netfilter Operation: Part Eight

Firewall Options tab in the Red Hat firewall configuration GUI.

Firewall Options tab in the Red Hat firewall configuration GUI.

While the console commands that are used to manipulate and configure netfilter are not very complicated, the can sometimes get rather lengthy. As the length of the command line grows, the chances of an accidental error increase. Alternatively, you may not like working on the command line, in which case there are a wide variety of GUI and menu-driven interfaces available for netfilter. In most cases, these menu-driven interfaces use your input to create the appropriate iptables commands, and alleviate you having to know the various switches and options to use. There are a large number of GUI interfaces available to configure your netfilter firewall. In general simpler also means less full featured, so be aware that if you are trying to create a complex ruleset, some GUIs may not have the needed functionality.

You can start the iptables GUI provided with Red Hat-based Linux distributions by navigating to System -> Administration -> Security Level and Firewall. You can also call the program directly by running system-config-securitylevel from a terminal window. While the interface looks nice, it is limited in what it can configure. Basically, all you can do with this GUI is permit or deny certain ports. Fedora Core 5 and subsequent versions of Fedora configures the INPUT and FORWARD chains to jump a custom chain named RH-Firewall-1-INPUT. There is no ability to differentiate between ports permitted in the INPUT chain or the FORWARD chain, because all rules configured through the GUI are applied to this custom chain.

Some services are pre-defined for you. Placing a check next to SSH and clicking OK and then Yes to commit the changes would create the following rule in the RH-Firewall-1-INPUT chain:

iptables -A RH-Firewall-1 INPUT -p tcp -m state –sate NEW -m tcp –dport 22 -j ACCEPT

By expanding Other ports on the Firewall Options tab, you can enter a custom port number.

Click Add, and enter the desired port number in the dialog box. Use the drop-down menu to select TCP or UDP for the protocol and click OK.

This creates a rule identical to the SSH rule. There are no other configuration options. While this interface is adequate for a home PC that isn’t running any services, it probably will not be adequate for a corporate firewall. If you need to configure access based on the interface in use or need to configure any NAT rules, you will need to use a different GUI. While you probably won’t be needing this particular GUI as a corporate firewall, it is still useful to be familiar with it if you are running any Linux systems as workstations.

External Links:

How to edit iptables rules at – includes a section on using the Red Hat GUI configuration tool

Be Sociable, Share!

Speak Your Mind


© 2013 David Zientara. All rights reserved. Privacy Policy