Happily, iptables comes with two useful utilities : iptables-save and iptables-restore.
Line 177: Line 180:
 
target    prot opt source              destination</pre>
 
target    prot opt source              destination</pre>
  
Now, we can imagine to automatize startup and stop of iptables based on a dump file restored and saved. This mechanism already exists, this what is going on when you start and stop the iptables service. At each stop of service, it saves the current state of iptables rules set on a file and each stop it restores this file.
+
At each stop of service, current state of iptables rules set is saved in a file and each start the service restores this file.
And this file is :
+
The file is located in :
  
 
* <pre>/etc/sysconfig/iptables</pre> for IPv4
 
* <pre>/etc/sysconfig/iptables</pre> for IPv4
Line 195: Line 198:
 
COMMIT <---------------------------------------------------------- Needed at each end of table definition. Commit rules in that table.
 
COMMIT <---------------------------------------------------------- Needed at each end of table definition. Commit rules in that table.
 
# Completed on Wed Dec  7 20:22:39 2011</pre>
 
# Completed on Wed Dec  7 20:22:39 2011</pre>
 +
 +
If needed, to reset packet and byte counters, use '''-Z''', '''--zero''' :
 +
 +
<pre>iptables -Z <chain> <rule_number></pre>
 +
 +
It is possible to reset only reset a single rule counter. It can be useful, if you want to know how many packets were captured for a specific rule.
  
 
== TUI/semi graphical ==
 
== TUI/semi graphical ==
  
There is two ways for managing iptables rules with textual interface, by '''setup''' and '''system-config-firewall-tui'''. When in the first choice you need to select '''firewall configuration''' and then edit rules, the second will bring directly to the edition of rules.
+
There is two ways for managing iptables rules with textual interface, by '''setup''' and '''system-config-firewall-tui'''. In the first choice you need to select '''firewall configuration''' and then edit rules, the second will bring directly to the edition of rules.
 
So, with '''setup''', select '''Firewall configuration''' :
 
So, with '''setup''', select '''Firewall configuration''' :
  
 
[[File:Firewall-tui.PNG|center|700px|setup menu utility]]
 
[[File:Firewall-tui.PNG|center|700px|setup menu utility]]
  
On the next screen, we leave Firewall enabled or we activate it if it wasn't enabled. Then we go on '''Customize''' :
+
On the next screen, leave Firewall enabled or activate it if it wasn't enabled. Then we go on '''Customize''' :
  
 
[[File:First_menu_firewall_tui.PNG|center|700px|Firewall Configuration by TUI. First screen.]]
 
[[File:First_menu_firewall_tui.PNG|center|700px|Firewall Configuration by TUI. First screen.]]
Line 212: Line 221:
  
 
[[File:Firewall_TUI_Trusted_services..PNG|center|700px|Editing trusted service with firewall tui interface.]]
 
[[File:Firewall_TUI_Trusted_services..PNG|center|700px|Editing trusted service with firewall tui interface.]]
 +
 
Now Edit other allowed ports :
 
Now Edit other allowed ports :
  
 
[[File:Firewall_TUI_other_ports.PNG|center|700px|Editing Other ports on firewall configuration by TUI interface.]]
 
[[File:Firewall_TUI_other_ports.PNG|center|700px|Editing Other ports on firewall configuration by TUI interface.]]
 +
 +
To add other ports, specify one port or a port range, and choose between '''tcp''' or '''udp''' for protocol. Port range format is '''beginningPort-endingPort'''.
 +
 +
[[File:Firewall_TUI_adding_other_ports|center|700px|Adding other ports on firewall configuration by TUI interface.]]
  
 
Select the trusted interfaces. These interfaces will become open face of network, all traffic will be allowed and the precedents rules will never match. So select an interface that face of a private network and never an interface that have to directly deal with internet.
 
