
CentOS 7 iptables replaced with firewalld

Posted: Tue Jul 22, 2014 1:44 am
by Box293
This should help anyone else out who has this problem.

I installed Nagios Core 4.0.7 on CentOS 7 (basic / minimum install).
After Core installs I needed to open the firewall ports to allow port 80 inbound.

Before CentOS 7 I did this:

iptables -I INPUT -p tcp --destination-port 80 -j ACCEPT
/sbin/service iptables save

The first command worked but the second command reported this:
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.
I found on CentOS 7 that iptables has been replaced with firewalld.

I needed to do this instead:

firewall-cmd --zone=public --add-port=http/tcp
firewall-cmd --zone=public --add-port=http/tcp --permanent

You need to do both commands because the first one is for the running environment and the second one makes it permanent when the server reboots.
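The runtime/permanent split above is also where things go wrong silently: a port added without --permanent disappears at the next reboot or reload. The following added check (not part of the original post) diffs the two lists for a zone and reports ports that exist only in the runtime configuration; check_zone_drift assumes firewall-cmd is on PATH, while the sample port lists are constructed for offline use.

```shell
#!/bin/sh
# Added example, not from the thread: find ports open in firewalld's runtime
# configuration that are absent from the permanent one (rules that will be
# lost on reboot or on "firewall-cmd --reload").

# runtime_only_ports RUNTIME_LIST PERMANENT_LIST
# Both arguments are space-separated "port/proto" lists, exactly the format
# printed by "firewall-cmd --list-ports". Prints one missing entry per line.
runtime_only_ports() {
    for p in $1; do
        case " $2 " in
            *" $p "*) ;;                 # present in permanent config: fine
            *) printf '%s\n' "$p" ;;     # runtime only: will not survive reboot
        esac
    done
}

# Live check on a real host. Assumes firewall-cmd is installed; the zone
# defaults to "public" as in the commands above.
check_zone_drift() {
    zone=${1:-public}
    runtime=$(firewall-cmd --zone="$zone" --list-ports)
    permanent=$(firewall-cmd --zone="$zone" --permanent --list-ports)
    runtime_only_ports "$runtime" "$permanent"
}

# Constructed sample output standing in for firewall-cmd on a host where
# only the first (non-permanent) command from the post was run for port 80.
SAMPLE_RUNTIME="22/tcp 80/tcp 443/tcp"
SAMPLE_PERMANENT="22/tcp 443/tcp"

# Example run against the constructed sample; prints "80/tcp".
runtime_only_ports "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"
```

Run check_zone_drift on a real host after opening ports; any output means the second, --permanent command was missed for that port.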

Re: CentOS 7 iptables replaced with firewalld

Posted: Tue Jul 22, 2014 3:09 am
by millisa
I appreciate this post; absorbing firewalld along with the new systemctl causes me pain.

On my first CentOS7 install I tried to do my configs using the new methods but I punted on using firewalld over iptables (this was mostly due to custom fail2ban scripts that I haven't converted to use firewall-cmd).

An alternate approach that puts iptables back on CentOS7 (don't do it! learn the new system and embrace it! I still don't know that I buy into firewalld managing all of it for me to be a good thing; supposedly it's 'cleaner')
In any case, here is the 'wrong' way to fix centos7 (but I'm going to keep doing it anyways until other tools catch up):

Install iptables:

yum install -y iptables-services

Gimme my iptables back:

systemctl mask firewalld
systemctl enable iptables

(and if you need ip6tables, add an extra enable line for it)

Stop firewalld, start iptables

systemctl stop firewalld
systemctl start iptables

(and start ip6tables if you need it)

Do your iptables modification just like before and save with:

iptables-save > /etc/sysconfig/iptables

Then, go read through the Fedora wiki on FirewallD and figure out how to make whatever it is making you need iptables work the 'firewalld way'. (Warning: it is painful to read in places... "This included also to unload the firewall . . ." and "This model makes it more easy to add or remove" are cringeworthy.)

Re: CentOS 7 iptables replaced with firewalld

Posted: Tue Jul 22, 2014 9:09 pm
by Box293
Nice info. I thought about going back to iptables but then I always like a challenge so I pushed forward with firewalld :geek: