Note: This guide was tested on CentOS 7.5

In newer versions of CentOS and RHEL (version 7 and later), firewalld has replaced iptables as the default system firewall. However, iptables can still be used if you prefer it or are already familiar with its configuration. This article shows how to use the classic iptables setup instead of firewalld.

  • The first step is to stop and mask the firewalld service:
systemctl stop firewalld
systemctl mask firewalld
  • Install iptables-services packages:
yum -y install iptables-services
  • Check the status of iptables:
systemctl status iptables


[root@localhost ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
Active: inactive (dead)

As shown above, after installation iptables is not running and is set to disabled, so it will not start automatically on system boot.

  • Configure iptables to start automatically on system boot:
systemctl enable iptables
  • Start iptables, activating the firewall:
systemctl start iptables
  • List all default configuration files associated with the iptables-services package:
rpm -qc iptables-services


[root@localhost ~]# rpm -qc iptables-services
  • Verify the iptables configuration:
iptables -L -v -n

Expected output:

[root@localhost ~]# iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
  191 19973 ACCEPT     all  --  *      *              state RELATED,ESTABLISHED
    1    28 ACCEPT     icmp --  *      *             
    0     0 ACCEPT     all  --  lo     *             
   11   620 ACCEPT     tcp  --  *      *              state NEW tcp dpt:22
  770 33942 REJECT     all  --  *      *              reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *              reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 559 packets, 60459 bytes)
pkts bytes target     prot opt in     out     source               destination             
  • You can now either add iptables rules from the CLI through iptables commands (-I inserts the rule at the top of the chain, ahead of the final REJECT rule):
iptables -I INPUT -p tcp -m tcp --dport 22 -j ACCEPT

Or modify the /etc/sysconfig/iptables file, which the iptables service loads when it starts, to look something like the following (a very basic configuration with only port 22 open for SSH):

[root@localhost ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
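
Rule order decides what a file like the one above actually allows: anything appended after the catch-all REJECT never matches, which is why the CLI example uses -I. The following check is an added example, not part of the original guide; check_rules and sample_rules are hypothetical names, and the ruleset with tcp/443 is constructed for illustration.

```shell
#!/bin/sh
# Added example: lint an iptables-services rules file before restarting the service.
# Prints one finding per line; exit status is 0 only when nothing was found.
check_rules() {
    awk '
        /^[ \t]*(#|$)/ { next }                    # comments and blank lines
        /^\*/          { table = substr($1, 2); next }
        $1 == "COMMIT" { committed[table] = 1; next }
        table == "filter" && $1 == "-A" {
            if ($2 in closed) {
                printf "line %d: unreachable, %s ends at the catch-all on line %d\n", NR, $2, closed[$2]
                bad = 1
            } else if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) {
                closed[$2] = NR                    # rule with no match options
            } else if ($2 == "INPUT" && /-j ACCEPT/) {
                if (/ESTABLISHED/)     est = 1
                if (/--dport 22( |$)/) ssh = 1
            }
        }
        END {
            if (!("filter" in committed)) { print "filter table has no COMMIT line"; bad = 1 }
            if (!est) { print "INPUT has no reachable RELATED,ESTABLISHED accept"; bad = 1 }
            if (!ssh) { print "INPUT has no reachable accept for tcp/22"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: tcp/443 was appended after the final REJECT, so it never matches.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
```

Run `check_rules /etc/sysconfig/iptables` before restarting the service; `iptables-restore --test` validates syntax only and will not flag an unreachable rule.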