CentOS 7 iptables replaced with firewalld

Posted: Tue Jul 22, 2014 1:44 am
by Box293
This should help anyone else out who has this problem.

I installed Nagios Core 4.0.7 on CentOS 7 (basic / minimum install).
After Core installs I needed to open the firewall ports to allow port 80 inbound.

Before CentOS 7 I did this:
iptables -I INPUT -p tcp --destination-port 80 -j ACCEPT
/sbin/service iptables save

The first command worked but the second command reported this:
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.

I found on CentOS 7 that iptables has been replaced with firewalld.

I needed to do this instead:
firewall-cmd --zone=public --add-port=http/tcp
firewall-cmd --zone=public --add-port=http/tcp --permanent

You need to do both commands because the first one is for the running environment and the second one makes it permanent when the server reboots.
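
An added example, not from Box293's post: a small POSIX shell script around firewall-cmd that does both halves idempotently, verifies the port is in both configurations, and lists ports that are open now but missing from the permanent config (the ones that vanish on reboot). FWCMD and ZONE are assumed variables so the script can be pointed at another zone or at a stub; against a real firewalld it needs root.

```shell
#!/bin/sh
# Open a port in firewalld in BOTH the running and the saved configuration,
# and detect runtime-only rules that will vanish at the next reboot.
# FWCMD/ZONE are assumptions so the script can be pointed at a stub.
FWCMD="${FWCMD:-firewall-cmd}"
ZONE="${ZONE:-public}"

# open_port PORT/PROTO: add the port to runtime and permanent config,
# skipping whichever half is already in place. Returns 1 on failure.
open_port() {
    spec="$1"
    # bail out if firewalld is not the active firewall (e.g. after a
    # switch back to iptables-services); an add would silently do nothing
    if ! "$FWCMD" --state >/dev/null 2>&1; then
        echo "firewalld is not running; nothing changed" >&2
        return 1
    fi
    # runtime half: takes effect immediately, lost on reboot
    if "$FWCMD" --zone="$ZONE" --query-port="$spec" >/dev/null 2>&1; then
        echo "runtime: $spec already open"
    else
        "$FWCMD" --zone="$ZONE" --add-port="$spec" >/dev/null || return 1
        echo "runtime: opened $spec"
    fi
    # permanent half: survives reboot, but is not live until a reload
    if "$FWCMD" --permanent --zone="$ZONE" --query-port="$spec" >/dev/null 2>&1; then
        echo "permanent: $spec already open"
    else
        "$FWCMD" --permanent --zone="$ZONE" --add-port="$spec" >/dev/null || return 1
        echo "permanent: opened $spec"
    fi
}

# verify_port PORT/PROTO: succeed only when the port is in both configs
verify_port() {
    "$FWCMD" --zone="$ZONE" --query-port="$1" >/dev/null 2>&1 &&
    "$FWCMD" --permanent --zone="$ZONE" --query-port="$1" >/dev/null 2>&1
}

# runtime_only_ports: print ports open now but absent from the permanent
# config, i.e. rules someone added without --permanent
runtime_only_ports() {
    perm=" $("$FWCMD" --permanent --zone="$ZONE" --list-ports) "
    for p in $("$FWCMD" --zone="$ZONE" --list-ports); do
        case "$perm" in *" $p "*) ;; *) echo "$p" ;; esac
    done
}
```

Run `open_port 80/tcp` for the case in this thread, then `runtime_only_ports` on any box where someone may have skipped the second command.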

Posted: Tue Jul 22, 2014 3:09 am
by millisa
I appreciate this post; absorbing firewalld along with the new systemctl causes me pain.

On my first CentOS7 install I tried to do my configs using the new methods but I punted on using firewalld over iptables (this was mostly due to custom fail2ban scripts that I haven't converted to use firewall-cmd).

An alternate approach that puts iptables back on CentOS7 (don't do it! learn the new system and embrace it! I still don't know that I buy into firewalld managing all of it for me to be a good thing; supposedly it's 'cleaner')
In any case, here is the 'wrong' way to fix CentOS7 (but I'm going to keep doing it anyways until other tools catch up):

Install iptables:
yum install -y iptables-services

Gimme my iptables back:
systemctl mask firewalld
systemctl enable iptables
(and if you need ip6tables, add an extra enable line for it)

Stop firewalld, start iptables
systemctl stop firewalld
systemctl start iptables
(and start ip6tables if you need it)

Do your iptables modification just like before and save with

Then, go read through the Fedora wiki on FirewallD and figure out how to make whatever it is making you need iptables work the 'firewalld way'. (Warning: It is painful to read in places... "This included also to unload the firewall . . ." and "This model makes it more easy to add or remove" are cringeworthy.)

Posted: Tue Jul 22, 2014 9:09 pm
by Box293
Nice info. I thought about going back to iptables but then I always like a challenge so I pushed forward with firewalld :geek: