How To Install Iptables Firewall In CentOS 7 Linux

Are you used to the classic iptables firewall and want to kill firewalld? Well there’s still hope for you yet! Here we will show you how to stop and disable the default firewalld firewall and instead install and configure iptables in CentOS 7 Linux.

It’s worth noting that iptables and firewalld are mutually exclusive, only one should be running at any one time. Therefore, if we wish to use either firewalld or iptables we should ensure that the opposite service is completely stopped, disabled, and masked so that it will not interfere.

Disable Firewalld

By default in CentOS 7 Linux, the firewalld firewall will be configured to start up automatically during boot. As we can only run either firewalld or iptables at any one time, we will first disable firewalld.

[[email protected] ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.

This disables firewalld from starting automatically on system boot, however it does not stop the current running instance of firewalld from running, so we do that next.

[[email protected] ~]# systemctl stop firewalld

While firewalld will no longer start automatically at boot and is not currently running, it can still be started manually by command line. To prevent this, we mask the service as shown below.

[[email protected] ~]# systemctl mask firewalld
Created symlink from /etc/systemd/system/firewalld.service to /dev/null.

We are now ready to install and configure iptables.

Enable Iptables

In my default installation of CentOS 7 I already have the iptables package installed which can be used to run the iptables command, however we also need to install iptables-services in order to have iptables start automatically on system boot.

[[email protected] ~]# yum install iptables-services -y

We will now check the status of iptables, as shown below after a clean install it will not be currently running and will be set to disabled, that is it will not start automatically on system boot.

[[email protected] ~]# systemctl status iptables
iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

After the installation is complete, we will configure iptables to start automatically on system boot.

[[email protected] ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.

Next we will start iptables, activating the firewall.

[[email protected] ~]# systemctl start iptables

Now if we check the status of iptables, we should see that it is both actively running, and enabled to start on system boot.

[[email protected] ~]# systemctl status iptables
iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Tue 2016-12-27 02:54:27 PST; 1min 52s ago
  Process: 44351 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 44351 (code=exited, status=0/SUCCESS)

Dec 27 02:54:27 localhost.localdomain systemd[1]: Starting IPv4 firewall with iptables...
Dec 27 02:54:27 localhost.localdomain iptables.init[44351]: iptables: Applying firewall rules: [  OK  ]
Dec 27 02:54:27 localhost.localdomain systemd[1]: Started IPv4 firewall with iptables.

You can now configure the iptables firewall as usual by modifying the /etc/sysconfig/iptables file. We can confirm this is the correct file to use by using the rpm -qc command against the iptables-services package that we installed earlier, as this will list all default configuration files associated with the package.

[[email protected] ~]# rpm -qc iptables-services
/etc/sysconfig/ip6tables
/etc/sysconfig/iptables

Note that you will also need to start and enable ip6tables for IPv6, as iptables only supports IPv4. Likewise IPv6 specific firewall configuration should be set within the /etc/sysconfig/ip6tables file.

Each of these files contains default configuration to allow TCP port 22 in from any source IP address, so you don’t have to worry about locking yourself out of SSH access during the configuration.

If you make any changes to either of these files, be sure to restart iptables to apply the changes.

[[email protected] ~]# systemctl restart iptables

Summary

We have shown you how to easily disable firewalld in CentOS 7 Linux and instead install and configure the classic iptables firewall. Note that iptables is considered deprecated in CentOS 7, so going forward it’s probably worth taking the time to learn how to use firewalld.

  1. Thank you for this about iptables. The problem is not to install iptables, the problem is to have iptables running after reboot. And i can’t find how to have iptables working after reboot. Of course i can have iptables working if i do “service iptables start” or “systemctl restart iptables”, but no way to have iptables working after reboot. Of course i have an iptables.service inside /etc/systemd, but nothing happens and i don’t find any errors inside /var/log
    If you have any advice I’ll appreciate it.
    regards
    carlos

    • Hey, did you try running “systemctl enable iptables”? This enables the iptables service to start up automatically on system boot. It’s basically the way of doing chkconfig on in CentOS 6 in CentOS 7.

  2. Marcello Carvalho

    Hi, after install iptables on my centos 7 server and import my old rules, i can’t find logs anymore, do you have any idea qhat happend?

  3. Logging Example:
    -A INPUT ! -d 255.255.255.255/32 -m limit –limit 10/sec -j LOG –log-prefix “INPT ”

    >>> /var/log/messages
    Nov 20 21:48:09 c999943030-cloudpro-841440887 kernel: INPT IN=ens33 OUT= MAC=00:50:56:95:7b:02:00:18:b9:6c:85:3f:08:00 SRC=185.190.58.237 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=24025 PROTO=TCP SPT=45264 DPT=3392 WINDOW=1024 RES=0x00 SYN URGP=0
    Nov 20 21:49:03 c999943030-cloudpro-841440887 kernel: INPT IN=ens33 OUT= MAC=00:50:56:95:7b:02:00:18:b9:6c:85:3f:08:00 SRC=77.72.82.145 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54864 PROTO=TCP SPT=51892 DPT=2980 WINDOW=1024 RES=0x00 SYN URGP=0

Leave a Comment

NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>