system-config-firewall command. If it is not already present, it can be installed using the following command.

Running the system-config-firewall-tui command from the command line produces the top-level screen, allowing you to enable/disable the firewall. Use the space bar to toggle the setting, the tab key to navigate between buttons and the return key to click them.

iptables command. There are a vast number of parameters, so I will just focus on the elements necessary for the RHCSA exam.

INPUT: Used to check all packets coming into the system.
OUTPUT: Used to check all packets leaving the system.
FORWARD: Used to check all packets being routed by the system. Unless you are using your server as a router, this chain is unnecessary.

(ACCEPT and DROP being the most common) is taken. If no specific rule is found, the default policy is used to determine the action to take.

ACCEPT and explicitly DROP things you don't want.
DROP and explicitly ACCEPT things you do want.

DROP for the INPUT and FORWARD chains, so it is perhaps a little surprising that the GUI and TUI tools set the default policies to ACCEPT, then use an explicit REJECT as the last rule in these chains.

INPUT and FORWARD is DROP. For the OUTPUT chain I will assume any packets originating from the system are safe, so I will ACCEPT any outgoing packets.

INPUT policy of DROP will cut your session off if you get rid of the explicit rules that accept SSH access. As a result, it makes sense to start any administration by setting the default policies to ACCEPT and only switch them back to DROP once the chains have been built to your satisfaction. The following example temporarily sets the default policies to ACCEPT.

INPUT chain, we can grant access to packets in a number of ways.

The iptables command also allows you to insert (-I), delete (-D) and replace (-R) rules, but if you work using a file as described above, you never need to use these variations.
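As an added example that is not part of the original article, here is a ruleset file in the iptables-restore format (the layout used when working from a file) with the policies chosen above, plus a small shell check for the lock-out hazard described: it reports "lockout" when the INPUT policy is DROP and no ACCEPT for SSH comes before the chain's REJECT/DROP rule. The host, SSH on tcp/22, and the function names are assumptions.

```shell
# Added example, not the article's own code. Constructed ruleset in
# iptables-restore format with the policies discussed above:
# INPUT/FORWARD DROP, OUTPUT ACCEPT. Assumes SSH listens on tcp/22.
RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# The same ruleset with the SSH rule removed: loading this over SSH cuts
# your session off once the existing connection state is gone.
LOCKOUT_RULESET=$(printf '%s\n' "$RULESET" | grep -v -- '--dport 22 ')

# Commands to run first so mistakes while building the chains cannot lock you out.
temporary_open_policies() {
  printf 'iptables -P %s ACCEPT\n' INPUT FORWARD OUTPUT
}

# policy CHAIN RULESET: print the default policy of CHAIN from the ruleset text.
policy() {
  printf '%s\n' "$2" | awk -v c=":$1" '$1 == c { print $2; exit }'
}

# ssh_allowed RULESET: succeed only if an ACCEPT for tcp/22 appears in INPUT
# before any REJECT/DROP rule. Order matters: the first matching rule wins.
ssh_allowed() {
  printf '%s\n' "$1" | awk '
    $1 == "-A" && $2 == "INPUT" {
      if ($0 ~ /-p tcp/ && $0 ~ /--dport 22( |$)/ && $0 ~ /-j ACCEPT/) { found = 1; exit }
      if ($0 ~ /-j (REJECT|DROP)/) exit
    }
    END { if (found) exit 0; exit 1 }'
}

# safe_to_apply RULESET: "ok" when the INPUT policy is ACCEPT, or DROP with an
# explicit SSH accept in place; "lockout" when applying it would cut you off.
safe_to_apply() {
  if [ "$(policy INPUT "$1")" = ACCEPT ] || ssh_allowed "$1"; then
    echo ok
  else
    echo lockout
  fi
}
```

Run `temporary_open_policies` to see the policy commands to issue before editing, and `safe_to_apply "$RULESET"` (prints ok) against `safe_to_apply "$LOCKOUT_RULESET"` (prints lockout) to see the check in action.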