Setting up Firewall in CentOS 6.4

Miek asked:

I need to ask a general question about installing certain packages and the need to make iptables adjustments in CentOS. When I installed the apache package and put a simple test page in /var/www/html, it didn’t want to pull up until I actually went to iptables and added a line to open port 80. I have the same problem now with setting up ftp & vsftpd. They are being more stubborn though. I’ve added ports 20 and 21 to iptables and I was still getting refused. I stopped iptables and was able to get FileZilla to connect.

One of my coworkers told me that I should not even have to do this, that just installing the packages should take care of all the configuration settings. Is he right? Is CentOS 6.4 still so new that it has bugs?

I have reviewed a few docs on setting up vsftpd but they vary.

Help appreciated.

Here is my output from iptables:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ftp
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ftp-data
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:https
    6   725 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http
   20  1376 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
  557 91720 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 18 packets, 3833 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ftp-data
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ftp

My answer:

You’re missing a rule to accept traffic based on existing traffic (the rule that makes iptables stateful). This should be your very first rule:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

View the full question and answer on Server Fault.
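As an added example, not part of the original question or answer: a POSIX shell script that prints a minimal CentOS 6 style /etc/sysconfig/iptables with the stateful rule first, and that reports where the ESTABLISHED,RELATED rule sits among the INPUT rules of an iptables-save style dump, so a misordered ruleset like the one in the question can be spotted without loading it. The function names, the ruleset contents and the sample dump reconstructed from the question's listing are assumptions of mine, not the poster's files.

```shell
#!/bin/sh
# Added example: order check for the stateful rule in an iptables ruleset.
# Nothing here touches the live firewall; input is text in iptables-save format.

# Minimal ruleset with the ESTABLISHED,RELATED rule first. The ports opened
# (ssh, http, https, ftp control) are the ones visible in the question.
# Assumed content, not an official CentOS file.
recommended_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Constructed sample that mirrors the ordering shown in the question's
# iptables listing (service rules first, stateful rule fifth).
questioner_ruleset() {
cat <<'EOF'
*filter
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 20 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Reads a dump on stdin and prints the 1-based position of the first INPUT
# rule that accepts ESTABLISHED/RELATED traffic; prints 0 if there is none.
stateful_rule_position() {
    awk '
        /^-A INPUT / {
            n++
            if ($0 ~ /--state [A-Z,]*(ESTABLISHED|RELATED)/ && $0 ~ /-j ACCEPT/) {
                print n; found = 1; exit
            }
        }
        END { if (!found) print 0 }
    '
}

# Exit status 0 when the stateful rule is the very first INPUT rule.
stateful_rule_first() {
    [ "$(stateful_rule_position)" -eq 1 ]
}

# Usage:
#   questioner_ruleset  | stateful_rule_position   # prints 5
#   recommended_ruleset | stateful_rule_position   # prints 1
#   iptables-save       | stateful_rule_first && echo ok   # on a live CentOS 6 box
```

On a running system the same check is `iptables-save | stateful_rule_first`. One caveat for the FTP case in the question: RELATED only covers the FTP data connection when the FTP connection-tracking helper is loaded, which on CentOS 6 means listing nf_conntrack_ftp in IPTABLES_MODULES in /etc/sysconfig/iptables-config; without it the stateful rule, wherever it sits, does not recognise the data channel.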

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.