4.7 Configuring the System Firewall

To implement a simple, general-purpose firewall, you can use the Firewall Configuration GUI (system-config-firewall) or the text-based version of this tool (system-config-firewall-tui) to create basic packet filtering rules. To create a more complex firewall configuration, use the iptables and ip6tables utilities to configure the rules for IPv4 and IPv6.

For example, the following commands add a permanent IPv4 rule to allow incoming access to TCP port number N on a system from the local subnet:

# iptables -I INPUT -s subnet_addr/prefix_length -p tcp \
  -m state --state NEW -m tcp --dport N -j ACCEPT
# service iptables save

The commands to add a rule for a UDP port are similar:

# iptables -I INPUT -s subnet_addr/prefix_length -p udp \
  -m udp --dport N -j ACCEPT
# service iptables save

The following table lists some ports that you might need to open in the firewall to allow access to various services.

Service                         TCP Ports                          UDP Ports
DNS (name service)              53                                 53
HTTP (web service)              80                                 -
HTTPS (secure web service)      443                                -
IPP client (network printing)   -                                  631
IPP server (network printing)   631                                631
Kerberos (authentication)       88, 464, 749                       88, 464, 749
LDAP (directory service)        389                                -
LDAPS (LDAP over SSL)           636                                -
SMTP (email transport)          25                                 -
SSH (secure shell)              22                                 -
NFSv2 and NFSv3                 111, 662*, 892*, 2049, 32803*      111, 662*, 892*, 2049, 32769*
NFSv4                           2049                               -
NIS (administrative databases)  111, 834                           111, 834
OCFS2 (cluster file system)     7777                               7777
Samba                           139, 445                           137, 138

* These ports used by NFSv2 and NFSv3 are determined by settings in /etc/sysconfig/nfs for LOCKD_TCPPORT, LOCKD_UDPPORT, MOUNTD_PORT, and STATD_PORT.
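The following shell script is an added example and is not part of the Oracle guide. It turns the rule templates shown above and the port table into a small generator: given a service name from the table and a source subnet, it validates the subnet, looks up the fixed TCP and UDP ports for that service, and prints one iptables command per port in the same form as the examples (the TCP rule carries the -m state --state NEW match, the UDP rule does not). The service names (dns, http, ipp-client, ...) are this example's own labels, and the variable NFSv2/NFSv3 ports marked * in the table are deliberately left out because their values come from /etc/sysconfig/nfs on the target system.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: generate the iptables INPUT rules
# for one service and one source subnet, using the port table above.
# Output is printed rather than executed so it can be reviewed first.

service_ports() {
    # Print "tcp_ports|udp_ports" for a service name from the table.
    # An empty field means the table lists no port for that protocol.
    # Service labels are this example's own; variable NFS ports are omitted.
    case "$1" in
        dns)        echo "53|53" ;;
        http)       echo "80|" ;;
        https)      echo "443|" ;;
        ipp-client) echo "|631" ;;
        ipp-server) echo "631|631" ;;
        kerberos)   echo "88 464 749|88 464 749" ;;
        ldap)       echo "389|" ;;
        ldaps)      echo "636|" ;;
        smtp)       echo "25|" ;;
        ssh)        echo "22|" ;;
        nfsv4)      echo "2049|" ;;
        nis)        echo "111 834|111 834" ;;
        ocfs2)      echo "7777|7777" ;;
        samba)      echo "139 445|137 138" ;;
        *)          return 1 ;;
    esac
}

valid_cidr() {
    # Accept only a dotted-quad IPv4 address with a /0-/32 prefix length,
    # so a typo cannot silently turn into a rule for the wrong network.
    case "$1" in
        */*) ;;
        *)   return 1 ;;
    esac
    addr=${1%/*}
    plen=${1#*/}
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

fw_rules() {
    # fw_rules SERVICE SUBNET -> one iptables command per line on stdout.
    # Returns 1 (with a message on stderr) for an unknown service or bad subnet.
    svc=$1
    net=$2
    ports=$(service_ports "$svc") || { echo "unknown service: $svc" >&2; return 1; }
    valid_cidr "$net" || { echo "bad subnet: $net" >&2; return 1; }
    tcp=${ports%%|*}
    udp=${ports#*|}
    # TCP: only the first packet of a new connection needs to match the rule;
    # -I inserts at the head of the INPUT chain, as in the guide's examples.
    for p in $tcp; do
        echo "iptables -I INPUT -s $net -p tcp -m state --state NEW -m tcp --dport $p -j ACCEPT"
    done
    # UDP: connectionless, so no state match, matching the guide's UDP example.
    for p in $udp; do
        echo "iptables -I INPUT -s $net -p udp -m udp --dport $p -j ACCEPT"
    done
}

# Stand-alone use: sh fw_rules.sh ssh 192.168.1.0/24
if [ $# -eq 2 ]; then
    fw_rules "$1" "$2"
fi
```

Review the printed commands, then run them as root and make them permanent with service iptables save, exactly as the guide's examples do; keeping generation and execution separate is what lets a bad subnet or a mistyped service name be caught before a rule reaches the running firewall.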