In CentOS systems, iptables is a classic firewall tool. Administrators can precisely control access permissions to network services by adding, modifying, and deleting port rules. This article will systematically explain the specific methods and key points of these operations.
iptables organizes filtering policies through rule chains. The filter table is the one most commonly used for port control and contains three built-in chains: INPUT, FORWARD, and OUTPUT. Control over service ports is implemented mainly on the INPUT chain. Before starting any operation, first confirm the current firewall status and rule list. Running iptables -L -n -v displays the rules of every chain together with packet and byte counters (add --line-numbers to see each rule's position), which gives you a basis for later modifications and deletions. To check whether the firewall service is enabled, use:
systemctl status iptables
or
service iptables status
Establishing port rules depends on explicitly specifying the protocol type. Most services are based on TCP or UDP protocols, so the -p tcp or -p udp parameters must be used when adding rules. For services that require opening both TCP and UDP ports simultaneously, two separate rules must be created.
Adding a single port is the most common requirement. For example, to open the default port 80 of a web server, the command can be:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Here, -A INPUT appends a rule to the INPUT chain, --dport 80 matches destination port 80, and -j ACCEPT accepts the matching packets. To restrict access to a specific source IP, add the -s 192.168.1.100 parameter so that only that address is allowed.
When opening a contiguous range of ports, this can be efficiently achieved with a single rule. For example, to open all TCP ports between 3000 and 4000:
iptables -A INPUT -p tcp --dport 3000:4000 -j ACCEPT
This is very useful when deploying complex applications that require multiple ports.
For multiple non-contiguous ports, there are two approaches. The traditional approach is to add multiple rules one by one. A more efficient approach is to use the multiport module, for example, to open ports 22, 80, and 443 simultaneously:
iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
This method reduces the number of rules and improves firewall processing efficiency.
In a production environment, it is generally recommended to add rules to a specific position in the chain rather than simply appending them. Using:
iptables -I INPUT 3 -p tcp --dport 8080 -j ACCEPT
This inserts the rule at the third position of the INPUT chain, so it is evaluated before the rules that follow it. After opening the ports, test connectivity immediately with telnet <server IP> <port> or nc -zv <server IP> <port>.
Strictly speaking, iptables itself does not have a direct "modify" command. The standard procedure for modifying existing rules is: first delete the old rule, then add the new rule. Therefore, the ability to accurately delete rules is crucial.
There are three main methods for deleting rules. The safest way is to delete by using the complete rule description. This requires completely copying the original rule, only changing -A to -D. For example, to delete a previously added port 80 rule:
iptables -D INPUT -p tcp --dport 80 -j ACCEPT
This method avoids accidentally deleting other rules.
When the rule is complex or the complete description is unclear, you can delete it by rule number. First, use
iptables -L INPUT --line-numbers
to view the numbers of all rules in the INPUT chain, then use iptables -D INPUT rule_number to delete the specific rule. For example, iptables -D INPUT 2 will delete the second rule in the INPUT chain.
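The following POSIX shell helpers, added here as an example and not taken from the article, implement the two deletion methods just described on a constructed listing: they pick rule numbers out of iptables -L INPUT -n --line-numbers output, delete by number from highest to lowest (numbers shift after every deletion, so ascending order would remove the wrong rules), and perform the "delete then add" modification with the complete rule description. The IPTABLES variable is an assumption so the commands can be previewed without root.

```shell
#!/bin/sh
# Added example, not from the article. IPTABLES is the command to run;
# assumed to be iptables in PATH, override it to preview (see usage note).
IPTABLES="${IPTABLES:-iptables}"

# Constructed sample of "iptables -L INPUT -n --line-numbers" output.
# -n is required so ports print as numbers, not service names like "http".
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:22
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80'

# Read a listing on stdin; print the numbers of single-port rules whose
# destination port equals $1 (multiport rules print "dports" and are skipped).
rule_numbers_for_port() {
    awk -v pat="dpt:$1\$" \
        '$1 ~ /^[0-9]+$/ { for (i = 1; i <= NF; i++) if ($i ~ pat) print $1 }'
}

# Delete the given INPUT rule numbers, highest first, so that removing one
# rule does not renumber a rule that is still waiting to be deleted.
delete_rules_by_number() {
    for n in $(printf '%s\n' "$@" | sort -rn); do
        "$IPTABLES" -D INPUT "$n" || return 1
    done
}

# "Modify" a port rule the way iptables supports it: delete the old rule by
# its complete description, then add the new one. Note that -A appends, so
# the replacement ends up at the bottom of the chain rather than in the old
# position; use -I INPUT <pos> instead if the position matters.
replace_port_rule() {
    "$IPTABLES" -D INPUT -p tcp --dport "$1" -j ACCEPT || return 1
    "$IPTABLES" -A INPUT -p tcp --dport "$2" -j ACCEPT
}
```

To preview instead of changing the firewall, define a stand-in such as fake() { printf '%s\n' "$*"; } and run with IPTABLES=fake; the sample listing can be fed to the first helper with printf '%s\n' "$SAMPLE_LISTING" | rule_numbers_for_port 80.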
In complex scenarios, it may be necessary to delete all rules in batches. The iptables -F command can clear all rules in the selected chain; if no chain is specified, all chains are cleared. iptables -X deletes user-defined empty chains, and iptables -Z resets traffic counters to zero. These operations are typically used when resetting firewall rules.
In CentOS 6 and 7, iptables rules in memory are lost after a reboot and must be saved to a configuration file. In CentOS 6, the command to save is service iptables save, which writes the rules to the /etc/sysconfig/iptables file. In CentOS 7, since firewalld is used by default, using iptables requires additional steps: first, install the iptables-services package, then use
systemctl enable iptables
to enable the service, and finally save:
service iptables save
Another way to persist configurations is to use the iptables-save and iptables-restore tools. Executing
iptables-save > /etc/iptables.rules
exports the current rules to a file, which a startup script can load again with iptables-restore < /etc/iptables.rules. More commonly, the restore command is added to network initialization scripts or a cron job.
Port management should follow the principle of least privilege. For example, management ports such as SSH port 22 should restrict the source IP range:
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
Simultaneously, the default policy must be set to DROP:
iptables -P INPUT DROP
and
iptables -P FORWARD DROP
However, the OUTPUT chain is usually set to ACCEPT to ensure the server can respond normally.
The order of rules directly affects firewall behavior. iptables matches rules sequentially, stopping once the first matching rule takes effect. Therefore, specific allow rules should be placed first, followed by broad deny rules. A common mistake is placing iptables -A INPUT -j DROP before allow rules, causing all traffic to be blocked.
For scenarios requiring temporary disabling of the entire firewall, all rules can be cleared and the default policy set to ACCEPT: iptables -F, iptables -X, iptables -P INPUT ACCEPT, etc. However, a safer approach is to temporarily open ports only for specific IPs and restore them immediately after the operation.
When debugging firewall issues, detailed logs are very helpful. Adding a rule with the target -j LOG --log-prefix "IPTABLES: " records the header information of packets matching that rule in the system log. Watching /var/log/messages or journalctl -f at the same time lets you observe firewall blocking activity in real time.
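The script below, added here as an example and not part of the article, pulls the pieces above into one reviewable ruleset in iptables-save format: source-restricted SSH, multiport web ports, a port range, a LOG rule placed last, DROP policies on INPUT and FORWARD, a lint for the ordering mistake of an unconditional DROP ahead of allow rules, and atomic loading with iptables-restore into the /etc/sysconfig/iptables file. The subnet and port values are assumptions; the loopback and ESTABLISHED,RELATED rules are additions a DROP policy needs so that replies to the server's own connections are not discarded.

```shell
#!/bin/sh
# Added example, not from the article. Assumed values, override via env:
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"   # management subnet allowed to SSH
WEB_PORTS="${WEB_PORTS:-80,443}"           # public TCP ports (multiport)
APP_RANGE="${APP_RANGE:-3000:4000}"        # contiguous application port range

# Print the ruleset on stdout. Specific ACCEPT rules come first; the LOG
# target is non-terminating, so it sits last and only sees traffic that
# nothing accepted, just before the chain policy DROP discards it.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s $ADMIN_NET --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports $WEB_PORTS -j ACCEPT
-A INPUT -p tcp --dport $APP_RANGE -j ACCEPT
-A INPUT -j LOG --log-prefix "IPTABLES: "
COMMIT
EOF
}

# Read a ruleset on stdin; fail if an unconditional "-A INPUT -j DROP"
# appears before a later INPUT ACCEPT rule, which would block everything.
lint_order() {
    awk '$1 == "-A" && $2 == "INPUT" {
             if ($0 == "-A INPUT -j DROP") drop = 1
             else if ($NF == "ACCEPT" && drop) bad = 1
         }
         END { if (bad) exit 1; exit 0 }'
}

# Lint, write the file, and load it in one atomic step (requires root).
# Loading the whole file replaces the table instead of appending rules.
apply_ruleset() {
    file="${1:-/etc/sysconfig/iptables}"
    build_ruleset | lint_order || { echo "rule order error" >&2; return 1; }
    build_ruleset > "$file" && iptables-restore < "$file"
}
```

Run build_ruleset to review the file first; apply_ruleset needs root and leaves the rules in the file the iptables service restores at boot.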
In summary, iptables port management on CentOS requires a systematic workflow: starting with checking the status, accurately adding rules, modifying them by "deleting first and then adding" when necessary, carefully performing deletion operations, and finally ensuring persistent storage. The effect should be tested after each change, and the impact of rule order on the policy should be considered. These operations collectively constitute the basic guarantee of server network security.