How can I use iptables on centos 7? [closed]

9

154

I installed CentOS 7 with minimal configuration (os + dev tools). I am trying to open port 80 for the httpd service, but something is wrong with my iptables service ... what's wrong with it? What am I doing wrong?

# ifconfig/sbin/service iptables save
bash: ifconfig/sbin/service: No such file or directory


# /sbin/service iptables save
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.

# sudo service iptables status
Redirecting to /bin/systemctl status  iptables.service
iptables.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

# /sbin/service iptables save
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.

# sudo service iptables start
Redirecting to /bin/systemctl start  iptables.service
Failed to issue method call: Unit iptables.service failed to load: No such file or directory.
Clericals answered 15/7, 2014 at 10:49 Comment(3)
try this /etc/init.d/iptables save – Hogtie
I got the answer here. RHEL 7 uses firewalld instead of iptables – Clericals
IMO firewalld is more user friendly than iptables. First install and start the firewalld service: sudo yum install -y firewalld && sudo systemctl start firewalld. Then add the HTTP service: sudo firewall-cmd --permanent --add-service=http (also add service https to open port 443 if needed). And finally load the new configuration into firewalld: sudo firewall-cmd --reload – Julie
343

With RHEL 7 / CentOS 7, firewalld was introduced to manage iptables. IMHO, firewalld is more suited for workstations than for server environments.

It is possible to go back to a more classic iptables setup. First, stop and mask the firewalld service:

systemctl stop firewalld
systemctl mask firewalld

Then, install the iptables-services package:

yum install iptables-services

Enable the service at boot-time:

systemctl enable iptables

Managing the service

systemctl [stop|start|restart] iptables

Saving your firewall rules can be done as follows:

service iptables save

or

/usr/libexec/iptables/iptables.init save
Literal answered 18/7, 2014 at 14:29 Comment(9)
It's not saving the iptables. Rebooting the server loses all changes. – Involutional
On my system the iptables are saved correctly. Have you made sure the iptables service is started at boot? You can do this by running 'systemctl enable iptables' – Literal
You may also have firewalld running, which will add additional iptables rules to the list (every time you reboot the system). To stop firewalld run "systemctl mask firewalld" – Pewter
Added the info about masking firewalld to the answer, as @Pewter suggested – Literal
Great post, but do you think it's worth investing in learning how firewalld or shorewall does things instead of iptables? (to me iptables just seems straightforward though) – Dozer
@Dozer sure, it never hurts to diversify and learn new stuff, though never lose track of the basic commands and concepts that are used by the higher-level tools that make life easy. – Literal
@Literal Can you please elaborate on why you think firewalld is not/less suitable for servers? – Musso
After yum install iptables, when I do systemctl enable iptables, it shows me an error: "Failed to execute operation: No such file or directory". I'm logged in as root user. What could be the issue? – Dunlop
@Dunlop iptables and iptables-services are two different things. You will have to do yum install iptables-services as well. – Floorer
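As an added example (not code from this thread and not part of the iptables-services package): the file that `service iptables save` writes, /etc/sysconfig/iptables, is plain iptables-save format, and the iptables unit feeds it to iptables-restore at boot. The script below generates a minimal default-deny IPv4 ruleset for the question's case (SSH on 22/tcp and httpd on 80/tcp, both assumed) and refuses to install a file that sets INPUT to DROP without a rule accepting SSH, which is the usual way to lock yourself out of a remote box. The destination path is a parameter so the script can be exercised without root.

```shell
#!/bin/sh
# Added example: generate and sanity-check the ruleset that the
# iptables-services package loads from /etc/sysconfig/iptables.
# Assumptions: IPv4 only, SSH on 22/tcp, HTTP on 80/tcp.

# Print a default-deny ruleset in iptables-save format. Loopback and
# ESTABLISHED/RELATED come first, then the service ports, then a
# rate-limited LOG so dropped packets show up in the kernel log.
gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# Lockout guard, reads the ruleset on stdin. Returns 0 when the file
# ends with COMMIT and, if INPUT defaults to DROP, an explicit ACCEPT
# for the SSH port is present; returns 1 otherwise.
check_ruleset() {
    ruleset="$(cat)"
    printf '%s\n' "$ruleset" | grep -q '^COMMIT$' || return 1
    if printf '%s\n' "$ruleset" | grep -q '^:INPUT DROP'; then
        printf '%s\n' "$ruleset" | grep -q -- '--dport 22 .*-j ACCEPT' || return 1
    fi
    return 0
}

# Write the ruleset to $1 (default /etc/sysconfig/iptables) only if it
# passes the guard, so a bad file never replaces a working one.
install_ruleset() {
    dest="${1:-/etc/sysconfig/iptables}"
    tmp="$(mktemp)"
    gen_ruleset > "$tmp"
    if check_ruleset < "$tmp"; then
        mv "$tmp" "$dest" && return 0
    fi
    rm -f "$tmp"
    return 1
}

# On a real CentOS 7 host, after install_ruleset has written the file:
#   systemctl restart iptables        (loads it through the unit)
#   iptables-restore < /etc/sysconfig/iptables   (loads it directly)
```

The guard is deliberately narrow: it only catches the one mistake that costs a trip to the console. Anything else, such as a typo in a match, still surfaces when iptables-restore rejects the file, and because the unit's restart keeps the previous in-kernel rules on a parse failure, the host stays reachable.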
103

RHEL and CentOS 7 use firewall-cmd instead of iptables. You should use this kind of command:

# add ssh port as permanent opened port
firewall-cmd --zone=public --add-port=22/tcp --permanent

Then, you can reload rules to be sure that everything is ok

firewall-cmd --reload

This is better than using iptables-save, especially if you plan to use LXC or Docker containers. Launching Docker services will add some rules that the iptables-save command will print out. If you save the result, you will have a lot of rules that should NOT be saved, because Docker containers can change their IP addresses at the next reboot.

firewall-cmd with the permanent option is better for that.

Check "man firewall-cmd" or the official firewalld docs to see the options. There are a lot of options to check zones, configuration, how it works... the man page is really complete.

I strongly recommend not using iptables-services on CentOS 7.

Ruvolo answered 10/8, 2014 at 15:12 Comment(2)
firewall-cmd --reload is not working. I had to restart using "systemctl restart firewalld" for changes to take effect. – Nodab
"Because firewalld is dynamic, changes to its configuration can be made at any time, and are implemented immediately. No part of the firewall needs to be reloaded, so there is no unintentional disruption of existing network connections" -- from the official firewalld docs – Wingate
18

I had the problem that rebooting wouldn't start iptables.

This fixed it:

yum install iptables-services
systemctl mask firewalld
systemctl enable iptables
systemctl enable ip6tables
systemctl stop firewalld
systemctl start iptables
systemctl start ip6tables
Cnut answered 4/8, 2014 at 3:23 Comment(1)
On CentOS 7 it doesn't work: # systemctl start iptables gives Failed to start iptables.service: Unit not found. And # systemctl start ip6tables gives Failed to start ip6tables.service: Unit not found. – Dunlop
18

Try the following command: iptables-save.

Currie answered 11/9, 2014 at 14:30 Comment(2)
man iptables-save: dump iptables rules to stdout. – Oloroso
then we can use iptables-save > /etc/sysconfig/iptables – Epididymis
5

I modified the /etc/sysconfig/ip6tables-config file changing:

IP6TABLES_SAVE_ON_STOP="no"

To:

IP6TABLES_SAVE_ON_STOP="yes"

And this:

IP6TABLES_SAVE_ON_RESTART="no"

To:

IP6TABLES_SAVE_ON_RESTART="yes"

This seemed to save the changes I made using the iptables commands through a reboot.

Yorick answered 7/10, 2014 at 22:24 Comment(1)
This doesn't work on RHEL 7. – Therine
1

Put the IPtables configuration in the traditional file and it will be loaded after boot:

/etc/sysconfig/iptables

Whitmore answered 22/11, 2014 at 8:40 Comment(0)
1

Last month I tried to configure iptables on a LXC VM container, but every time after reboot the iptables configuration was not automatically loaded.

The only way for me to get it working was by running the following command:

yum -y install iptables-services; systemctl disable firewalld; systemctl mask firewalld; service iptables restart; service iptables save

Whitmore answered 5/4, 2017 at 6:53 Comment(1)
I believe that's because containers don't persist anything unless it's in a persistent volume on the host OS. Most of the container OS and config typically isn't in a volume, so it is reset every time the container is restarted. – Chronon
0

And to add, you should also be able to do the same for ip6tables after running the systemctl mask firewalld command:

systemctl start ip6tables.service
systemctl enable ip6tables.service
Aarhus answered 6/4, 2015 at 4:33 Comment(0)
0

If you do so, and you're using fail2ban, you will need to enable the proper filters/actions:

Put the following lines in /etc/fail2ban/jail.d/sshd.local

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/secure
maxretry = 5
bantime = 86400

Enable and start fail2ban:

systemctl enable fail2ban
systemctl start fail2ban

Reference: http://blog.iopsl.com/fail2ban-on-centos-7-to-protect-ssh-part-ii/

Loveless answered 13/11, 2015 at 16:54 Comment(0)
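As an added example (not from the original answer and not fail2ban's own code): what the sshd filter plus the iptables action in that jail amount to, reduced to a shell function run over a few constructed /var/log/secure lines with maxretry = 5, followed by the rules the iptables action issues for the jail and for a banned address. The chain name fail2ban-SSH follows fail2ban 0.9 naming (later releases use f2b-SSH); the log lines are made up for illustration.

```shell
#!/bin/sh
# Added example: fail2ban-style detection over constructed sshd log
# lines, and the iptables rules the "iptables" action installs.
# SAMPLE_SECURE is made up; IPs are documentation ranges.

SAMPLE_SECURE='Nov 13 16:50:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51532 ssh2
Nov 13 16:50:03 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51532 ssh2
Nov 13 16:50:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 51540 ssh2
Nov 13 16:50:07 host sshd[1203]: Failed password for root from 203.0.113.7 port 51540 ssh2
Nov 13 16:50:09 host sshd[1205]: Failed password for root from 203.0.113.7 port 51551 ssh2
Nov 13 16:50:12 host sshd[1207]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2
Nov 13 16:50:15 host sshd[1209]: Failed password for deploy from 198.51.100.4 port 40030 ssh2
Nov 13 16:50:20 host sshd[1211]: Invalid user oracle from 192.0.2.9 port 33000
Nov 13 16:50:21 host sshd[1211]: Failed password for invalid user oracle from 192.0.2.9 port 33000 ssh2'

# Read log lines on stdin and print, sorted, every source IP whose
# "Failed password" count reaches $1 (default 5, the jail's maxretry).
# The source is taken from the LAST "from" token on the line: sshd logs
# the attempted username verbatim, so a username crafted as
# "root from 10.0.0.1 port 1" must not be allowed to pick the banned IP.
find_offenders() {
    maxretry="${1:-5}"
    awk -v max="$maxretry" '
        /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port/ {
            src = ""
            for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1)
            if (src != "") fails[src]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip }
    ' | sort
}

# Rules the iptables action runs when the jail starts (actionstart):
# a dedicated chain, jumped to from INPUT for the SSH port only, that
# falls through with RETURN when nothing matches.
jail_setup_rules() {
    printf '%s\n' \
        "iptables -N fail2ban-SSH" \
        "iptables -A fail2ban-SSH -j RETURN" \
        "iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH"
}

# Rule inserted for one banned address (actionban): REJECT at the top
# of the jail chain, so it takes effect before the trailing RETURN.
ban_rule() {
    printf '%s\n' "iptables -I fail2ban-SSH 1 -s $1 -j REJECT --reject-with icmp-port-unreachable"
}

# Dry run, printing what would be executed:
#   printf '%s\n' "$SAMPLE_SECURE" | find_offenders 5 | while read -r ip; do ban_rule "$ip"; done
```

Scoping the jump to `--dport ssh` is what makes this safe to combine with the iptables-services setup above: the jail chain never touches the httpd rules, and `service iptables save` will capture the fail2ban-SSH chain only if you run it while bans are active, which is one more reason to save the ruleset before starting fail2ban rather than after.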
