Switching firewalld to iptables on CentOS

Boost security with ease! Learn how to switch from firewalld to iptables on CentOS for stronger protection. Step-by-step guide inside.

Updated: 25 Jan, 24 by Oliver K 7 Min

List of content you will read in this article:

CentOS 7, like many other Linux distributions, employs the netfilter framework within the Linux kernel to manage packets traversing the network stack. This framework serves as the essential interface for scrutinizing and manipulating packets to establish a functional firewall system.

Typically, distributions rely on the iptables firewall, leveraging netfilter hooks to enforce firewall rules. However, CentOS 7 introduces an alternative service called firewalld, designed for the same purpose.

While firewalld is a robust firewall solution offering impressive features, some users may find it more convenient to stick with iptables if they are already familiar with its syntax and content with its performance. Interestingly, the firewalld utility utilizes the iptables command internally, yet the iptables service isn't pre-installed on CentOS 7. In this guide, we will illustrate how to install the iptables service on CentOS 7 and transition your firewall from firewalld to iptables.

Before transitioning to iptables as your server's firewall solution, it's advisable to save the current rules enforced by firewalld. As mentioned earlier, the firewalld daemon utilizes the iptables command to communicate with the netfilter kernel hooks. Consequently, you can capture the current rules using the iptables command.

To accomplish this, execute the following command to dump the existing set of rules to both standard output and a file named "firewalld_iptables_rules" in your home directory:

sudo iptables -S | tee ~/firewalld_iptables_rules

Repeat the process for ip6tables as well:

sudo ip6tables -S | tee ~/firewalld_ip6tables_rules

Depending on the active firewalld zones, enabled services, and rules passed from firewall-cmd directly to iptables, the dumped rule set might be extensive.

The firewalld service implements its firewall policies using standard iptables rules, constructing a management framework through iptables chains. Most of the rules you observe will be used to create these management chains and direct traffic flow within these structures.

When migrating to the iptables service, the rules you transfer won't require recreating the management framework relied upon by firewalld. Consequently, the rule set you implement will likely be simpler. By saving the entire set, we aim to preserve as much raw data as possible.

For a concise overview of the essential lines needed to recreate the policy, execute a command like this:

grep 'ACCEPT\|DROP\|QUEUE\|RETURN\|REJECT\|LOG' ~/firewalld_iptables_rules

This command will primarily display rules contributing to the final decision, omitting those that merely jump to user-created chains.

To initiate the transition for your server, you must obtain and install the iptables-service package from the CentOS repositories.

Execute the following command to download and install the service files:

sudo yum install iptables-services

This command will fetch and install the systemd scripts responsible for managing the iptables service. Additionally, it will generate default iptables and ip6tables configuration files, saving them to the /etc/sysconfig directory.

Now, it's time to establish your iptables firewall rules by modifying the /etc/sysconfig/iptables and /etc/sysconfig/ip6tables files. These files contain the rules that will be read and applied when initiating the iptables service.

The approach you take in constructing your firewall rules depends on whether the system-config-firewall process is installed and utilized to manage these files. To check, inspect the top of the /etc/sysconfig/iptables file:

sudo head -2 /etc/sysconfig/iptables

If the output resembles the following, you are free to manually edit the /etc/sysconfig/iptables and /etc/sysconfig/ip6tables files to define the policies for your iptables firewall:

# sample configuration for iptables service

# you can edit this manually or use system-config-firewall

Open and edit the files with sudo privileges to incorporate your rules:

sudo nano /etc/sysconfig/iptables

sudo nano /etc/sysconfig/ip6tables

Once your rules are set, test your IPv4 and IPv6 rules using the following commands:

sudo sh -c 'iptables-restore -t < /etc/sysconfig/iptables'

sudo sh -c 'ip6tables-restore -t < /etc/sysconfig/ip6tables'

However, if the output from examining the /etc/sysconfig/iptables file indicates the following:

# Firewall configuration written by system-config-firewall

# Manual customization of this file is not recommended.

It means that the system-config-firewall management tool is installed and actively managing this file. Any manual changes will be overwritten by the tool. In such cases, make adjustments to your firewall using one of the associated tools. For the text UI, use the following command:

sudo system-config-firewall-tui

For those with the graphical UI installed, launch it with:

sudo system-config-firewall

Now, it's time to disable the existing firewalld firewall and enable our iptables services. Utilizing the && construct, we'll ensure that the new firewall services start promptly once the firewalld service successfully shuts down:

sudo systemctl stop firewalld && sudo systemctl start iptables && sudo systemctl start ip6tables

Verify that firewalld is no longer running by executing:

sudo firewall-cmd --state

Confirm that the rules you configured in the /etc/sysconfig directory have been loaded and applied by entering:

sudo iptables -S

sudo ip6tables -S

At this stage, the iptables and ip6tables services are active for the current session. However, keep in mind that currently, the firewalld service is still set to automatically start upon server reboot.

This is an opportune time to test your firewall policies to ensure they grant the necessary level of access. If any issues arise, you have the flexibility to restart the server and revert to your previous firewall settings.

Once you've confirmed the effectiveness of your firewall rules and ensured that your policy is correctly enforced, proceed to disable the firewalld service with the following command:

sudo systemctl disable firewalld

This action prevents the service from automatically starting at boot. To further secure against inadvertent manual starts, you can take an additional step by masking the service, preventing manual initiation as well:

sudo systemctl mask firewalld

Now, you can enable your iptables and ip6tables services, ensuring they start automatically upon boot:

sudo systemctl enable iptables

sudo systemctl enable ip6tables

With these steps, your firewall transition should be complete.

Deploying a firewall stands as a crucial measure in safeguarding server security. Although firewalld proves to be an effective firewall solution, there are instances where opting for the most familiar tool or maintaining consistency across diverse infrastructures becomes the more pragmatic choice.

Oliver K

Oliver K

I’m Oliver k. I have MS degree in Computer Engineering. For nearly 5 years that I have been working on web programing and also in last 2 years I have worked on windows and Linux VPS. This is my honor to share my experiences with a new community.