Select the trusted interfaces. These interfaces will become open face of network, all traffic will be allowed and the precedents rules will never match. So select an interface that face of a private network and never an interface that have to directly deal with internet.
Line 234: Line 248:
 
[[File:Firewall_TUI_ICMP_Filter.PNG|center|700px|Firewall TUI: configuring ICMP behaviour.]]
 
[[File:Firewall_TUI_ICMP_Filter.PNG|center|700px|Firewall TUI: configuring ICMP behaviour.]]
  
Finally, you can define some custom rules. But you need to edit a file before containing your custom rules with same format than the iptables file, but without specifying the table of iptables used.
+
Finally, you can define some custom rules. But it is needed to edit a file containing your custom rules before, with same format than the iptables file, but without specifying the table of iptables used.
  
 
[[File:Firewall_TUI_Custom_Rules.PNG|center|700px|Firewall TUI: create custom rules.]]
 
[[File:Firewall_TUI_Custom_Rules.PNG|center|700px|Firewall TUI: create custom rules.]]
Line 242: Line 256:
 
[[File:Firewall_TUI_Custom_Rules_Adding.PNG|center|700px|Firewall TUI: adding a custom rules.]]
 
[[File:Firewall_TUI_Custom_Rules_Adding.PNG|center|700px|Firewall TUI: adding a custom rules.]]
  
When it's done, you can '''Close''' the interface and this bring you and first screen of firewall configuration. Select '''OK''' and you have a warning appear :
+
When it's done, '''Close''' the interface and this bring you at first screen of firewall configuration. Select '''OK''' and a warning message appear :
 +
 
 
[[File:Firewall_TUI_Warning.PNG|center|700px|Firewall TUI warning.]]
 
[[File:Firewall_TUI_Warning.PNG|center|700px|Firewall TUI warning.]]
Select '''Yes''' if the configuration that you made fits to you and exit interface, or '''No''' for came back to the firewall configuration screen.
 
  
{{admon/caution|Good to know|The configuration is saved in the file ''/etc/sysconfig/system-config-firewall'' but when click '''Apply''' file ''/etc/sysconfig/iptables'' is overwritten. So take care to use one and keep it, or keep in mind that to not be surprised.}}
+
Select '''Yes''' if the configuration you made fits to you and exit interface, or '''No''' for came back to the firewall configuration screen.
 +
 
 +
{{admon/caution|Good to know|The configuration is saved in the file ''/etc/sysconfig/system-config-firewall'' when clicking '''Apply''' then file ''/etc/sysconfig/iptables'' is overwritten.}}
  
 
== GUI ==
 
== GUI ==
 +
 +
=== Red Hat GUI configuration tool ===
  
 
GUI interface allow you exactly the same thing that TUI interface, but it is more friendly usable.
 
GUI interface allow you exactly the same thing that TUI interface, but it is more friendly usable.
Line 279: Line 297:
 
[[File:Firewall_Wizard_4.PNG|center|Firewall Wizard : configuration base?]]
 
[[File:Firewall_Wizard_4.PNG|center|Firewall Wizard : configuration base?]]
  
Now you can configure your firewall. As described earlier ''Desktop'' template enable 4 services ''IPsec'', ''mDNS'', ''IPP'' and ''SSH''. If you have services listed in '''Trusted Services''' section that you want to enabled, you just have to click on it, that's all.
+
As described earlier ''Desktop'' template enable 4 services ''IPsec'', ''mDNS'', ''IPP'' and ''SSH''. If you have services listed in '''Trusted Services''' section that you want to enabled, you just have to click on it, that's all.
You can change template by using the '''Options''' menu, in '''Load Default Configuration'''.
+
It is possible to change template by using the '''Options''' menu, in '''Load Default Configuration'''.
  
