24.9.6 Configuring a Packet-filtering Firewall

You can configure the Netfilter feature to act as a packet-filtering firewall that uses rules to determine whether network packets are received, dropped, or forwarded.

The primary interfaces for configuring the packet-filter rules are the iptables and ip6tables utilities and the Firewall Configuration Tool GUI (system-config-firewall). By default, the rules should drop any packets that are not destined for a service that the server hosts or that originate from networks other than those to which you want to allow access.

In addition, Netfilter provides Network Address Translation (NAT) to hide IP addresses behind a public IP address, and IP masquerading to alter IP header information for routed packets. You can also set rule-based packet logging and define a dedicated log file in /etc/syslog.conf.

For more information, see Section 24.3, “About Packet-filtering Firewalls”.