How can I use iptables on CentOS 7?
I installed CentOS 7 with a minimal configuration (OS + dev tools). I am trying to open port 80 for the httpd service, but something is wrong with my iptables service ... what's wrong with it? What am I doing wrong?
    # ifconfig/sbin/service iptables save
    bash: ifconfig/sbin/service: No such file or directory
    # /sbin/service iptables save
    The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status).
    For other actions, please try to use systemctl.
    # sudo service iptables status
    Redirecting to /bin/systemctl status iptables.service
    iptables.service
       Loaded: not-found (Reason: No such file or directory)
       Active: inactive (dead)
    # /sbin/service iptables save
    The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status).
    For other actions, please try to use systemctl.
    # sudo service iptables start
    Redirecting to /bin/systemctl start iptables.service
    Failed to issue method call: Unit iptables.service failed to load: No such file or directory.
With RHEL 7 / CentOS 7, firewalld was introduced to manage iptables. IMHO, firewalld is more suited for workstations than for server environments.
It is possible to go back to a more classic iptables setup. First, stop and mask the firewalld service:
    systemctl stop firewalld
    systemctl mask firewalld
Then, install the iptables-services package:
    yum install iptables-services
Enable the service at boot-time:
    systemctl enable iptables
Managing the service:
    systemctl [stop|start|restart] iptables
Saving your firewall rules can be done as follows:
    service iptables save
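The answer above gives the service switch but not the rules themselves, and a freshly enabled iptables service on a minimal install needs a ruleset that actually opens port 80 without opening everything else. The script below is an added example, not code from the answer: it generates a default-deny ruleset in the iptables-save format that iptables-services loads from /etc/sysconfig/iptables at boot, checks its structure, lets iptables-restore parse it without applying it, and installs it. The SSH port argument, the rate-limit numbers and the log prefix are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not taken from any of the answers on this page: a default-deny
# web-server ruleset for iptables-services on CentOS 7. The SSH port, the
# rate-limit numbers and the log prefix are assumptions to adjust.

# Print the ruleset in iptables-save format. Lines starting with '#' are
# ignored by iptables-restore, so the comments can stay in the file.
# $1: SSH port (default 22).
web_ruleset() {
    ssh_port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections we already accepted
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP (path MTU discovery, ping)
-A INPUT -p icmp -j ACCEPT
# SSH: at most 5 new connections per source per minute, the 6th is dropped
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --name SSH -j DROP
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
# the httpd port this question is about
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# log a sample of what falls through to the DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# Structural check of a ruleset read from stdin: a filter table, a DROP
# policy on INPUT and a closing COMMIT. Returns 0 only when all three exist.
validate_ruleset() {
    tmp="$(mktemp)"
    cat > "$tmp"
    rc=0
    grep -q '^\*filter$' "$tmp" || rc=1
    grep -q '^:INPUT DROP ' "$tmp" || rc=1
    grep -q '^COMMIT$' "$tmp" || rc=1
    rm -f "$tmp"
    return "$rc"
}

# Let the real parser see the ruleset without applying it (needs root).
dryrun_ruleset() {
    tmp="$(mktemp)"
    cat > "$tmp"
    iptables-restore --test "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Write the ruleset where iptables-services expects it and restart the service.
install_ruleset() {
    ssh_port="${1:-22}"
    [ "$(id -u)" -eq 0 ] || { echo "install_ruleset: run as root" >&2; return 1; }
    web_ruleset "$ssh_port" | validate_ruleset || { echo "ruleset rejected" >&2; return 1; }
    web_ruleset "$ssh_port" | dryrun_ruleset || { echo "iptables-restore rejected the ruleset" >&2; return 1; }
    [ -f /etc/sysconfig/iptables ] && cp -p /etc/sysconfig/iptables /etc/sysconfig/iptables.bak
    web_ruleset "$ssh_port" > /etc/sysconfig/iptables
    systemctl restart iptables
    iptables -S INPUT
}

# Usage (as root, after masking firewalld and installing iptables-services):
#   install_ruleset 22
```

Run `web_ruleset | validate_ruleset` first to see the file before anything is written; keep the SSH rules above the HTTP rule, because the DROP policy means any port not listed is closed, including the one you are logged in on.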
RHEL and CentOS 7 use firewall-cmd instead of iptables. You should use this kind of command:
    # add ssh port as permanent opened port
    firewall-cmd --zone=public --add-port=22/tcp --permanent
Then, you can reload the rules to be sure that everything is OK.
This is better than using iptables-save, especially if you plan to use LXC or Docker containers. Launching Docker services will add some rules that the iptables-save command will print. If you save the result, you will have a lot of rules that should NOT be saved, because Docker containers can change their IP addresses at the next reboot.
firewall-cmd with the permanent option is better for that.
Check "man firewall-cmd" or the official firewalld docs to see the options. There are a lot of options to check zones, configuration, how it works... The man page is really complete.
I strongly recommend not using iptables-services since CentOS 7.
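The Docker caveat in the answer above is concrete enough to check. The script below is an added example, not code from the answer: it shows the firewalld route (permanent change, then `firewall-cmd --reload`) and, for anyone who stays on iptables-services anyway, a filter that strips the chains, jumps and bridge rules Docker manages at runtime from `iptables-save` output before it is written to /etc/sysconfig/iptables. The sample iptables-save output is constructed; the 172.17.0.0/16 subnet filtered by default is Docker's default bridge network and is an assumption about your setup.

```shell
#!/bin/sh
# Added example, not from the answer above. The sample_save output is
# constructed to look like a host running one container that publishes
# port 8080 -> 172.17.0.2:80; nothing here was captured from a real host.

# firewalld route: permanent change, reload, then show the zone.
open_http_firewalld() {
    firewall-cmd --permanent --zone=public --add-service=http &&
    firewall-cmd --reload &&
    firewall-cmd --zone=public --list-all
}

# Remove what Docker manages at runtime from iptables-save output on stdin:
# DOCKER* chain declarations, rules inside those chains, jumps into them,
# anything on the docker0/br-* bridges and, by default, the 172.17.0.0/16
# bridge subnet. $1: extra regex to strip (pass '' to disable the subnet rule).
strip_docker_rules() {
    extra="${1-172[.]17[.]}"
    awk -v extra="$extra" '
        /^:DOCKER/                      { next }
        /^-A DOCKER/                    { next }
        /-j DOCKER/                     { next }
        /-[io] (docker0|br-[0-9a-f]+)/  { next }
        extra != "" && $0 ~ extra       { next }
        { print }
    '
}

# Number of -A rules on stdin (0 when there are none).
count_rules() {
    grep -c '^-A' || true
}

# iptables-services route: persist the live rules minus Docker's additions.
save_without_docker() {
    [ "$(id -u)" -eq 0 ] || { echo "save_without_docker: run as root" >&2; return 1; }
    iptables-save | strip_docker_rules > /etc/sysconfig/iptables
    systemctl restart iptables
}

# Constructed iptables-save output used to exercise the filter offline.
sample_save() {
    cat <<'EOF'
# Generated by iptables-save v1.4.21
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
COMMIT
EOF
}

# Usage: sample_save | strip_docker_rules
```

The subnet pattern matters: the hairpin MASQUERADE rule for 172.17.0.2 names neither a DOCKER chain nor the bridge interface, so only the subnet rule catches it. If your daemon uses another bridge network, pass that subnet as the argument, or compare `iptables-save | count_rules` against `iptables-save | strip_docker_rules | count_rules` and read the difference before saving.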
I had the problem that rebooting wouldn't start iptables.
This fixed it:
    yum install iptables-services
    systemctl mask firewalld
    systemctl enable iptables
    systemctl enable ip6tables
    systemctl stop firewalld
    systemctl start iptables
    systemctl start ip6tables
Try the following command: iptables-save.
I modified the /etc/sysconfig/ip6tables-config file changing:
This seemed to save the changes I made using the iptables commands through a reboot.
Put the iptables configuration in the traditional file and it will be loaded after boot:
Last month I tried to configure iptables on an LXC VM container, but every time after a reboot the iptables configuration was not automatically loaded.
The only way for me to get it working was by running the following command:
    yum -y install iptables-services
    systemctl disable firewalld
    systemctl mask firewalld
    service iptables restart
    service iptables save
And to add, you should also be able to do the same for ip6tables after running the systemctl mask firewalld command:
    systemctl start ip6tables.service
    systemctl enable ip6tables.service
If you do so, and you're using fail2ban, you will need to enable the proper filters/actions:
Put the following lines in /etc/fail2ban/jail.d/sshd.local
    [ssh-iptables]
    enabled  = true
    filter   = sshd
    action   = iptables[name=SSH, port=ssh, protocol=tcp]
    logpath  = /var/log/secure
    maxretry = 5
    bantime  = 86400
Enable and start fail2ban:
    systemctl enable fail2ban
    systemctl start fail2ban
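To see what the jail above actually does to the iptables ruleset before trusting it on a live host, here is an added example, not code from the answer or from fail2ban: it runs the jail's logic by hand over a constructed excerpt of /var/log/secure, counting `Failed password` lines per source address, applying `maxretry = 5`, and printing the rules. The chain and rule shapes are modelled on fail2ban's iptables action (an `f2b-<name>` chain hooked into INPUT, bans as REJECT with icmp-port-unreachable); that naming is an assumption about the fail2ban release in use, and the log lines and addresses are made up.

```shell
#!/bin/sh
# Added example, not from the answer above. Emulates the ssh-iptables jail
# offline: sample_secure is a constructed /var/log/secure excerpt, the
# iptables commands are printed rather than executed, and the f2b-<name>
# chain layout is an assumption modelled on fail2ban's iptables action.

# Constructed log excerpt: 10.0.0.5 fails six times, 10.0.0.9 twice,
# 192.0.2.7 logs in successfully.
sample_secure() {
    cat <<'EOF'
Mar  4 10:15:01 web1 sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2
Mar  4 10:15:03 web1 sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2
Mar  4 10:15:05 web1 sshd[2103]: Failed password for root from 10.0.0.5 port 51236 ssh2
Mar  4 10:15:07 web1 sshd[2103]: Failed password for root from 10.0.0.5 port 51236 ssh2
Mar  4 10:15:09 web1 sshd[2105]: Failed password for root from 10.0.0.5 port 51238 ssh2
Mar  4 10:15:11 web1 sshd[2105]: Failed password for root from 10.0.0.5 port 51238 ssh2
Mar  4 10:16:00 web1 sshd[2110]: Failed password for deploy from 10.0.0.9 port 40001 ssh2
Mar  4 10:16:02 web1 sshd[2110]: Failed password for deploy from 10.0.0.9 port 40001 ssh2
Mar  4 10:16:30 web1 sshd[2115]: Accepted publickey for deploy from 192.0.2.7 port 40010 ssh2
EOF
}

# Count sshd "Failed password" lines per source address (log lines on stdin).
# Output: "<count> <ip>", most failures first.
failed_logins() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") c[$(i + 1)]++
         }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Addresses that reached maxretry ($1, default 5 as in the jail above).
ban_list() {
    failed_logins | awk -v n="${1:-5}" '$1 >= n { print $2 }'
}

# What the action's start step creates for jail name $1: a dedicated chain
# that returns by default, inserted in front of INPUT for the ssh port.
chain_setup() {
    name="${1:-SSH}"
    printf 'iptables -N f2b-%s\n' "$name"
    printf 'iptables -A f2b-%s -j RETURN\n' "$name"
    printf 'iptables -I INPUT -p tcp --dport ssh -j f2b-%s\n' "$name"
}

# One ban rule per offending address, inserted at the top of the jail chain.
# $1: jail name, $2: maxretry. Printed, not executed.
ban_rules() {
    name="${1:-SSH}"
    ban_list "${2:-5}" | while read -r ip; do
        printf 'iptables -I f2b-%s 1 -s %s -j REJECT --reject-with icmp-port-unreachable\n' "$name" "$ip"
    done
}

# Usage: chain_setup SSH; sample_secure | ban_rules SSH 5
```

On a real host, `iptables -S f2b-SSH` after a few bad logins shows the same shape: the RETURN rule at the bottom and one REJECT per banned address above it. Because the jail chain is inserted at the top of INPUT, it also works in front of a default-deny ruleset loaded by iptables-services, and `service iptables save` would freeze the current bans into /etc/sysconfig/iptables, which is one more reason to save rules deliberately rather than from the live table.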