
Configuring SELinux and iptables on Red Hat/CentOS Systems

This guide explains how to permanently disable SELinux, temporarily change its mode, and provides a comprehensive tutorial on using iptables—including table concepts, basic commands, rule management, scripting, NAT configuration, and saving/restoring firewall rules—on Red Hat/CentOS Linux.


SELinux is a mandatory access control mechanism built into the Linux kernel and enabled by default on Red Hat/CentOS systems. Because its policy is restrictive and takes effort to tune, many administrators disable it. Keep in mind that this removes a layer of defense that confines a compromised service to the files and ports its policy allows; for troubleshooting, permissive mode (which logs denials without enforcing them) is usually enough. To permanently disable SELinux, edit /etc/selinux/config and set SELINUX=disabled (the file also contains comments explaining the possible values enforcing, permissive, and disabled, and the SELINUXTYPE=targeted setting). After saving the file, reboot the machine for the change to take effect.

For a temporary change, use setenforce 0 to switch to permissive mode (and setenforce 1 to return to enforcing), and verify the current state with getenforce, which prints Enforcing, Permissive, or Disabled. setenforce only toggles between enforcing and permissive: it cannot turn SELinux on when the system was booted with it disabled, and its effect does not survive a reboot.
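As an added example (not code from the original page), the following shell functions change the persistent mode in an /etc/selinux/config-style file and read it back, handling a missing or duplicated SELINUX= line, and wrap the runtime toggle described above. The file content is a constructed copy of the stock config and the path is a parameter, so the functions can be exercised on a temporary file before touching the real one.

```shell
#!/bin/sh
# Added example: manage the SELinux mode in a config file safely.
# The sample config below is constructed to mirror /etc/selinux/config.

write_sample_config() {
    cat > "$1" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF
}

# Print the mode configured in FILE (enforcing, permissive or disabled).
# Comment lines start with '#' and SELINUXTYPE= does not match 'SELINUX='.
selinux_configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# selinux_set_mode FILE MODE: rewrite FILE so exactly one SELINUX= line
# carries MODE. Returns 1 on an unknown mode so nothing bad reaches sed.
selinux_set_mode() {
    file=$1; mode=$2
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "unknown SELinux mode: $mode" >&2; return 1 ;;
    esac
    if grep -q '^[[:space:]]*SELINUX=' "$file"; then
        tmp="$file.tmp.$$"
        sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp" \
            && mv "$tmp" "$file"
    else
        echo "SELINUX=$mode" >> "$file"   # key absent: append it
    fi
}

# selinux_runtime_set 0|1: change the running mode (permissive/enforcing).
# Needs root and a booted SELinux; the persistent mode above is unaffected.
selinux_runtime_set() {
    command -v setenforce >/dev/null 2>&1 || {
        echo "setenforce not available on this host" >&2; return 1; }
    setenforce "$1" && getenforce
}
```

Running the functions against a temporary file first (write_sample_config /tmp/selinux.test; selinux_set_mode /tmp/selinux.test permissive) shows exactly what the edit does before the same call is made on /etc/selinux/config; the reboot requirement for a change to or from disabled still applies.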

iptables is the user-space tool for the Linux kernel's netfilter packet-filtering framework and the traditional firewall on CentOS. Although its full capabilities are extensive, basic usage is essential for both network and system administrators. The default CentOS installation includes a set of rules that can be listed with iptables -nvL (-n skips DNS and service-name lookups, -v adds counters, -L lists). The output shows the INPUT, FORWARD, and OUTPUT chains with per-rule packet and byte counters, targets, protocols, and interfaces.

iptables organizes rules into tables, each with its own chains; three of them cover everyday administration:

filter : the default table used for packet filtering; contains INPUT, OUTPUT, and FORWARD chains.

nat : used for network address translation; includes PREROUTING (destination NAT, before routing), POSTROUTING (source NAT and MASQUERADE, after routing), and OUTPUT chains.

mangle : used for altering packet headers and marking packets (for policy routing or QoS); rarely needed for basic administration.

Basic syntax examples:

View a specific table: iptables -t nat -nvL

Clear all rules in a table: iptables -F flushes the filter table unless -t names another (iptables -t nat -F). It removes rules only; chain policies stay as they are, so flushing while the INPUT policy is DROP leaves every incoming packet blocked.

Save the current rules: /etc/init.d/iptables save

Adding and deleting rules uses options such as -A (append), -I (insert), and -D (delete). Example to drop traffic from a host: iptables -A INPUT -s 10.72.11.12 -p tcp --sport 1234 -d 10.72.137.159 --dport 80 -j DROP . Insertion example: iptables -I INPUT -s 1.1.1.1 -j DROP . Deletion must repeat the rule exactly as it was added, with the same matches and target: iptables -D INPUT -s 1.1.1.1 -j DROP .

Common options explained:

-A/-D : add or delete a rule.

-I : insert a rule; unlike -A , which appends at the end of the chain, it goes at the top (or at the given position, e.g. -I INPUT 3 ). Rules are evaluated in order and the first match wins, so an inserted rule takes precedence over existing ones.

-p : specify protocol (tcp, udp, icmp).

--dport / --sport : destination/source ports (require -p tcp or -p udp ).

-s / -d : source/destination IP or network.

-j : target action (ACCEPT, DROP, REJECT, or a user-defined chain). DROP discards the packet silently; REJECT sends an error back to the sender.

-i : match the input network interface ( -o matches the output interface, used in OUTPUT and POSTROUTING).

To delete a specific rule by its position, first list rules with numbers using iptables -nvL --line-numbers , then delete with iptables -D INPUT 1 (where 1 is the rule number within the INPUT chain). Numbers shift after every deletion, so re-list before deleting another rule.

Default policies are set with the uppercase -P option, e.g., iptables -P INPUT DROP ; the policy applies to every packet that matches no rule in the chain. Be careful when changing the INPUT policy on a remote server: if no rule accepts your SSH session (and the replies to connections the host itself opens) before the policy becomes DROP, you lock yourself out. Add the ACCEPT rules for management traffic first, set the policy last, and keep a console or out-of-band path available.

An example script ( /usr/local/sbin/iptables.sh ) automates a typical setup:

#!/bin/bash
ipt="/sbin/iptables"
$ipt -F                                  # flush filter rules; chain policies are untouched
# loopback and replies to connections this host opened (DNS answers, yum, ...)
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH only from the management network; web and the FTP control port from anywhere
$ipt -A INPUT -s 192.168.137.0/24 -p tcp --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT
# set the policies after the ACCEPT rules exist so a remote session survives
$ipt -P INPUT DROP
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT

Running the script with sh /usr/local/sbin/iptables.sh installs the rules, which can be verified with iptables -nvL . The same tooling provides NAT for internet sharing: enable IP forwarding with echo "1" > /proc/sys/net/ipv4/ip_forward (set net.ipv4.ip_forward = 1 in /etc/sysctl.conf to keep it across reboots) and add a masquerade rule iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE , where eth0 is the external interface. Forwarded packets pass through the FORWARD chain, so the FORWARD ACCEPT policy in the script lets any forwarded traffic through; restrict it to the internal network if the host is exposed.

To persist rules across reboots, use service iptables save (which writes to /etc/sysconfig/iptables , the file the iptables service loads at boot) or save manually with iptables-save > myipt.rule and restore with iptables-restore < myipt.rule . iptables-restore replaces the tables listed in the file rather than appending to them (use -n to append), so a saved file is a complete snapshot. Stopping the service with service iptables stop clears all rules and sets the default policies to ACCEPT, which leaves the host open until rules are reloaded.
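The rule script, the NAT masquerade rule, the warning about locking yourself out with -P INPUT DROP , and the iptables-save/iptables-restore format come together in the following added example, which is not code from the original page. It writes a ruleset in the format that service iptables save stores in /etc/sysconfig/iptables , refuses to load one that would drop SSH, and loads it with a timed rollback. The network addresses, interface names, port list and the /root/iptables.rollback path are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: generate, check and load an iptables-restore ruleset.
# Constructed values: 192.168.137.0/24 (management), 192.168.1.0/24 (LAN),
# eth0 (WAN interface), /root/iptables.rollback (rollback copy).

# build_ruleset MGMT_NET WAN_IF LAN_NET PORT [PORT...]
# Writes the ruleset to stdout. The INPUT DROP policy is expressed in the
# ":INPUT DROP [0:0]" chain header; loopback and reply traffic are accepted
# before any service rule so the host can still resolve names and update.
# An empty LAN_NET produces a filter-only ruleset without the nat table.
build_ruleset() {
    mgmt=$1; wan=$2; lan=$3; shift 3
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "-A INPUT -s $mgmt -p tcp --dport 22 -j ACCEPT"
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
    if [ -n "$lan" ]; then
        # MASQUERADE rewrites the source of LAN traffic leaving on the WAN
        # interface; net.ipv4.ip_forward must be 1 for FORWARD to see packets.
        printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
        printf '%s\n' "-A POSTROUTING -s $lan -o $wan -j MASQUERADE"
        printf '%s\n' 'COMMIT'
    fi
}

# check_ruleset FILE: refuse a ruleset whose INPUT policy is DROP unless an
# explicit ACCEPT for tcp/22 exists (the remote lockout case from the text).
check_ruleset() {
    f=$1
    if grep -q '^:INPUT DROP' "$f" && ! grep -q -- '--dport 22 -j ACCEPT' "$f"; then
        echo "refusing: INPUT policy DROP with no SSH accept rule" >&2
        return 1
    fi
    return 0
}

# apply_ruleset FILE: validate, snapshot the live rules, load the new set,
# and schedule a rollback in 60 s. If the session survives, kill the timer;
# if it does not, the old rules come back on their own. Needs root.
apply_ruleset() {
    f=$1
    check_ruleset "$f" || return 1
    iptables-save > /root/iptables.rollback
    iptables-restore < "$f"
    ( sleep 60 && iptables-restore < /root/iptables.rollback ) &
    echo "rules loaded; run 'kill $!' within 60 s to keep them"
}
```

A typical run is build_ruleset 192.168.137.0/24 eth0 192.168.1.0/24 80 21 > /root/new.rules followed by apply_ruleset /root/new.rules; once the SSH session is confirmed alive and the timer killed, service iptables save records the loaded set in /etc/sysconfig/iptables .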

Written by

Practical DevOps Architecture

Hands‑on DevOps operations using Docker, K8s, Jenkins, and Ansible—empowering ops professionals to grow together through sharing, discussion, knowledge consolidation, and continuous improvement.