 
[[File:Firewall_Wizard_5.PNG|center|Firewall Main interface : enabled]]
 
[[File:Firewall_Wizard_5.PNG|center|Firewall Main interface : enabled]]
  
'''Other Ports''' allow you to edit custom rules if your service port wasn't in '''Trusted service'''. To begin, just click on '''Add''' button. Then you have two choices, either you choose in services list the right service or you tick '''User Defined''' and fill requested information about '''Port / Port Range''' and '''Protocol'''.
+
'''Other Ports''' allow you to edit custom rules if your service port wasn't in '''Trusted service'''. To begin, just click on '''Add''' button. Then either you choose in services list the right service or you tick '''User Defined''' and fill requested information about '''Port / Port Range''' and '''Protocol'''.
  
 
[[File:Firewall_GUI_other_ports.PNG|center|Firewall GUI : edit other ports rules.]]
 
[[File:Firewall_GUI_other_ports.PNG|center|Firewall GUI : edit other ports rules.]]
Line 290: Line 308:
 
'''Trusted Interfaces''', '''Masquerading''', '''Port Forwarding''', '''ICMP Filter''' and ''Custom Rules''' have exactly the same effect than in TUI interface.
 
'''Trusted Interfaces''', '''Masquerading''', '''Port Forwarding''', '''ICMP Filter''' and ''Custom Rules''' have exactly the same effect than in TUI interface.
  
When configuration fits to you, just clic on the '''Apply''' button.
+
When configuration fits to you, just click on the '''Apply''' button.
 +
 
 +
{{admon/caution|Good to know|The configuration is saved in the file ''/etc/sysconfig/system-config-firewall'' when clicking '''Apply''' then file ''/etc/sysconfig/iptables'' is overwritten.}}
 +
 
 +
=== Others GUI ===
  
{{admon/caution|Good to know|The configuration is saved in the file ''/etc/sysconfig/system-config-firewall'' but when click '''Apply''' file ''/etc/sysconfig/iptables'' is overwritten. So take care to use one and keep it, or keep in mind that to not be surprised.}}
+
There are others GUI available to configure iptables rules.
 +
* [[http://www.fwbuilder.org/ fwbuilder]] : very complete gui tools to configure iptables.
 +
* [[http://shorewall.net/ Shorewall]] : another very complete gui like fwbuilder.
 +
* [[http://www.turtlefirewall.com/ Turtle firewall project]] : web interface and integrated to webmin. Fits to basic usage of Iptables, can not handle all iptables options like fwbuilder
 +
* [[http://users.telenet.be/stes/ipmenu.html IPmenu]] : console based interface that allow you all iptables functionalities.

Revision as of 16:21, 26 December 2011

In this how to, we will learn three differents way to edit IPtables rules :

  • CLI : iptables command and his config file /etc/sysconfig/iptables.
  • TUI/textual interface : setup or system-config-firewall-tui
  • GUI : system-config-firewall

It is not an how to about making elaborates rules with iptables, we only use iptables on a basic way.

Contents

CLI

Hot changes in iptables rules content

This method allow you to change behaviour of your iptables firewall when is running.

Stop (medium size).png
Caution
You can break up your connection with mistakes in rules.

Read the man pages about iptables for further explanations and more sophisticated rules example.

Important.png
Superuser right needed
You must have superuser rights to launch these commands, please use sudo or su as your convenience.

List rules

Current running iptables's rules can be viewed with command
iptables -L
.
Note.png
Numeric port value
Rules listed with -L show you ports by their service name and not their number. If you want to see port's number than service name, add -n argument.
iptables -L -n
Note.png
Viewing counters
Rules listed with -L does not show rules matching counters. If you want to see rule matching counters, add -v argument.
iptables -L -v

Example of iptables rules which allow any connections established or related, icmp requests, all local traffic and finally ssh communication :

[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

Rules apply in order of appearance and exit if there is a match. So, if a rule that reject ssh connections is created then after another rule allowing ssh then once the reject rule is reached, the packets exit and apply reject rule but never reached accept rule.

Append a rule

This add a rule at the end of the specified chain of iptables :

[root@server ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

Notice the last line in chain INPUT. There are now 5 rules in that chain.

