CentOS 7 iptables replaced with firewalld

Support forum for Nagios Core, Nagios Plugins, NCPA, NRPE, NSCA, NDOUtils and more. Engage with the community of users including those using the open source solutions.
Box293
Too Basu
Posts: 5126
Joined: Sun Feb 07, 2010 10:55 pm
Location: Deniliquin, Australia

CentOS 7 iptables replaced with firewalld

Post by Box293 »

This should help anyone else out who has this problem.

I installed Nagios Core 4.0.7 on CentOS 7 (basic / minimum install).
After Core installs I needed to open the firewall ports to allow port 80 inbound.

Before CentOS 7 I did this:

    iptables -I INPUT -p tcp --destination-port 80 -j ACCEPT
    /sbin/service iptables save

The first command worked but the second command reported this:

    The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.

I found on CentOS 7 that iptables has been replaced with firewalld.

I needed to do this instead:

    firewall-cmd --zone=public --add-port=http/tcp
    firewall-cmd --zone=public --add-port=http/tcp --permanent

You need to do both commands because the first one is for the running environment and the second one makes it permanent when the server reboots.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
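As an added example (not code from Box293's post or from the Nagios project), here is a small POSIX shell script that does what the post describes, but idempotently: it reads `firewall-cmd --list-ports` for both the runtime and the permanent configuration, adds the port only where it is missing, and then reports any "drift" between the two, which is exactly the state you end up in if you run only one of the two commands. It assumes firewalld's default `public` zone and the Nagios web port `80/tcp` (both overridable through the `ZONE` and `PORT` variables I chose), and it only touches the real firewall when `firewall-cmd` exists and firewalld is running, so the parsing functions can be exercised on any machine.

```shell
#!/bin/sh
# Added example, not from the forum post: idempotent firewalld port opening
# for the Nagios web UI plus a runtime-vs-permanent drift check.
# ZONE and PORT are assumed defaults; override them in the environment.

ZONE="${ZONE:-public}"
PORT="${PORT:-80/tcp}"

# port_listed LIST PORT -> 0 if PORT is one of the space-separated entries
# in LIST (the format `firewall-cmd --list-ports` prints), else 1.
# Compares whole entries, so "80/tcp" does not match "8080/tcp" the way a
# plain grep would.
port_listed() {
    for entry in $1; do
        [ "$entry" = "$2" ] && return 0
    done
    return 1
}

# drift RUNTIME_LIST PERMANENT_LIST -> prints each port that is open in only
# one of the two configurations. No output means a reboot leaves the
# firewall exactly as it is now.
drift() {
    runtime=$1
    permanent=$2
    for p in $runtime; do
        port_listed "$permanent" "$p" || echo "runtime-only: $p"
    done
    for p in $permanent; do
        port_listed "$runtime" "$p" || echo "permanent-only: $p"
    done
}

# ensure_port ZONE PORT -> adds PORT to ZONE at runtime and permanently,
# skipping whichever already has it, then reports any remaining drift.
ensure_port() {
    zone=$1
    port=$2
    running=$(firewall-cmd --zone="$zone" --list-ports)
    saved=$(firewall-cmd --zone="$zone" --list-ports --permanent)
    port_listed "$running" "$port" || firewall-cmd --zone="$zone" --add-port="$port"
    port_listed "$saved" "$port" || firewall-cmd --zone="$zone" --add-port="$port" --permanent
    drift "$(firewall-cmd --zone="$zone" --list-ports)" \
          "$(firewall-cmd --zone="$zone" --list-ports --permanent)"
}

# Only change the live firewall when firewalld is installed and running
# (`firewall-cmd --state` exits non-zero otherwise).
if command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1; then
    ensure_port "$ZONE" "$PORT"
fi
```

Run it as root on the Nagios host; a line such as `runtime-only: 80/tcp` afterwards means the permanent step failed and the port will close on the next reboot.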
millisa
Posts: 69
Joined: Thu Jan 16, 2014 11:13 pm
Location: Austin, TX

Re: CentOS 7 iptables replaced with firewalld

Post by millisa »

I appreciate this post; absorbing firewalld along with the new systemctl causes me pain.

On my first CentOS7 install I tried to do my configs using the new methods but I punted on using firewalld over iptables (this was mostly due to custom fail2ban scripts that I haven't converted to use firewall-cmd).

An alternate approach that puts iptables back on CentOS7 (don't do it! learn the new system and embrace it! I still don't know that I buy into firewalld managing all of it for me to be a good thing; supposedly it's 'cleaner')
In any case, here is the 'wrong' way to fix centos7 (but I'm going to keep doing it anyways until other tools catch up):

Install iptables:

    yum install -y iptables-services

Gimme my iptables back:

    systemctl mask firewalld
    systemctl enable iptables

(and if you need ip6tables, add an extra enable line for it)

Stop firewalld, start iptables

    systemctl stop firewalld
    systemctl start iptables

(and start ip6tables if you need it)

Do your iptables modification just like before and save with

    iptables-save > /etc/sysconfig/iptables

Then, go read through the fedora wiki on FirewallD and figure out how to make whatever it is making you need iptables work the 'firewalld way'. (Warning: It is painful to read in places... This included also to unload the firewall . . . and This model makes it more easy to add or remove are cringeworthy.)
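For the iptables-services route, here is an added example (my own, not millisa's script) that covers the one thing the plain `iptables -I ...; iptables-save > ...` sequence does not: re-running it stacks a duplicate rule every time. The script uses `iptables -C` to test for the rule before inserting it, saves to `/etc/sysconfig/iptables` (the file the post names, which iptables-services loads at boot), and includes two functions that inspect `iptables-save` output offline. Note that `iptables-save` rewrites `--destination-port 80` as `-m tcp --dport 80`, so that is the form to look for. The `SAMPLE_SAVE` text is constructed for illustration; it is not output captured from a real host.

```shell
#!/bin/sh
# Added example, not from the forum post: open a TCP port with
# iptables-services on CentOS 7 without duplicating rules, and check the
# saved rule set. PORT is an assumed default; SAVE_FILE is the path from
# the post.

PORT="${PORT:-80}"
SAVE_FILE="${SAVE_FILE:-/etc/sysconfig/iptables}"

# Pattern for the INPUT ACCEPT rule as iptables-save normalises it.
rule_pattern() {
    printf '%s' "^-A INPUT -p tcp -m tcp --dport $1 -j ACCEPT\$"
}

# accept_rule_saved SAVED_TEXT PORT -> 0 if SAVED_TEXT (iptables-save
# format) holds an INPUT ACCEPT rule for tcp dport PORT, else 1.
accept_rule_saved() {
    printf '%s\n' "$1" | grep -q -- "$(rule_pattern "$2")"
}

# count_accept_rules SAVED_TEXT PORT -> number of such rules. Anything
# above 1 means "iptables -I" was repeated without checking first.
count_accept_rules() {
    printf '%s\n' "$1" | grep -c -- "$(rule_pattern "$2")" || true
}

# ensure_accept_rule PORT -> inserts the rule only if the kernel does not
# already have it (-C checks without changing anything), then persists the
# whole rule set so iptables-services restores it at boot.
ensure_accept_rule() {
    iptables -C INPUT -p tcp --dport "$1" -j ACCEPT 2>/dev/null \
        || iptables -I INPUT -p tcp --dport "$1" -j ACCEPT
    iptables-save > "$SAVE_FILE"
}

# Constructed sample of iptables-save output after the post's "iptables -I"
# line was run twice by mistake, so port 80 appears as a duplicate rule.
SAMPLE_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# Only change the live rule set when iptables is installed and we are root;
# the inspection functions above work anywhere.
if command -v iptables >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    ensure_accept_rule "$PORT"
    count_accept_rules "$(iptables-save)" "$PORT" >/dev/null
fi
```

Running `count_accept_rules "$(cat /etc/sysconfig/iptables)" 80` on an existing host is a quick way to see whether earlier blind inserts have already piled up duplicates before you clean them out.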
Box293
Too Basu
Posts: 5126
Joined: Sun Feb 07, 2010 10:55 pm
Location: Deniliquin, Australia

Re: CentOS 7 iptables replaced with firewalld

Post by Box293 »

Nice info. I thought about going back to iptables but then I always like a challenge so I pushed forward with firewalld :geek: