===== Iptables =====

We will remove firewalld and use iptables instead. However, we will not activate it now.

<code bash>
yum install iptables-services
systemctl disable firewalld.service
systemctl stop firewalld.service
systemctl enable iptables.service
systemctl enable ip6tables.service
systemctl start iptables.service
systemctl start ip6tables.service
</code>

Now save the current iptables state, in case you need to restore it:

<code bash>
mkdir /etc/iptables
chmod -R 700 /etc/iptables
iptables-save > /etc/iptables/iptables.default
ip6tables-save > /etc/iptables/ip6tables.default
chmod 400 /etc/iptables/iptables.default
chmod 400 /etc/iptables/ip6tables.default
</code>

We will block everything and open the ssh port (22) on the second interface. IPv6 will not be used, so we block everything on it. For the repository server, we will open port 21 on the first interface and set up passive mode for FTP.

Rules are interpreted in order: the accept rule for ssh must come before the "reject all" rule, otherwise the reject matches first and you lock yourself out.

Create the file **/etc/iptables/iptables.prod**:

<code>
*filter

# Allow ping
-A INPUT -p icmp -j ACCEPT

# Allow all loopback (lo0)
-A INPUT -i lo -j ACCEPT

# Allow inbound traffic from established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow SSH connections on second interface (admin ssh)
-A INPUT -p tcp -m state -i enp0s8 --state NEW --dport 22 -j ACCEPT

# Allow FTP passive connections on first interface (repositories and pxe)
-A INPUT -p tcp -m state -i enp0s3 --state NEW --dport 21 -j ACCEPT
-A INPUT -i enp0s3 -p tcp -m tcp --dport 1024:65535 -m helper --helper ftp -m conntrack --ctstate RELATED -j ACCEPT

# Log incoming requests (optional) and reject all inbound
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
-A INPUT -j REJECT

# Log forwarding requests (optional) and reject all forwarding
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7
-A FORWARD -j REJECT

COMMIT
</code>

And **/etc/iptables/ip6tables.prod**:

<code>
*filter

# Reject all IPv6
-A INPUT -j REJECT
-A FORWARD -j REJECT
-A OUTPUT -j REJECT

COMMIT
</code>

We can now configure iptables to use these rules:

<code bash>
iptables-restore < /etc/iptables/iptables.prod
ip6tables-restore < /etc/iptables/ip6tables.prod
service iptables save
service ip6tables save
</code>

Firewall rules are saved to **/etc/sysconfig/iptables** and **/etc/sysconfig/ip6tables**. More details can be found here: https://www.linode.com/docs/security/securing-your-server

It is configured. But for now, let's deactivate it; you will be able to activate it later (optional).

<code bash>
systemctl disable iptables.service
systemctl disable ip6tables.service
systemctl stop iptables.service
systemctl stop ip6tables.service
</code>

==== Repository iptables ====

Important: This part must be done __**after**__ the [[http://www.spheniscus.brennik.fr/doku.php/system/linux_cluster/core_setup#iptables|Iptables]] part of this tutorial. I put it here just to organize the page by services.

Now, for the ftp rule to work, we need to load the module nf_conntrack_ftp, using:

<code bash>
modprobe nf_conntrack_ftp
</code>

Let's make it permanent. cd to **/etc/sysconfig/modules/** and create a new file **nf_conntrack_ftp.modules**:

<code bash>
#!/bin/sh
exec /sbin/modprobe nf_conntrack_ftp
</code>

The script must be executable (chmod 755), otherwise it is skipped at boot. You can check after a reboot the presence of the module using **lsmod**:

<code>
# lsmod
[...]
nf_conntrack 105702 4 xt_helper,xt_conntrack,nf_conntrack_ftp,nf_conntrack_ipv4
[...]
</code>

==== Dhcp iptables ====

You can now generate iptables, and do not forget to open the dhcp ports in iptables, by adding this line under the ssh line:

<code>
# Allow DHCP connections on first interface
-A INPUT -p udp -m state -i enp0s3 --state NEW --dport 67:68 --sport 67:68 -j ACCEPT
</code>

Save the new rules into iptables and start the service.

==== DNS iptables ====

You can now generate iptables, and do not forget to open the dns port in iptables, by adding this line under the ssh line:

<code>
# Allow DNS connections on first interface
# (no --sport restriction: resolvers send queries from random ephemeral ports, not from port 53)
-A INPUT -p udp -m state -i enp0s3 --state NEW --dport 53 -j ACCEPT
</code>

Save the new rules into iptables and start the service.

==== PXE iptables ====

Do not forget to open the pxe (TFTP) port in iptables, by adding this line under the ssh line:

<code>
# Allow TFTP connections on first interface
-A INPUT -p udp -m state -i enp0s3 --state NEW --dport 69 -j ACCEPT
</code>

==== NTP iptables ====

These are given as live iptables commands; to keep them across a restart, add the equivalent lines to the rules file and save as above.

<code bash>
iptables -A INPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p udp --sport 123 -j ACCEPT
</code>
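Every service section above adds an ACCEPT line "under the ssh line", and the Iptables section warns that rules are interpreted in order. This added check (not part of the original tutorial) lints a rules file before you restore it: it fails if any ''-A INPUT ... -j ACCEPT'' is placed after the catch-all ''-A INPUT -j REJECT'', where it would never match. The sample files are constructed here for a stand-alone run; point the function at /etc/iptables/iptables.prod in practice.

```shell
#!/bin/sh
# Lint an iptables-restore rules file: every INPUT ACCEPT must precede the
# first catch-all "-A INPUT -j REJECT", or the reject shadows it (e.g. ssh lockout).
# Returns 0 when the order is correct, 1 otherwise, and prints the offending lines.
check_input_order() {
    awk '
        /^-A INPUT -j REJECT/ && !reject { reject = NR }
        /^-A INPUT .* -j ACCEPT/ && reject {
            printf "line %d: ACCEPT after catch-all REJECT at line %d: %s\n", NR, reject, $0
            bad = 1
        }
        END {
            if (!reject) { print "no catch-all \"-A INPUT -j REJECT\" found"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# Constructed sample rules files (not from the tutorial) for a stand-alone run.
good=$(mktemp); bad=$(mktemp)
trap 'rm -f "$good" "$bad"' EXIT
cat > "$good" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state -i enp0s8 --state NEW --dport 22 -j ACCEPT
-A INPUT -p udp -m state -i enp0s3 --state NEW --dport 69 -j ACCEPT
-A INPUT -j REJECT
COMMIT
EOF
cat > "$bad" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT
-A INPUT -p tcp -m state -i enp0s8 --state NEW --dport 22 -j ACCEPT
COMMIT
EOF

check_input_order "$good" && echo "order OK: $good"
check_input_order "$bad" || echo "order WRONG: $bad"
```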