+ * xref:using-aide.adoc[Checking integrity with AIDE]

+ * xref:anaconda/anaconda.adoc[Anaconda]

+ ** xref:anaconda/anaconda_distros.adoc[Anaconda-based Distributions]

+ ** xref:anaconda/anaconda_updates.adoc[Anaconda Updates]

+ ** xref:anaconda/anaconda_logging.adoc[Anaconda Logging]

+ ** xref:anaconda/anaconda_product_image.adoc[Anaconda Product Image]

+ * xref:getting-started-with-apache-http-server.adoc[Getting started with Apache HTTP Server]

+ * xref:finding-and-installing-linux-applications.adoc[Finding and installing Linux applications]

+ * xref:installing-chromium-or-google-chrome-browsers.adoc[Installing Chromium or Google Chrome browsers]

+ * xref:switching-desktop-environments.adoc[Switching desktop environments]

+ * xref:fedora-and-red-hat-enterprise-linux.adoc[Difference between Fedora and Red Hat Enterprise Linux]

+ * xref:dnf.adoc[Using the DNF software package manager]

+ * xref:dnf-system-upgrade.adoc[Upgrading Fedora using the DNF system upgrade]

+ * xref:securing-the-system-by-keeping-it-up-to-date.adoc[Securing the system by keeping it up-to-date]

+ * xref:upgrading.adoc[Upgrading to a new release of Fedora]

+ * xref:firewalld.adoc[Controlling network traffic with firewalld]

+ * xref:iptables/overview.adoc[How to edit iptables rules]

+ ** xref:iptables/cli.adoc[Command Line Interface]

+ ** xref:iptables/tui.adoc[Text-based Interface]

+ ** xref:iptables/gui.adoc[Graphical User Interface]

+ * xref:using-adobe-flash.adoc[Using Adobe Flash]

+ * xref:adding-new-fonts-fedora.adoc[Adding new fonts in Fedora]

+ * xref:create-gpg-keys.adoc[Creating GPG Keys]

+ * xref:bootloading-with-grub2.adoc[Bootloading with GRUB2]

+ * xref:creating-and-using-a-live-installation-image.adoc[Creating and using a live installation image]

+ * xref:installing-java.adoc[Installing Java]

+ == Command Line Interface

+ === Changes to iptables Rules

+ The following procedures allow for changes in the behaviour of the firewall

+ while it is running. It is important to understand that every change

+ is applied immediately.

+ Read the man pages (`man iptables`) for further explanations

+ and more sophisticated examples.

+ Currently running iptables rules can be viewed with the command:

+ # iptables -L

+ The following example shows four rules. These rules permit

+ established or related connections, any ICMP traffic, any local traffic as

+ well as incoming connections on port 22. Please note that the output has

+ no indication that the third rule applies only to local traffic. Therefore

+ you might want to add the `-v` option. This will reveal that the rule only

+ applies to traffic on the loopback interface.

+ Also remember that rules are applied in order of appearance and that after the

+ first match, no further rules are considered (there are exceptions, please refer

+ to the man pages for details). For example, in case there is a rule rejecting

+ ssh connections and subsequently a second rule permitting ssh connections, the

+ first rule would be applied to incoming ssh connections while the latter would

+ never be evaluated.

+ The following adds a rule at the end of the specified chain of iptables:

+ Notice the last line in the INPUT chain. There are now five rules.

+ To delete a rule you need to know its position in the chain. The following will

+ delete the rule from the previous example. To do so, the rule in the fifth

+ position has to be deleted:

+ You can also insert rules at a specific position. To insert a rule at the top

+ (i.e. first) position, use:

+ The number given after the chain name indicates the position of your new rule

+ *after* the insertion. So, for example, if you want to insert a rule at the

+ third position, you specify the number 3. Afterwards your new rule is at

+ position 3, while the old rule from position 3 is now shifted to position 4.

+ Rules may be specified to replace existing rules in the chain.

+ In the previous example, the first rule grants access to tcp port 80 from

+ any source. To restrict the access to sources within a local net, the following

+ command replaces the first rule:

+ To flush or clear all iptables rules, use the `--flush`, `-F` option:

+ # iptables -F <chain>

+ Specifying a chain is optional. Without a given chain, all chains

+ are flushed. Remember that the new rule set is immediately active.

+ Depending on the default policies, you might loose access to a remote machine

+ by flushing the rules.

+ To flush all rules in the OUTPUT chain use:

+ # iptables -F OUTPUT

+ All changes to iptables rules using the CLI commands will be lost upon system

+ reboot. However, `iptables` comes with two useful utilities:

+ `iptables-save` and `iptables-restore`.

+ `iptables-save` prints a dump of current rule set to *stdout*. This may be

+  redirected to a file:

+ Use `iptables-restore` to restore a dump of rules made by `iptables-save`.

+ changed by setting `IPTABLES_SAVE_ON_STOP="yes"` or

+ `IPTABLES_SAVE_ON_RESTART="yes"` in `/etc/sysconfig/iptables-config`. If

+ these values are set, the configuration will be automatically dumped to

+ `/etc/sysconfig/iptables` and `/etc/sysconfig/ip6tables` for IPv4 and IPv6

+ respectively.

