Enabling firewall on a public server (i.e. a server accessible from the internet)

1) Use the system-config-securitylevel command to configure a basic firewall.
2) Do a basic ssh check (try to log in to the server from the visitor network).
3) Fine-tune the firewall settings: allow access ONLY to required ports/services.
4) chkconfig iptables on
5) Test again from the visitor network and ensure that required services are accessible and non-required services are NOT accessible.

In the following example we are opening the firewall for 22 (ssh), 4812 (archive engine), 3306 (MySQL), UDP+TCP 5064 (one IOC) and port 61616 for JMS.

  # system-config-securitylevel

Click on Apply and exit. This will create the /etc/sysconfig/iptables file.

  # service iptables start

Check ssh access from the visitor network.

Fine-tune the firewall: lock down everything except what is permitted. Do this by editing the /etc/sysconfig/iptables file.

  # cat /etc/sysconfig/iptables
  # Firewall configuration written by system-config-securitylevel
  # Manual customization of this file is not recommended.
  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  :RH-Firewall-1-INPUT - [0:0]
  -A INPUT -j RH-Firewall-1-INPUT
  -A FORWARD -j RH-Firewall-1-INPUT
  -A RH-Firewall-1-INPUT -i lo -j ACCEPT
  -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
  #-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
  #-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
  -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
  #-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
  #-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 3306 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4812 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4812 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5064 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 5064 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 61616 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 61616 -j ACCEPT
  -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Normally /etc/sysconfig/iptables-config would look like this:

  # cat /etc/sysconfig/iptables-config | grep -v "^#" | grep -v "^$"
  IPTABLES_MODULES="ip_conntrack_netbios_ns"
  IPTABLES_MODULES_UNLOAD="yes"
  IPTABLES_SAVE_ON_STOP="no"
  IPTABLES_SAVE_ON_RESTART="no"
  IPTABLES_SAVE_COUNTER="no"
  IPTABLES_STATUS_NUMERIC="yes"
  IPTABLES_STATUS_VERBOSE="no"
  IPTABLES_STATUS_LINENUMBERS="yes"

To enable iptables at boot time, issue the command:

  # chkconfig iptables on

To start iptables:

  # service iptables start

Minor issues

The “service iptables start” command won’t start iptables!

Probable cause: the /etc/sysconfig/iptables file is missing. Just for troubleshooting you can create it by issuing the command “touch /etc/sysconfig/iptables”, or you can get the file created by issuing the “system-config-securitylevel” command and selecting the defaults.
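As an added example (not part of the original page), the following POSIX sh audit lists every proto/port that an /etc/sysconfig/iptables ruleset opens and reports those not in the stated requirement, so step 3 ("allow ONLY required ports") can be checked before testing from the visitor network. The sample ruleset is constructed from the rules shown above, and the INTENDED list is an assumption taken from the page's own port list.

```shell
#!/bin/sh
# Added example, not from the original page: audit a ruleset in
# /etc/sysconfig/iptables format against the ports the server is meant
# to expose. The sample ruleset below is constructed from the page.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
*filter
:RH-Firewall-1-INPUT - [0:0]
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4812 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4812 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5064 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 5064 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 61616 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 61616 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# Ports the page says this server needs: ssh, archive engine, MySQL,
# one IOC (TCP and UDP) and JMS. Anything else open is a finding.
INTENDED="tcp/22 tcp/4812 tcp/3306 tcp/5064 udp/5064 tcp/61616"

# List every proto/port that an ACCEPT rule opens, one per line, sorted.
opened_ports() {
  grep -- '-j ACCEPT' "$1" | grep -- '--dport' |
    sed -n 's/.*-p \([a-z]*\) .*--dport \([0-9]*\).*/\1\/\2/p' | sort -u
}

# Print the opened proto/port pairs that are not in the intended list ($2).
unexpected_ports() {
  for p in $(opened_ports "$1"); do
    case " $2 " in *" $p "*) ;; *) echo "$p" ;; esac
  done
}

echo "Open but not in the stated requirement:"
unexpected_ports "$SAMPLE" "$INTENDED"
```

Run against the page's ruleset it reports udp/3306, udp/4812, udp/61616 and the udp/5353 (mDNS) rule that system-config-securitylevel added by default; each of these should either be justified or removed before step 5.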