Using iptables (Netfilter) to Protect a Red Hat Enterprise Linux 3 or 4 Workstation
This page describes how to use iptables to put a host-based packet filter in front of a Red Hat Enterprise Linux 3 or 4 workstation, so that only the services you intend to expose are reachable from the network.
Outline of procedure
- Determine if the iptables kernel module is installed on your system.
- Determine if the iptables user-space package is installed on your system.
- Create the iptables configuration file.
- Start/reload the iptables chains.
- Debug your configuration until you cease to get errors.
- Confirm that iptables works as expected.
- Set up the system to start iptables at boot time.
Detailed procedure
- Determine if the iptables kernel module is installed on your system:
Run the command /sbin/modinfo ip_tables
If the error message "modinfo: ip_tables: no module by that name found" appears, iptables support is not available as a loadable module on your kernel. Either it was not compiled in at all, in which case you will need to rebuild the kernel (one of many resources describing how to do so is http://www.unixreview.com/documents/s=1237/urm0103c/0103c.htm), or it was compiled in statically rather than as a module, in which case modinfo fails but /proc/net/ip_tables_names exists once the filter table is in use. The stock Red Hat Enterprise Linux 3 and 4 kernels already support iptables, so on an unmodified system this check should simply succeed.
- Determine if the iptables user-space package is installed on your system:
Run the command /bin/rpm -q iptables
If the message "package iptables is not installed" appears, you will need to install the iptables package, which can be obtained via the Red Hat Network or from Red Hat Enterprise Linux 3 installation CD-ROM 2 under <CD_Mount_Point>/RedHat/RPMS/. Once you have the package, install it with the rpm command, e.g., /bin/rpm -ivh iptables-1.2.8-12.i386.rpm
Once both the iptables kernel module and the iptables user-space package are installed, you can continue with the configuration.
- Create the iptables configuration file:
You will need to create your iptables configuration file, /etc/sysconfig/iptables. The file holds the packet filtering rules in the same format that /sbin/iptables-save produces: one block per table (for a workstation normally just *filter), the policy for each built-in chain, the rules, and a closing COMMIT line. The iptables init script reads the file and loads it into the kernel with /sbin/iptables-restore. If you prefer to build the rules interactively with /sbin/iptables commands, /sbin/service iptables save writes the currently loaded rules into /etc/sysconfig/iptables for you.
Sample of a very basic iptables configuration file.
(Note: Save the sample iptables configuration file under the file name iptables-rhel3.rules.)
Edit the sample iptables configuration file as needed for your workstation. At a minimum, decide which inbound services (if any) must be reachable and make sure the default policy for INPUT is DROP, so that anything you did not explicitly allow is refused. Once you have finished editing, save a copy of the system's original configuration file, if one exists:
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.orig
Now install your iptables configuration file:
cp iptables-rhel3.rules /etc/sysconfig/iptables
Make sure the configuration file is owned by user root, group root:
chown root:root /etc/sysconfig/iptables
Restrict the file to read/write by user root only; the rules reveal which ports are open and which addresses are trusted, so they should not be world-readable:
chmod 600 /etc/sysconfig/iptables
- Start/reload the iptables chains:
Run the iptables startup script to load the packet filtering rules in /etc/sysconfig/iptables:
/sbin/service iptables start
If you are working over a remote SSH session, make sure the rules allow established connections and new connections to TCP port 22 before you start the service, or have console access available; a default-deny INPUT policy without those rules will cut off your session.
- Debug your configuration:
Unless you are a wizard at iptables, you will very likely have to edit /etc/sysconfig/iptables and rerun the startup script until it loads without errors. iptables-restore reports the line number of the first rule it rejects, which is usually a misspelled match option, a module that is not loaded, or a jump to a chain that was never declared with a ":CHAIN - [0:0]" line.
- Confirm that iptables works as expected:
List the currently loaded packet filtering chains, with numeric addresses and per-rule packet counters so you can see which rules are actually matching:
/sbin/iptables -L -n -v
For extra peace of mind, check the machine from another host using a port scanner such as nmap (included with Red Hat Enterprise Linux 3). Scanning from a second machine matters: a scan run on the workstation itself arrives over the loopback interface, which your rules almost certainly allow, and so tells you nothing about what the network sees.
- Set up the system to start iptables at boot time:
Once you are confident that iptables is set up correctly, configure the machine to load your packet filtering rules at boot time:
/sbin/chkconfig iptables on
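The procedure above, as an added example rather than the page's own sample file: a small shell script that writes a minimal default-deny workstation ruleset in the iptables-save format that /etc/sysconfig/iptables expects, applies the ownership and permission steps, and runs an offline structural check before anything is handed to the init script. It assumes a RHEL 3/4-era iptables with the state and limit matches, GNU stat, that SSH on TCP/22 is the only inbound service wanted, and a hypothetical staging path ./iptables-rhel3.rules.

```shell
#!/bin/sh
# Added example (not the page's own sample): generate, lock down and sanity-check
# a default-deny workstation ruleset for /etc/sysconfig/iptables.
# Assumptions: iptables with the "state" and "limit" matches (RHEL 3/4 era),
# GNU stat, SSH (tcp/22) is the only inbound service to expose.

RULES_FILE="${RULES_FILE:-./iptables-rhel3.rules}"   # assumed staging path

# Write the ruleset. INPUT defaults to DROP; loopback, replies to connections
# this host opened, ping and new SSH sessions are allowed; everything else is
# rate-limited into the log and then dropped. OUTPUT stays open (workstation).
write_rules() {
    cat > "$RULES_FILE" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 5/minute -j LOG --log-prefix "iptables drop: "
-A LOGDROP -j DROP
COMMIT
EOF
    # Root-only readable: the rules reveal open ports and trusted addresses.
    # chown is skipped quietly when the script is not run as root.
    chown root:root "$RULES_FILE" 2>/dev/null || true
    chmod 600 "$RULES_FILE"
}

# Offline structural check of a rules file: exactly one table block ending in
# COMMIT, INPUT policy is DROP, and every -j target is a built-in verdict or a
# chain declared in the file. Returns 0 when all checks pass, 1 otherwise.
check_rules() {
    awk '
        BEGIN      { tables = 0; commit = 0; bad = 0 }
        /^\*/      { tables++ }
        /^:/       { sub(/^:/, ""); chains[$1] = 1
                     if ($1 == "INPUT" && $2 != "DROP") bad++ }
        /^-A /     { for (i = 1; i < NF; i++)
                         if ($i == "-j") {
                             t = $(i + 1)
                             if (!(t in chains) && t !~ /^(ACCEPT|DROP|REJECT|LOG|RETURN)$/) bad++
                         } }
        /^COMMIT$/ { commit++ }
        END        { exit ((tables == 1 && commit == 1 && bad == 0) ? 0 : 1) }
    ' "${1:-$RULES_FILE}"
}

# Octal mode of the rules file, to confirm the chmod 600 step (GNU stat).
rules_mode() {
    stat -c '%a' "${1:-$RULES_FILE}"
}

# Usage: sh this.sh generate && cp "$RULES_FILE" /etc/sysconfig/iptables
if [ "${1:-}" = "generate" ]; then
    write_rules
    check_rules && echo "ruleset written to $RULES_FILE (mode $(rules_mode))"
fi
```

The check is deliberately conservative: it only catches the structural mistakes that make iptables-restore refuse the whole file (a missing COMMIT, a jump to an undeclared chain) and the one policy error that silently defeats the purpose of the exercise (INPUT left at ACCEPT). Match-option typos still surface only when the init script loads the file, which is why the debugging step above remains necessary.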
