CentOS 7 uses firewalld as its default network filter. It is a management layer on top of iptables: a daemon with a D-Bus interface and the firewall-cmd tool that generates the iptables rules for you. According to its description it offers quite wide functionality and usability.
But I prefer to work with iptables rules directly. A ruleset I wrote by hand is easier for me to understand. That is a personal preference, and I can't offer any pro or con of firewalld in general.
So after installing CentOS 7 I always disable firewalld and use only iptables. It's easy.
Disable the firewalld service. Note that "disable" only removes the unit from the boot targets; the instance that is already running keeps filtering until you also run systemctl stop firewalld, and it is worth masking the unit as well so nothing can start it again later (the iptables and firewalld services must not run at the same time):
# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Install the iptables service package:
# yum -y install iptables-services
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.maxus.pro
 * epel: ftp.colocall.net
 * extras: dedic.sh
 * updates: mirror.maxus.pro
 * webtatic: uk.repo.webtatic.com
--> Running transaction check
---> Package iptables-services.x86_64 0:1.4.21-18.2.el7_4 will be installed
--> Finished Dependency Resolution

 Package              Arch     Version               Repository   Size
 iptables-services    x86_64   1.4.21-18.2.el7_4     updates      51 k

Install  1 Package

Total download size: 51 k
Installed size: 25 k
iptables-services-1.4.21-18.2.el7_4.x86_64.rpm              |  51 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
  Installing : iptables-services-1.4.21-18.2.el7_4.x86_64      1/1
  Verifying  : iptables-services-1.4.21-18.2.el7_4.x86_64      1/1
#
The package installs a rules file at /etc/sysconfig/iptables. Check and modify it before you start the iptables service. It contains a default ACCEPT rule for new connections to TCP port 22 (SSH), but if your sshd listens on another port you must change that rule or add one for your port, otherwise you lose your connection to the server the moment iptables starts. The reason is the last INPUT rule, which rejects every inbound connection that the rules above it did not accept (-A INPUT -j REJECT --reject-with icmp-host-prohibited). Note that this is a REJECT, not a DROP: the client gets an ICMP "host prohibited" error straight away instead of a timeout.
Here are the default file contents (iptables-save format, so the table header *filter and the closing COMMIT are required for iptables-restore to load it):
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Now we can enable and start iptables. Do this right after stopping firewalld, because while neither service is running the host has no packet filter at all:
# systemctl enable iptables
# systemctl start iptables
Those who use IPv6 should also start the service for the IPv6 rules (file /etc/sysconfig/ip6tables) with systemctl enable ip6tables and systemctl start ip6tables; the IPv4 service does not filter IPv6 traffic.
That's it. After a server restart the service loads the rules from the file mentioned above.
If you have modified the file, restart the service (systemctl restart iptables) to apply the changes.
If instead you add rules on the fly with the iptables command, there is no need to restart the service, but those rules exist only in the running kernel and are lost at the next restart. Save them into the file with iptables-save > /etc/sysconfig/iptables (or with service iptables save, which the package provides). Note that iptables-save on its own only prints the current ruleset to standard output; without the redirection nothing is persisted.
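The whole procedure as a script, written as an added example that is not part of the original post. It reads the sshd port from sshd_config, generates the rules file with that port instead of the hard-coded 22, and runs the lockout check the text warns about: the ACCEPT for the sshd port must sit above the catch-all REJECT in the INPUT chain, otherwise it is unreachable. Only apply_rules touches the system (it runs as root and is not called unless you pass "apply"); the file paths, the use of iptables-restore --test as a syntax dry run, and the port 2222 used in comments are assumptions.

```shell
#!/bin/sh
# Added example (not the original post's code): switch a CentOS 7 host from
# firewalld to iptables-services without locking yourself out of SSH.
# Assumed paths: /etc/ssh/sshd_config, /etc/sysconfig/iptables.

# Print the port sshd listens on according to an sshd_config file; the last
# uncommented "Port" directive wins, and the OpenSSH default 22 is used if none.
sshd_port_from_config() {
    awk 'tolower($1) == "port" { port = $2 }
         END { print (port == "" ? 22 : port) }' "$1"
}

# Emit the ruleset in iptables-save format, allowing new TCP connections only
# to the given sshd port. Everything else inbound is rejected as in the default.
render_iptables_rules() {
    ssh_port=$1
    cat <<EOF
# generated ruleset: default-deny INPUT, sshd on TCP/${ssh_port}
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport ${ssh_port} -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Lockout check: succeed only if an "-A INPUT ... -p tcp ... --dport <port> -j ACCEPT"
# rule appears before the catch-all "-A INPUT -j REJECT|DROP" in the file ($1).
# Rules after the catch-all never match, so scanning stops there. Only single
# --dport rules are understood (no multiport).
ssh_rule_reachable() {
    awk -v port="$2" '
        /^-A INPUT / && /-p tcp/ && /--dport / && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--dport" && $(i + 1) == port) found = 1
        }
        /^-A INPUT -j (REJECT|DROP)/ { exit }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Root-only: write the file, dry-run it, then swap the services. $1 overrides
# the sshd port, $2 the rules file path (both optional).
apply_rules() {
    port=${1:-$(sshd_port_from_config /etc/ssh/sshd_config)}
    rules=${2:-/etc/sysconfig/iptables}
    render_iptables_rules "$port" > "$rules.new"
    if ! ssh_rule_reachable "$rules.new" "$port"; then
        echo "refusing: no reachable ACCEPT for tcp/$port in $rules.new" >&2
        return 1
    fi
    # Parse and build the ruleset without committing it (assumed --test support).
    iptables-restore --test < "$rules.new" || return 1
    mv "$rules.new" "$rules"
    # Stop, disable and mask firewalld, then enable iptables in one go so the
    # unfiltered window between the two is as short as possible.
    systemctl stop firewalld
    systemctl disable firewalld
    systemctl mask firewalld
    systemctl enable iptables
    systemctl restart iptables
}

# Usage: sh switch-to-iptables.sh render [port]   -> print the ruleset
#        sh switch-to-iptables.sh apply  [port]   -> apply it (as root)
case "${1:-}" in
    render) render_iptables_rules "${2:-$(sshd_port_from_config /etc/ssh/sshd_config)}" ;;
    apply)  apply_rules "${2:-}" ;;
esac
```

Run it with "render" first and read the output; "apply" refuses to proceed if the sshd port has no reachable ACCEPT, which is exactly the mistake that cuts your own session.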
If you need more details about iptables I recommend the Netfilter project's site: http://www.netfilter.org/projects/iptables/index.html
In the end if you still want to use Firewalld you can find useful info here: http://www.firewalld.org/