Note! For CentOS7 , look for documentation on the new firewalld method of setting up your firewall!
The rest of this applies to CentOS 5.x and 6.x .
Many sites give information either about advanced use of iptables or beginner use of CentOS Setup to configure a firewall.
This article is for intermediate level admins who need custom iptables rules but do not want to type them interactively and risk losing everything over a typo. Nonetheless, attention to detail is key.
The basic idea is to create a custom file which will contain a few rules which can augment the default behavior of the built-in firewall setup program. There are a lot of screenshots - but - after you have configured in the name of the custom file you will be able to bypass almost all screens and quickly regenerate your rules.
As a use-case, let's say that we want to lock down ftp access to a subnet, and we want to support a small passive port range of 8021-8025. e.g. for use with vsftpd on a LAN.
Let's start with the custom iptables rules.
# cd /etc/sysconfig
Create a file - your choice on the name - to hold your custom rules.
# vi iptables_custom
Put in your iptables rules -- very carefully. This is just one example. Please watch the line breaks. Below, \ is just an indication of continuation on the next line. Do not include that in your file.
#
# custom rules
# from /etc/sysconfig/iptables_custom file
#
# FTP port 21 for local area network 209.201.224.x
-A INPUT -m state --state NEW -m tcp -p tcp -s 209.201.224.0/24 \
--dport 21 -j ACCEPT
#
# pasv port range for local area network
-A INPUT -m state --state RELATED,ESTABLISHED,NEW -m tcp -p tcp \
-s 209.201.224.0/24 --dport 8021:8025 -j ACCEPT
#
Now run the CentOS (RedHat) setup program which lets you customize the firewall configuration.
# setup
The user interface may look a little strange if you are connecting from Windows over Putty but it will work. Use [tab] to move between elements, [Enter] to select.
Select Firewall configuration , then click [Run Tool].
Use the [Customize] button to get into the configuration screens. Later, if you have modified your custom iptables file and just want to regenerate the master set of rules, just use the [Ok] button (shown below at the end of this sequence).
It is up to you to decide when you want to use the built-in firewall rules to enable access to something, and when you want to use custom rules. For this example, the built-in ftp rules are NOT selected because they are controlled in the iptables_custom file. Click [Forward]...
CentOS Firewall Setup:Trusted Services including FTP, WWW
It is very easy to grant everyone access to particular tcp ports. If you want to open a tcp port to everyone, do it here. [Forward] ...
See documentation elsewhere to decide whether you want to trust particular interfaces...
CentOS Firewall Setup: Trusted Interfaces
Again, see documentation to decide about masquerading.
Again, see documentation regarding Port Forwarding. Click [Forward].
On the next screen, you can enable PING features. This is up to you. Click [Forward].
CentOS Firewall Setup: ICMP Filter (ping, tracert)
Now we FINALLY get to the screen that lets us hook in our custom rules. This is where you indicate the exact location of your file, example, /etc/sysconfig/iptables_custom
CentOS Firewall Setup: Custom Rules File Reference
The next screen returns us to the beginning of the sequence. This is a big clue. Clicking [OK] here is what leads to the ability to make the Setup program generate a complete iptables file that *includes* your custom rules while keeping all those lovely built-in features for services that do not need customization.
Click [OK] here. (Of course if you made a mistake, click [Cancel] to bail out without writing the rules.)
CentOS Firewall Setup: [OK] leads to merge of custom rules with built-in ones
Click [Yes] if you are feeling confident.
CentOS Firewall Setup: Warning about having a new set of IPTABLES rules written to disk
After a few seconds, you should loop back to the very first screen, from which you can [Quit] setup.
IF you have made a syntax error in your custom rules, set will *not* write out a new ruleset. If you watch the screen carefully, you should be able to tell that an error occurred. Sorry, no screenshot handy for that situation.
So say that all worked and in a few hours or weeks you need some further customization of the iptables rules. All you need to do is edit /etc/sysconfig/iptables_custom and then click through a few of those Setup buttons to regenerate the master file. Very clean, fairly quick, even over Putty (telnet ssh).
The above screenshots were taken on CentOS 6.5.