It’s worth noting that iptables and firewalld are mutually exclusive; only one should be running at any one time. Therefore, if we wish to use either firewalld or iptables, we should ensure that the other service is completely stopped, disabled, and masked so that it cannot interfere.
Disable Firewalld
By default in CentOS 7 Linux, the firewalld firewall is configured to start automatically during boot. As we can only run either firewalld or iptables at any one time, we will first disable firewalld.

[root@centos7 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.

This stops firewalld from starting automatically on system boot; however, it does not stop the currently running instance of firewalld, so we do that next.

[root@centos7 ~]# systemctl stop firewalld

While firewalld will no longer start automatically at boot and is not currently running, it can still be started manually from the command line. To prevent this, we mask the service as shown below.

[root@centos7 ~]# systemctl mask firewalld
Created symlink from /etc/systemd/system/firewalld.service to /dev/null.

We are now ready to install and configure iptables.
Enable Iptables
In my default installation of CentOS 7 I already have the iptables package installed, which provides the iptables command; however, we also need to install iptables-services in order to have iptables start automatically on system boot.

[root@centos7 ~]# yum install iptables-services -y

We will now check the status of iptables. As shown below, after a clean install it is not currently running and is set to disabled, that is, it will not start automatically on system boot.

[root@centos7 ~]# systemctl status iptables
iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
Active: inactive (dead)

After the installation is complete, we will configure iptables to start automatically on system boot.

[root@centos7 ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.

Next we will start iptables, activating the firewall.

[root@centos7 ~]# systemctl start iptables

Now if we check the status of iptables, we should see that it is both actively running and enabled to start on system boot.

[root@centos7 ~]# systemctl status iptables
iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
Active: active (exited) since Tue 2016-12-27 02:54:27 PST; 1min 52s ago
Process: 44351 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Main PID: 44351 (code=exited, status=0/SUCCESS)
Dec 27 02:54:27 localhost.localdomain systemd[1]: Starting IPv4 firewall with iptables...
Dec 27 02:54:27 localhost.localdomain iptables.init[44351]: iptables: Applying firewall rules: [ OK ]
Dec 27 02:54:27 localhost.localdomain systemd[1]: Started IPv4 firewall with iptables.

You can now configure the iptables firewall as usual by modifying the /etc/sysconfig/iptables file. We can confirm this is the correct file to use by running rpm -qc against the iptables-services package we installed earlier, as this lists all default configuration files associated with the package.

[root@centos7 ~]# rpm -qc iptables-services
/etc/sysconfig/ip6tables
/etc/sysconfig/iptables

Note that you will also need to start and enable ip6tables for IPv6, as iptables only supports IPv4. Likewise, IPv6-specific firewall configuration should be set in the /etc/sysconfig/ip6tables file. Each of these files contains a default configuration that allows TCP port 22 in from any source IP address, so you don’t have to worry about locking yourself out of SSH access during the configuration. If you make any changes to either of these files, be sure to restart iptables to apply the changes.

[root@centos7 ~]# systemctl restart iptables
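As an added example that is not part of the original post, the following POSIX shell script applies the switch in the order described above and, before the final restart, checks the saved rules file for the default TCP port 22 accept rule so it never restarts into a ruleset that would drop the administrator's own SSH session. The RULES_FILE variable and the function names are my own; it assumes systemd and an installed iptables-services package.

```shell
#!/bin/sh
# Added example, not from the original post: switches a CentOS 7 host from
# firewalld to iptables in the post's order (disable, stop, mask firewalld;
# enable, start iptables) and refuses to restart iptables unless the saved
# rules still accept SSH on TCP port 22. Assumes systemd, iptables-services
# installed, and iptables-save format rules at RULES_FILE (hypothetical name).
set -u
RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"

# 0 if FILE holds an INPUT rule accepting TCP port 22 (the default rule
# shipped by iptables-services), 1 otherwise. Pure file check, no systemctl.
has_ssh_allow_rule() {
    [ -r "$1" ] || return 1
    grep -Eq '^-A INPUT .*-p tcp .*--dport (22|ssh) .*-j ACCEPT' "$1"
}

# 0 if at most one of the two services is active, 1 if both are (the
# mutual-exclusion rule the post opens with). Takes the two states as
# strings so it can be checked without a running system.
exclusive_ok() {
    if [ "$1" = active ] && [ "$2" = active ]; then return 1; fi
    return 0
}

# Change the services; only runs when the script is invoked with --apply.
switch_to_iptables() {
    systemctl disable firewalld
    systemctl stop firewalld
    systemctl mask firewalld          # also blocks manual starts
    systemctl enable iptables
    systemctl start iptables
    fw=$(systemctl is-active firewalld || true)
    ipt=$(systemctl is-active iptables || true)
    exclusive_ok "$fw" "$ipt" || { echo "both firewalls active" >&2; return 1; }
    if ! has_ssh_allow_rule "$RULES_FILE"; then
        echo "refusing to restart iptables: no SSH accept rule in $RULES_FILE" >&2
        return 1
    fi
    systemctl restart iptables
}
# Dry run against a constructed rules file (no --apply): exercises the check.
demo_check() {
    tmp=$(mktemp)
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' \
        '-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT' 'COMMIT' > "$tmp"
    if has_ssh_allow_rule "$tmp"; then echo "constructed sample: SSH rule present"; fi
    rm -f "$tmp"
}
if [ "${1:-}" = "--apply" ]; then switch_to_iptables; else demo_check; fi
```

Run it with no arguments to exercise the file check on a constructed sample; pass --apply as root to perform the actual service switch.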