Lampros - Weird Bricks

CentOS 7 - where did my iptables go ?

25 March, 2017 | CentOS

Let me make something clear. I'm not a fan of systemd. I'm learning how to use it but I don't like it still. 

So check this weirdness out. CentOS 7 comes with the iptables command in a default installation:

cat /etc/redhat-release 
CentOS Linux release 7.2.1511 (Core)

Here's iptables - installed already:

iptables --version
iptables v1.4.21

You can view the iptables ruleset in the usual way:

iptables -L -n -v --line-numbers
Chain INPUT (policy ACCEPT 1934 packets, 10M bytes)
num pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1562 packets, 113K bytes)
num pkts bytes target prot opt in out source destination

But you can't start it:

systemctl start iptables
Failed to start iptables.service: Unit iptables.service failed to load: No such file or directory.

I have no idea how this makes sense, but it appears that there is now a new kid on the block called firewalld. I figured firewalld was a brand-new firewall implementation, but it turns out it's just a frontend for everything else. From Wikipedia: https://en.wikipedia.org/wiki/FirewallD.

I quote:

"FirewallD is a firewall management tool for Linux operating systems. It provides firewall features by acting as a front-end for the iptables packet filtering system provided by the Linux kernel.[2] The name firewalld adheres to the Unix convention of naming system daemons by appending the letter “d”.[3]"

Since I'm more familiar with iptables, the idea of learning a new frontend doesn't sit well with me, so as you can imagine I wanted to switch to the "classic" iptables as soon as possible.

Google to the rescue: StackOverflow has an excellent answer on how to do this. I shamelessly copy-pasted it here so I have it handy for future reference.

All credit for this goes to: http://stackoverflow.com/a/24827438

"It is possible to go back to a more classic iptables setup. First, stop and mask the firewalld service:

systemctl stop firewalld
systemctl mask firewalld

Then, install the iptables-services package:

yum -y install iptables-services

Enable the service at boot-time:

systemctl enable iptables

Managing the service

systemctl [stop|start|restart] iptables

Saving your firewall rules can be done as follows:

service iptables save

or

/usr/libexec/iptables/iptables.init save
"

OK - this works great. Just don't forget to do the same for ip6tables!

systemctl enable ip6tables

Where are the config files?

I'm sure I'll forget this later - in case you're looking for the actual iptables configuration files they're here:

IPv4: /etc/sysconfig/iptables

IPv6: /etc/sysconfig/ip6tables

One more thing before you close this page!

Once you install the iptables-services package and have run systemctl enable iptables, you do get a default firewall on the next reboot! So if, say, you are using a custom SSH port, you need to update your configuration files to allow access first, otherwise you will find yourself locked out!

To be verbose, this is what I got after a reboot:

iptables -L -n -v --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 64 8719 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 1 84 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 1 80 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 23 1380 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 6 943 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 98 packets, 9423 bytes)
num pkts bytes target prot opt in out source destination
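To avoid exactly that lockout, here is an added example (my own script, not from the StackOverflow answer) that reads the port from sshd_config and checks whether the iptables-services ruleset file accepts new TCP connections to it before the catch-all REJECT. The file paths are assumptions, and the sample ruleset below is a constructed, abridged copy of the default rules shown in the listing above.

```shell
#!/bin/sh
# Added example (not from the post): before "systemctl enable iptables", check
# that the iptables-services ruleset (iptables-save format, /etc/sysconfig/iptables)
# accepts new TCP connections to the port sshd listens on. Paths are assumptions;
# on a real host run: check_ssh_rule /etc/sysconfig/iptables /etc/ssh/sshd_config

# Port sshd listens on: first uncommented "Port N" line, default 22.
sshd_port() {
    port=$(sed -n 's/^[[:space:]]*Port[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    echo "${port:-22}"
}

# 0 if INPUT accepts tcp dport $2 before its first catch-all REJECT/DROP
# (a rule placed after the catch-all is never reached), else 1.
ssh_port_allowed() {
    awk -v port="$2" '
        /^-A INPUT/ {
            if ($0 ~ /-p tcp/ && $0 ~ ("--dport " port "($| )") && $0 ~ /-j ACCEPT/) { ok = 1; exit }
            if ($0 ~ /-j (REJECT|DROP)/ && $0 !~ /--dport/) exit
        }
        END { exit ok ? 0 : 1 }' "$1"
}

check_ssh_rule() {
    port=$(sshd_port "$2")
    if ssh_port_allowed "$1" "$port"; then
        echo "OK: INPUT accepts tcp/$port; enabling iptables keeps SSH reachable"
        return 0
    fi
    echo "WARNING: no INPUT ACCEPT for tcp/$port before the catch-all REJECT in $1;"
    echo "         enabling iptables would lock you out of SSH on reboot"
    return 1
}

# Constructed samples: an abridged copy of the default ruleset (the rules in the
# post-reboot listing above) and an sshd_config moved to port 2222.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_RULES="$SAMPLE_DIR/iptables"; SAMPLE_SSHD="$SAMPLE_DIR/sshd_config"
cat > "$SAMPLE_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
printf '#Port 22\nPort 2222\n' > "$SAMPLE_SSHD"
check_ssh_rule "$SAMPLE_RULES" "$SAMPLE_SSHD" || true   # prints the WARNING for 2222
```

Run it against the real files before the reboot; if it warns, add an ACCEPT rule for your SSH port above the REJECT line in /etc/sysconfig/iptables (and the same in /etc/sysconfig/ip6tables).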