[Linux 文章收集] CentOS : Iptables Setup Firewall For a Web Server

來源自 這裡 
Preface: 
The default iptables configuration on CentOS or RHEL does not allow access to the HTTP (TCP PORT # 80) and HTTPS (TCP PORT # 443) ports used by the Apache web server. You can modify settings using any one of the following three methods. 

Method # 1: Edit /etc/sysconfig/iptables file (recommend for advanced users) 
Edit the IPv4 /etc/sysconfig/iptables, enter: 

# vi /etc/sysconfig/iptables # 加入下面紅色的部分

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 443 -j ACCEPT
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

# service iptables restart # Save and close the file. Restart the IPv4 iptables service.

Ps. 如果是 IPv6, 編輯 /etc/sysconfig/ip6tables 並使用命令 ip6tables 重啟. 

Method # 2: Firewall configuration GUI/TUI tool (recommend for new users) 
The sysystem-config-firewall-tui is a command line tool without having the GUI installed on the server: 
 
Select Enabled and Press Tab to select "Customization" : 

 
Scroll down/up and select SSH, WWW, Secure WWW (HTTPS) and other required ports you wish to open. Finally, select Close button. Finally, press OK button to activate new firewall settings. 

Method # 3: iptables command line utility (recommend for advanced/expert users only) 
Type the following iptables command as root user to open port 80 / 443: 

$ iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
$ iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
$ service iptables save # save newly added firewall rules 
$ iptables -L -n -v | egrep ":80|:443"
4197 5438K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:443

The following rule allows access to port 80 and 443 only to 192.168.1.0/24 

## Open port 80 and 443 for 192.168.1.0/24 subnet only ##
$ iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 80 -j ACCEPT
$ iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 443 -j ACCEPT

## save newly added firewall rules ##
$ service iptables save

## verify new firewall settings 
$ iptables -L -n -v | egrep -e ":80|:443"

Supplement: 
* HowTo Disable The Iptables Firewall in Linux 
* CentOS / Redhat Iptables Firewall Configuration Tutorial 
* Linux: 20 Iptables Examples For New SysAdmins 
* Linux Configure Firewall Using Shorewall Under RHEL / CentOS