Disabling Firewalld in CentOS7

CentOS7 by default uses Firewalld as network filter. It’s a kind of add-on over Iptables. According to its description it has quite wide functionality and usability.

But I prefer to work with Iptables rules directly. It’s more understandable for me when I write all rules by myself. But it is individual for each, I can’t bring any pro or con of using Firewalld.

So that after CentOS7  distribution installation I always disable Firewalld and use only Iptables. It’s easy.

Stop Firewalld service:

[root@centos7x64 ~]# systemctl stop firewalld
[root@centos7x64 ~]#

Disable it:

[root@centos7x64 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.

Installing Iptables service:

[root@centos7x64 sysconfig]# yum -y install iptables-services
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.maxus.pro
* epel: ftp.colocall.net
* extras: dedic.sh
* updates: mirror.maxus.pro
* webtatic: uk.repo.webtatic.com
Resolving Dependencies
–> Running transaction check
—> Package iptables-services.x86_64 0:1.4.21-18.2.el7_4 will be installed
–> Finished Dependency Resolution

Dependencies Resolved

Package Arch Version Repository Size
iptables-services x86_64 1.4.21-18.2.el7_4 updates 51 k

Transaction Summary
Install 1 Package

Total download size: 51 k
Installed size: 25 k
Downloading packages:
iptables-services-1.4.21-18.2.el7_4.x86_64.rpm | 51 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : iptables-services-1.4.21-18.2.el7_4.x86_64 1/1
Verifying : iptables-services-1.4.21-18.2.el7_4.x86_64 1/1

iptables-services.x86_64 0:1.4.21-18.2.el7_4

[root@centos7x64 sysconfig]#


Installation creates  Iptables rules file at /etc/sysconfig/iptables. I recommend to check and modify it before you start Iptables service. It has default Allow rule which permits  connections to 22 TCP(SSH) port, but if your SSHD daemon listens at another port – then you should modify this rule or add new one, otherwise you can lose your conection to the server after starting Iptables. It’s because there is the last rule which drops all the inbound connections if they were not allowed by above rules(-A INPUT -j REJECT –reject-with icmp-host-prohibited).

Here is default file contents:

# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state –state NEW -m tcp –dport 22 -j ACCEPT
-A INPUT -j REJECT –reject-with icmp-host-prohibited
-A FORWARD -j REJECT –reject-with icmp-host-prohibited


Now we can start Iptables:

[root@centos7x64 sysconfig]# systemctl start iptables
[root@centos7x64 sysconfig]#

Those who use IPv6 can also start service for IPv6 rules with next commands:  systemctl enable ip6tables and systemctl start ip6tables.

That’s it. After server restart the service will take rules from mentioned file.

If you have modified rules, then you should restart the service to apply them.

[root@centos7x64 sysconfig]# systemctl restart iptables
[root@centos7x64 sysconfig]#

Also if you don’t add rules via the configuration file but you add them on-the-fly, then you have no need to restart the service. But just don’t forget to save your changes with iptables-save.

If you need more details about Iptables I recommend to visit Netfiler project’s site: http://www.netfilter.org/projects/iptables/index.html

In the end if you still want to use Firewalld you can find useful info here: http://www.firewalld.org/


Напишите комментарий

Your email address will not be published. Required fields are marked *