3. Fine tuning with iptables

The Security Level Configuration utility performs basic filter settings only. If you want more, use the iptables command.


There is a good introduction to iptables at: http://www.siliconvalleyccie.com/linux-hn/iptables-intro.htm.

In short, firewalling means examining packets, and handling them according to the rules set by the iptables command. When a packet comes in, it is matched against the INPUT chain of rules. These rules contain information on the matching packets and a command (jump) saying what to do if the packet matches. If the command says to jump to another chain of rules, the examination continues using the referred chain. If the command is ACCEPT, the examination ends, and the packet goes to the destination port. If the command is REJECT or DROP, the examination ends, and the packet is blocked or dropped.

According to the default setup in Fedora, the packets jump on to the RH-Firewall-1-INPUT chain from the INPUT and FORWARD chains. All incoming packets go through this chain. It contains ACCEPT rules for certain packets (such as trusted services), and a REJECT rule at the end, which blocks all the unwanted packets. To add a new ACCEPT rule to open up a port on the firewall, use the “-I RH-Firewall-1-INPUT 1” option together with “-j ACCEPT”. This includes the rule in the first place in the chain.

Most of the services use TCP connections. For example: HTTP, FTP, SSH, BitTorrent, Gnutella, and Freeciv all use TCP. To open up a port for one of these you have to include an ACCEPT rule containing the port number of the service. Use “-p tcp --dport” option to specify the destination port(s) of the service. (The port may be a number or an interval.) Here is how the commands look for HTTPS (port: 443) and BitTorrent (ports: 6881-6889):

iptables -I RH-Firewall-1-INPUT 1 -p tcp --dport 443 -j ACCEPT
iptables -I RH-Firewall-1-INPUT 1 -p tcp --dport 6881:6889 -j ACCEPT

You really need this command only if you want to open up ranges of ports. For example in the case of running more BitTorrent downloader simultaneously. It is easier to open up a single port using the Security Level Configuration tool.

To keep this setup after restarting the system you have to save it to the configuration file of iptables: /etc/sysconfig/iptables. The command that does this for you is the following:

service iptables save

If you rerun system-config-securitylevel alias Security Level Configuration, it will overwrite the /etc/sysconfig/iptables file, and your modifications made outside system-config-securitylevel will be lost. So it is recommended to save the commands you have used to finetune the firewall setup, to be able to rerun them when necessary.