+ If you prefer, you may edit these files directly. Restart the iptables

+ service or restore the rules to apply your changes. The rules are in the same

+ format as you would specify them on the command line:

+ *filter

+ :INPUT DROP [157:36334]

+ :FORWARD ACCEPT [0:0]

+ :OUTPUT ACCEPT [48876:76493439]

+ -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

+ -A INPUT -p icmp -j ACCEPT

+ -A INPUT -i lo -j ACCEPT

+ COMMIT

+ The numbers in brackets are counters and usually you don't have to mangle them.

+ If needed, you can reset packet and byte counters using the `-Z` or `--zero`

+ option:

+ # iptables -Z <chain> <rule_number>

+ It is possible to reset only a single rule counter. This might become handy

+  if you want to know how many packets were captured for a specific rule. 

+ == Graphical User Interface

+ 

+ There are several graphical user interfaces available to configure iptables.

+ 

+ * link:http://www.fwbuilder.org/_fwbuilder[fwbuilder]: Very complete GUI tools

+  to configure iptables.

+ * link:http://shorewall.net/_Shorewall[Shorewall]: Another very complete GUI

+ like fwbuilder.

+ * link:http://www.turtlefirewall.com/_Turtle_firewall_project[Turtle firewall

+ project]: Web interface and integrated to webmin. But it can not handle all

+ iptables options.

+ * link:http://users.telenet.be/stes/ipmenu.html_IPmenu[IPmenu] :A console based

+ interface that covers all iptables functionality.

+ 

+ The following section describes yet another frontend: `system-config-firewall`.

+ 

+ === system-config-firewall

+ 

+ The GUI interface is similar to the text based interface just more friendly.

+ 

+ The first time you start the GUI you will receive a warning. The program will

+ *not* load your custom configuration. So any preexisting rules will be

+ overwritten.

+ 

+ image:Firewall_GUI_First_Time_Startup.PNG[First time

+ startup message,title="fig:First time startup message"]

+ 

+ Before you start, you have to enable your firewall to activate the

+ configuration utility.

+ 

+ image:FireWwall_GUI_startup.PNG[Firewall Gui startup

+ screen,title="Firewall Gui startup screen"]

+ 

+ The initial configuration is empty and will not allow any network traffic.

+ 

+ image:No_configuration.PNG[No firewall

+ configuration,title="No firewall configuration"]

+ 

+ You can ignore the warning and start the wizard. Click _forward_:

+ 

+ image:Firewall_Wizard.PNG[Firewall Wizard : welcome

+ screen,title="Firewall Wizard : welcome screen"]

+ 

+ Choose _System with network access_ to enable the firewall. The other option

+ _System without network access_ would disable the firewall and don't allow

+ access to any network.

+ 

+ image:Firewall_Wizard_2.PNG[Firewall Wizard : network

+ access?,title="Firewall Wizard : network access?"]

+ 

+ Next, you have to choose your skill level. The *Beginner* options only

+ allows the configuration of _trusted services_. This option is fine if you only

+ want to use services like _ftp_, _dns_, _http_, etc. It does not allow you to

+ configure customs port ranges.  If you select *Expert*, you will have access to

+ firewall options. You can change the skill level later via _Options_ in the

+ main window.

+ 

+ image:Firewall_Wizard_3.PNG[Firewall Wizard :

+ skill?,title="Firewall Wizard : skill?"]

+ 

+ You can choose from a set of default configurations to start with. The *Server*

+ template will only enable SSH on the firewall. The _desktop template_ enables

+ additional ports (_IPsec_, _multicast DNS_, _Network Printing Client_ and

+ _SSH_). For convenience select *Desktop* and continue:

+ 

+ image:Firewall_Wizard_4.PNG[Firewall Wizard : configuration

+ base?,title="Firewall Wizard : configuration base?"]

+ 

+ To enable additional _trusted services_ just choose the services from the list.

+ 

+ image:Firewall_Wizard_5.PNG[Firewall Main interface :

+ enabled,title="Firewall Main interface : enabled"]

+ 

+ You can add custom rules after choosing *Other ports* from the side bar. Click

+ the *Add* button and either choose form services list on the right or tick

+ *User Defined* and fill in the requested information.

+ 

+ image:Firewall_GUI_other_ports.PNG[Firewall GUI : edit other ports

+ rules.,title="Firewall GUI : edit other ports rules."]

+ 

+ The other options in the sidebar *Trusted Interfaces*, *Masquerading*, *Port

+ Forwarding* and so on work exactly as in the text based interface.

+ 

+ When you finished the configuration, click *Apply* to save and activate the

+ firewall. 

+ = How to edit iptables rules

+ 

+ In this how-to, we will illustrate three ways of editing iptables rules, via:

+ 

+ * xref:iptables/cli.adoc[Command line interface] (CLI) `iptables` and system configuration file

+ `/etc/sysconfig/iptables`.

