Are you used to the classic iptables firewall and want to kill firewalld? Well there’s still hope for you yet! Here we will show you how to stop and disable the default firewalld firewall and instead install and configure iptables in CentOS 7 Linux.
It’s worth noting that iptables and firewalld are mutually exclusive, only one should be running at any one time. Therefore, if we wish to use either firewalld or iptables we should ensure that the opposite service is completely stopped, disabled, and masked so that it will not interfere.
By default in CentOS 7 Linux, the firewalld firewall will be configured to start up automatically during boot. As we can only run either firewalld or iptables at any one time, we will first disable firewalld.
[root@localhost ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
This disables firewalld from starting automatically on system boot; however, it does not stop the currently running instance of firewalld, so we do that next.
[root@localhost ~]# systemctl stop firewalld
While firewalld will no longer start automatically at boot and is not currently running, it can still be started manually from the command line (or pulled in by another unit). To prevent this, we mask the service as shown below.
[root@localhost ~]# systemctl mask firewalld
Created symlink from /etc/systemd/system/firewalld.service to /dev/null.
We are now ready to install and configure iptables.
In my default installation of CentOS 7 I already have the iptables package installed, which provides the iptables command itself; however, we also need to install iptables-services, which provides the systemd unit and the /etc/sysconfig rules files, in order to have iptables start automatically on system boot.
[root@localhost ~]# yum install iptables-services -y
We will now check the status of iptables. As shown below, after a clean install it will not be running and will be set to disabled, that is, it will not start automatically on system boot.
[root@localhost ~]# systemctl status iptables
iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
After the installation is complete, we will configure iptables to start automatically on system boot.
[root@localhost ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
Next we will start iptables, activating the firewall.
[root@localhost ~]# systemctl start iptables
Now if we check the status of iptables, we should see that it is both actively running and enabled to start on system boot.
[root@localhost ~]# systemctl status iptables
iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Tue 2016-12-27 02:54:27 PST; 1min 52s ago
  Process: 44351 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 44351 (code=exited, status=0/SUCCESS)

Dec 27 02:54:27 localhost.localdomain systemd: Starting IPv4 firewall with iptables...
Dec 27 02:54:27 localhost.localdomain iptables.init: iptables: Applying firewall rules: [  OK  ]
Dec 27 02:54:27 localhost.localdomain systemd: Started IPv4 firewall with iptables.
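The whole switch described above (disable, stop and mask firewalld, then install, enable and start iptables) can be scripted and verified in one pass. The script below is an added example, not part of the original article; it assumes it runs as root on a CentOS 7 host with systemctl and yum on the PATH, and it also enables ip6tables so IPv6 is not left unfiltered. The two `*_is_*` functions are pure checks on the strings that `systemctl is-enabled` and `systemctl is-active` print, so the verification logic can be exercised without touching a live system.

```shell
#!/bin/sh
# Added example (not from the original article): switch a CentOS 7 host from
# firewalld to iptables-services in one pass, then verify the result.
# Assumes root and that "systemctl" and "yum" are on PATH.
set -eu

# Stop, disable and mask firewalld so it cannot come back, manually or at boot.
disable_firewalld() {
    systemctl disable firewalld
    systemctl stop firewalld
    systemctl mask firewalld
}

# Install iptables-services and enable + start both the IPv4 and IPv6 units,
# since the iptables unit alone only loads IPv4 rules.
enable_iptables() {
    yum install -y iptables-services
    for unit in iptables ip6tables; do
        systemctl enable "$unit"
        systemctl start "$unit"
    done
}

# Pure check on the strings systemctl prints: "masked" from is-enabled and
# "inactive" from is-active mean firewalld cannot interfere. Returns 0 if so.
firewalld_is_neutralized() {
    enabled_state=$1
    active_state=$2
    [ "$enabled_state" = "masked" ] && [ "$active_state" = "inactive" ]
}

# Pure check: the iptables unit must be "enabled" and "active". Returns 0 if so.
iptables_is_live() {
    [ "$1" = "enabled" ] && [ "$2" = "active" ]
}

# Query the live system and apply the two checks above.
verify_switch() {
    fw_enabled=$(systemctl is-enabled firewalld 2>/dev/null || true)
    fw_active=$(systemctl is-active firewalld 2>/dev/null || true)
    ipt_enabled=$(systemctl is-enabled iptables 2>/dev/null || true)
    ipt_active=$(systemctl is-active iptables 2>/dev/null || true)
    firewalld_is_neutralized "$fw_enabled" "$fw_active" ||
        { echo "firewalld still present: $fw_enabled/$fw_active" >&2; return 1; }
    iptables_is_live "$ipt_enabled" "$ipt_active" ||
        { echo "iptables not running: $ipt_enabled/$ipt_active" >&2; return 1; }
    echo "switched: firewalld $fw_enabled/$fw_active, iptables $ipt_enabled/$ipt_active"
}

# Only act when explicitly asked, so sourcing this file for its functions is safe.
if [ "${1:-}" = "run" ]; then
    disable_firewalld
    enable_iptables
    verify_switch
fi
```

Run it as `sh switch-to-iptables.sh run`; without the `run` argument it only defines the functions. The verification step is the part worth keeping even if you do the switch by hand: `is-enabled` must report `masked` rather than merely `disabled`, because a disabled unit can still be started manually or by another unit's dependency.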
You can now configure the iptables firewall as usual by modifying the /etc/sysconfig/iptables file. We can confirm this is the correct file to use by running rpm -qc against the iptables-services package that we installed earlier, as this lists all configuration files associated with the package.
[root@localhost ~]# rpm -qc iptables-services
/etc/sysconfig/ip6tables
/etc/sysconfig/iptables
Note that you will also need to enable and start ip6tables for IPv6, as the iptables service only loads IPv4 rules. Likewise, IPv6-specific firewall configuration should be set within the /etc/sysconfig/ip6tables file.
Each of these files contains a default rule set that accepts inbound TCP port 22 from any source IP address, so you don't have to worry about locking yourself out of SSH access during the configuration.
If you make any changes to either of these files, be sure to restart iptables to apply the changes.
[root@localhost ~]# systemctl restart iptables
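Because a restart loads whatever is in /etc/sysconfig/iptables, an editing mistake can remove the SSH rule the article relies on and lock you out of a remote host. The script below is an added example, not part of the original article or of the iptables-services package: it checks a rules file for a loadable structure and for an INPUT ACCEPT rule on TCP port 22 before restarting, and only restarts when told to. The sample rules file it writes is constructed to mirror the layout of the stock CentOS 7 file; the real `iptables-restore --test` parse is run only on the actual restart path, since it needs root.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check an iptables
# rules file before "systemctl restart iptables" loads it, so an edit cannot
# silently drop the SSH allow rule. The rules path defaults to the one the
# article names; the sample file written below is constructed for this example.
set -eu

# Return 0 if the file has an INPUT ACCEPT rule for TCP destination port 22
# (written as "--dport 22" or "--dport ssh"), 1 otherwise.
rules_allow_ssh() {
    grep -Eq '^-A INPUT .*-p tcp .*--dport (22|ssh) .*-j ACCEPT' "$1"
}

# Structural check that needs no privileges: every table opened with "*name"
# must be closed by a COMMIT line. Returns 0 if the file looks loadable.
rules_parse_ok() {
    opened=$(grep -c '^\*' "$1" || true)
    committed=$(grep -c '^COMMIT$' "$1" || true)
    [ "$opened" -gt 0 ] && [ "$opened" -eq "$committed" ]
}

# Write a rules file in the style of the stock CentOS 7 one to $1 (constructed).
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# The same file with the SSH line removed, to show what the check catches.
write_locked_out_rules() {
    write_sample_rules "$1.tmp"
    grep -v -- '--dport 22' "$1.tmp" > "$1"
    rm -f "$1.tmp"
}

# Run both checks on $1 (default /etc/sysconfig/iptables). Restart the service
# only when both pass and the second argument is "restart"; on that path the
# kernel-side parser is also consulted via "iptables-restore --test".
safe_restart() {
    rules=${1:-/etc/sysconfig/iptables}
    if ! rules_parse_ok "$rules"; then
        echo "refusing to restart: $rules does not parse" >&2; return 1
    fi
    if ! rules_allow_ssh "$rules"; then
        echo "refusing to restart: $rules has no SSH ACCEPT rule" >&2; return 1
    fi
    if [ "${2:-}" = "restart" ]; then
        iptables-restore --test "$rules"
        systemctl restart iptables
    fi
    return 0
}
```

Usage on a live host is `safe_restart /etc/sysconfig/iptables restart`; the same pattern applies to /etc/sysconfig/ip6tables and `systemctl restart ip6tables`. The port-22 grep is deliberately strict about the chain and target, since a rule that matches port 22 but jumps to REJECT would otherwise pass a looser check.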
We have shown you how to easily disable firewalld in CentOS 7 Linux and instead install and configure the classic iptables firewall. Note that the iptables service is considered deprecated in CentOS 7, so going forward it's probably worth taking the time to learn how to use firewalld.