Note: This guide was tested on CentOS 7.5
In CentOS and RHEL 7 and later, firewalld has replaced the iptables service as the default firewall front end. The underlying netfilter code and the iptables command are still present, so the classic iptables-services setup can be used instead if you prefer it or already have rule files written for it. This article shows how to switch from firewalld to that classic setup. Do not run both at the same time: they manage the same kernel tables and will overwrite each other's rules.
- The first step is to stop and mask the firewalld service. Masking (rather than just disabling) points the unit at /dev/null, so nothing can start firewalld again later, not even another unit that lists it as a dependency:
systemctl stop firewalld
systemctl mask firewalld
- Install iptables-services packages:
yum -y install iptables-services
- Check the status of iptables:
systemctl status iptables
Output:
[root@localhost ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
Active: inactive (dead)
As shown above, right after the install iptables is not running, and the unit is disabled, so it will not start automatically at boot.
- Configure iptables to start automatically on system boot:
systemctl enable iptables
- Start iptables. This loads the rules from /etc/sysconfig/iptables (the package default allows only SSH inbound) and activates the firewall:
systemctl start iptables
- List the configuration files shipped with the iptables-services package. Note that there is a separate rule file, and a separate ip6tables unit, for IPv6: the steps above only enable the IPv4 service, so repeat the enable and start steps for the ip6tables unit as well, otherwise IPv6 traffic to the host is not filtered at all:
rpm -qc iptables-services
Output:
[root@localhost ~]# rpm -qc iptables-services
/etc/sysconfig/ip6tables
/etc/sysconfig/iptables
- Verify the loaded ruleset. The -n flag skips DNS lookups and -v shows packet and byte counters, which is a quick way to confirm that the final REJECT rule is actually seeing traffic:
iptables -L -v -n
Output with the package default ruleset:
[root@localhost ~]# iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
191 19973 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 28 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
11 620 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
770 33942 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 559 packets, 60459 bytes)
pkts bytes target prot opt in out source destination
- You can now add rules in one of two ways. Either from the CLI with iptables commands, for example:
iptables -I INPUT -p tcp -m tcp --dport 22 -j ACCEPT
Note the -I (insert at the top) rather than -A (append): the default ruleset ends with an unconditional REJECT, so a rule appended with -A lands after it and never matches. Rules added from the CLI exist only in the kernel and are lost on reboot or on the next service restart unless they are written back to /etc/sysconfig/iptables (the package provides service iptables save for this).
Or edit /etc/sysconfig/iptables directly, which the service loads on every start, so that it looks something like the following (a very basic ruleset with only port 22 for SSH open):
[root@localhost ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
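Putting the previous two steps together, here is an added example (not part of the original guide or of the iptables-services package) in the same shell the procedure is typed into. gen_ruleset writes a ruleset in the same iptables-save format as /etc/sysconfig/iptables for a given list of TCP ports, tightened compared with the package default (DROP chain policies, INVALID state dropped, rate-limited ping); count_shadowed detects the mistake described above, rules that sit behind the catch-all REJECT and therefore never match; apply_ruleset validates a file before installing it and arms a rollback so a typo cannot lock you out of SSH. The function names, the /tmp and /root paths, and the 60 second rollback window are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original guide or from iptables-services.
# Assumes a CentOS 7 host with iptables-services installed for apply_ruleset;
# gen_ruleset and count_shadowed are pure text processing and run anywhere.

# gen_ruleset PORT...  -> prints a ruleset in iptables-save format.
# Compared with the package default: INPUT/FORWARD policy is DROP instead of
# ACCEPT (so a flushed chain fails closed), INVALID packets are dropped, and
# ICMP echo is accepted but rate-limited.
gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
EOF
    for port in "$@"; do
        printf -- '-A INPUT -p tcp -m state --state NEW -m tcp --dport %s -j ACCEPT\n' "$port"
    done
    cat <<'EOF'
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# count_shadowed < ruleset -> number of INPUT rules that appear after the
# unconditional "-A INPUT -j REJECT" (or DROP). iptables evaluates a chain
# top-down, so those rules are dead. This is exactly what an
# "iptables -A INPUT ... -j ACCEPT" against the default ruleset produces.
count_shadowed() {
    awk '
        /^-A INPUT -j (REJECT|DROP)( |$)/ { dead = 1; next }
        dead && /^-A INPUT / { n++ }
        END { print n + 0 }
    '
}

# apply_ruleset FILE  (run as root) -> syntax-check FILE with
# iptables-restore --test, save the live rules for rollback, install FILE as
# /etc/sysconfig/iptables and restart the service. A background timer puts
# the old rules back after 60 s unless you kill it, so a broken ruleset that
# cuts off SSH heals itself.
apply_ruleset() {
    file=$1
    rollback=/root/iptables.rollback   # example path, pick your own
    if ! iptables-restore --test "$file"; then
        echo "apply_ruleset: $file does not parse, nothing changed" >&2
        return 1
    fi
    if [ "$(count_shadowed < "$file")" -ne 0 ]; then
        echo "apply_ruleset: $file has INPUT rules after the final REJECT" >&2
        return 1
    fi
    iptables-save > "$rollback"
    ( sleep 60 && iptables-restore "$rollback" ) &
    timer=$!
    cp "$file" /etc/sysconfig/iptables
    systemctl restart iptables
    echo "rules loaded; if SSH still works, cancel the rollback with: kill $timer"
}
```

Typical use as root: gen_ruleset 22 443 > /tmp/rules.v4 && apply_ruleset /tmp/rules.v4, then open a second SSH session to confirm you still get in and kill the rollback timer. The DROP policies are deliberate: with the package's ACCEPT policies, an accidental iptables -F leaves the host wide open, whereas here it leaves the host unreachable, which is the safer failure.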