+ * xref:iptables/tui.adoc[Text-based interfaces] (TUI) `setup` or `system-config-firewall-tui`

+ * xref:iptables/gui.adoc[Graphical user interface](GUI) `system-config-firewall`

+ 

+ NOTE: This how-to illustrates editing existing iptables rules, not the

+ initial creation of rules chains. 

+ == Text-based User Interface

+ 

+ There are two ways to manage iptables rules using a text-based user

+ interface. These are `setup` and `system-config-firewall-tui`. If you start

+ `setup`, you will see something similar to the following:

+ 

+ image:Firewall-tui.PNG[setup menu

+ utility,title="setup menu utility",width=700]

+ 

+ If you select "Firewall configuration" you will see the screen below. You could

+ also invoke `system-config-firewall-tui`. This will take you directly to the

+ same screen. Make sure that "Firewall" is enabled, otherwise you cannot edit its

+ rule set. Continue by selecting "Customize":

+ 

+ image:First_menu_firewall_tui.PNG[Firewall Configuration by TUI. First

+ screen.,title="Firewall Configuration by TUI. First screen.",width=700]

+ 

+ There is a good chance, that a service you want to modify is part of the

+ list of standard "trusted services". Select the services you want to

+ trust (i.e. open their ports) and press "Forward". (This has to be read as

+ "next", it has nothing to do with port forwarding):

+ 

+ image:Firewall_TUI_Trusted_services.PNG[Editing trusted service with

+ firewall tui

+ interface.,title="Editing trusted service with firewall tui interface.",width=700]

+ 

+ The "Other ports" menu lets you open additional ports which are not in the list

+ of standard trusted services:

+ 

+ image:Firewall_TUI_other_ports.PNG[Editing Other ports on firewall

+ configuration by TUI

+ interface.,title="Editing Other ports on firewall configuration by TUI interface.",width=700]

+ 

+ To add other ports, specify one port or a port range. Choose between

+ _tcp_ and _udp_ for the protocol. The port range format is: _beginningPort

+ - endingPort_.

+ 

+ The "Trusted interfaces" menu allows you to trust all traffic on a network

+ interface. All traffic will be allowed and the port filtering rules will

+ never apply. You should only select interfaces which face private

+ networks. Never trust an interface that deals with traffic from networks which

+ are not under your full control.

+ 

+ image:Firewall_TUI_trusted_interfaces.PNG[Trusted

+ interfaces.,title="Trusted interfaces.",width=700]

+ 

+ The masquerading menu lets you select an interface to be masqueraded.

+ Masquerading is better known as

+ *http://en.wikipedia.org/wiki/Network_address_translation[NAT]* (Network

+ Address Translation). It is useful, to setup your computer as a gateway

+ between different networks:

+ 

+ image:Firewall_TUI_masquerading.PNG[Firewall TUI interface :

+ masquerading.,title="Firewall TUI interface : masquerading.",width=700]

+ 

+ Port forwarding, also known as

+ *http://en.wikipedia.org/wiki/Network_address_translation#Port_address_translation[PAT]*

+ (Port Address Translation), permits traffic from one port to be "rerouted" to

+ another port.

+ 

+ image:Firewall_TUI_Port_Forwarding.PNG[Firewall TUI interface :

+ configuring Port

+ Forwarding.,title="Firewall TUI interface : configuring Port Forwarding.",width=700]

+ 

+ You have to specify source and destination, as well as the interface and protocol

+ accordingly:

+ 

+ image:Firewall_TUI_Port_Forwarding_Adding.PNG[Firewall TUI : adding port

+ forwarding

+ rules.,title="Firewall TUI : adding port forwarding rules.",width=700]

+ 

+ The ICMP Filter menu lets you reject various types of ICMP packets. By

+ default, no limitations are made. You may define rules to reject

+ ICMP traffic, define the return type to ICMP request, etc.

+ 

+ image:Firewall_TUI_ICMP_Filter.PNG[Firewall TUI: configuring ICMP

+ behaviour.,title="Firewall TUI: configuring ICMP behaviour.",width=700]

+ 

+ Finally, you can add custom firewall rules. These must be prepared ahead

+ of time in files that use the same format for the command line interface.

+ 

+ image:Firewall_TUI_Custom_Rules.PNG[Firewall TUI: create custom

+ rules.,title="Firewall TUI: create custom rules.",width=700]

+ 

+ For adding custom rules you have specify the protocol (i.e. _ipv4_ or

+ _ipv6_) and the table you want your rules add to (_filter_, _mangle_, _nat_,...)

+ and - of course - the file containing your rules:

+ 

+ image:Firewall_TUI_Custom_Rules_Adding.PNG[Firewall TUI: adding a custom

+ rules.,title="Firewall TUI: adding a custom rules.",width=700]

+ 

+ When you have completed all menus, choose "Close" to resume to the first screen.

+ Select "OK" and confirm your changes by choosing "Yes". If you choose "No" you

+ will get back the configuration screen with no changes applied to your

+ firewall.

+ 

+ image:Firewall_TUI_Warning.PNG[Firewall TUI

+ warning.,title="Firewall TUI warning.",width=700]