Delete rules

To delete a rule, you must known rule's position number. Example with rule created earlier that is in fifth position :

[root@server ~]# iptables -D INPUT 5
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

Insert rules

Create a rule at top position:

[root@server ~]# iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

Number supplied after chain name is needed to know before which existing rule, the new rule is inserted. So, if you want to insert this rules before the third rule you as to change this number to 3.

Replace a rule

The rules about the http server is pretty wide for acceptance. Restrict a little more this rule by only allow a specific network 192.168.0.0/24 :

[root@server ~]# iptables -R INPUT 1 -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  192.168.0.0/24       anywhere             tcp dpt:http
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

Flush rules

To clear out iptables rules use --flush, -F option :

iptables -F <chain>

<chain> is optionnal. Without it, all chains are flushed.

Example to flush rules in OUTPUT chain :

[root@server ~]# iptables -F OUTPUT
Stop (medium size).png
Default chain policys care
Take care of chain default policy. Example if INPUT policy is DROP or REJECT and rules are flushed then all ingoing traffic will be dropped or rejected and network communication are broken.

Make changes persistant

When editing iptables rules with iptables command, if there is a reboot then changes in rules are lost.

Happily, iptables comes with two useful utilities : iptables-save and iptables-restore.

  • iptables-save : print a reusable dump of current iptables rules. You have to redirect to a file like that :
[root@server ~]# iptables-save > iptables.dump 
[root@server ~]# cat iptables.dump 
# Generated by iptables-save v1.4.12 on Wed Dec  7 20:10:49 2011
*filter
:INPUT DROP [45:2307]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1571:4260654]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Wed Dec  7 20:10:49 2011
  • iptables-restore : restore a dump of rules made by iptables-save.
[root@server ~]# iptables-restore < iptables.dump 
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

At each stop of service, current state of iptables rules set is saved in a file and each start the service restores this file. The file is located in :

  • /etc/sysconfig/iptables
    for IPv4
  • /etc/sysconfig/ip6tables
    for IPv6

So, if you prefer, you can edit this file and restart the iptables service to commit the changes. The format is pretty the same than iptables command :

# Generated by iptables-save v1.4.12 on Wed Dec  7 20:22:39 2011
*filter <--------------------------------------------------------- Specify the table of the next rules
:INPUT DROP [157:36334] <----------------------------------------- This is the three chain belong to filter table, then the policy of the chain
:FORWARD ACCEPT [0:0] <------------------------------------------- and between brackets [<packet-counter>:<byte-counter>] numbers is for
:OUTPUT ACCEPT [48876:76493439] <--------------------------------- debug/informations purpose only. Leave them at their current value.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT <--------- A rule.
-A INPUT -p icmp -j ACCEPT <-------------------------------------- You just have to take all arguments
-A INPUT -i lo -j ACCEPT <---------------------------------------- of an iptables command.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT <---------------------------------------------------------- Needed at each end of table definition. Commit rules in that table.
# Completed on Wed Dec  7 20:22:39 2011

If needed, to reset packet and byte counters, use -Z, --zero :

iptables -Z <chain> <rule_number>

It is possible to reset only reset a single rule counter. It can be useful, if you want to know how many packets were captured for a specific rule.

TUI/semi graphical

There is two ways for managing iptables rules with textual interface, by setup and system-config-firewall-tui. In the first choice you need to select firewall configuration and then edit rules, the second will bring directly to the edition of rules. So, with setup, select Firewall configuration :

setup menu utility

On the next screen, leave Firewall enabled or activate it if it wasn't enabled. Then we go on Customize :

Firewall Configuration by TUI. First screen.

There is high chance that your service is part of the list of trusted services. This is basic activation of some standards services. Select what is needed and go Forward :

Note.png
Note
Trusted Services just open the port. It doesn't allow you to specify allowed sources or destination
Editing trusted service with firewall tui interface.

Now Edit other allowed ports :

Editing Other ports on firewall configuration by TUI interface.

To add other ports, specify one port or a port range, and choose between tcp or udp for protocol. Port range format is beginningPort-endingPort.

Select the trusted interfaces. These interfaces will become open face of network, all traffic will be allowed and the precedents rules will never match. So select an interface that face of a private network and never an interface that have to directly deal with internet.

Trusted interfaces.

Select interfaces to be masqueraded. Masquerading is better known as NAT (Network Address Translation), it is useful by example when your Fedora computer is used as gateway to access the internet :

Firewall TUI interface : masquerading.

Port forwarding is also known as PAT permit to reroute traffic from a port to another port

Firewall TUI interface : configuring Port Forwarding.
Firewall TUI : adding port forwarding rules.

You can define ICMP behaviour of your fedora. By default, no limitations are made but you can define rules to reject ICMP traffic, define the return error to an ICMP request, etc.

Firewall TUI: configuring ICMP behaviour.

Finally, you can define some custom rules. But it is needed to edit a file containing your custom rules before, with same format than the iptables file, but without specifying the table of iptables used.

Firewall TUI: create custom rules.

For adding custom rules you have specify the protocol between ipv4 or ipv6 and on what table add the custom rules filter, mangle or nat then the path to the file containing rules to add :

Firewall TUI: adding a custom rules.

When it's done, Close the interface and this bring you at first screen of firewall configuration. Select OK and a warning message appear :

Firewall TUI warning.

Select Yes if the configuration you made fits to you and exit interface, or No for came back to the firewall configuration screen.

Stop (medium size).png
Good to know
The configuration is saved in the file /etc/sysconfig/system-config-firewall when clicking Apply then file /etc/sysconfig/iptables is overwritten.

GUI

Red Hat GUI configuration tool

GUI interface allow you exactly the same thing that TUI interface, but it is more friendly usable.

First time you start GUI, you have a welcome message that warning you that if you have existing manual rules then this rules will be overwritten.

First time startup message

Before all, you need to Enable your firewall to use Firewall Configuration utility.

Firewall Gui startup screen

Then utility warn you that you don't have any existing configuration and want you execute the wizard. Click on Start wizard:

No firewall configuration

Click on forward :

Firewall Wizard : welcome screen

System with network access enable Firewall and System without network access disable Firewall, so select System with network access :

Firewall Wizard : network access?

Beginner allow you to modify only Trusted Services, it's fine if you use only known services like ftp, dns, http, etc but don't allow you to configure customs ports range, select Expert to have full featured Firewall Configuration utility, you can change this option later in the Options menu Main windows, in User Skill Level :

Firewall Wizard : skill?

Server template enable only ssh port on firewall configuration Desktop template enable additional ports for IPsec, Multicast DNS, Network Printing Client and SSH. For convenience select Desktop, and OK :

Firewall Wizard : configuration base?

As described earlier Desktop template enable 4 services IPsec, mDNS, IPP and SSH. If you have services listed in Trusted Services section that you want to enabled, you just have to click on it, that's all. It is possible to change template by using the Options menu, in Load Default Configuration.

Firewall Main interface : enabled

Other Ports allow you to edit custom rules if your service port wasn't in Trusted service. To begin, just click on Add button. Then either you choose in services list the right service or you tick User Defined and fill requested information about Port / Port Range and Protocol.

Firewall GUI : edit other ports rules.

'Trusted Interfaces, Masquerading, Port Forwarding, ICMP Filter and Custom Rules have exactly the same effect than in TUI interface.

When configuration fits to you, just click on the Apply button.

Stop (medium size).png
Good to know
The configuration is saved in the file /etc/sysconfig/system-config-firewall when clicking Apply then file /etc/sysconfig/iptables is overwritten.

Others GUI

There are others GUI available to configure iptables rules.

  • [fwbuilder] : very complete gui tools to configure iptables.
  • [Shorewall] : another very complete gui like fwbuilder.
  • [Turtle firewall project] : web interface and integrated to webmin. Fits to basic usage of Iptables, can not handle all iptables options like fwbuilder
  • [IPmenu] : console based interface that allow you all iptables functionalities.