By default, RHEL 7 uses the firewalld service to manage the host firewall. firewalld is not to everyone's liking, and you may prefer the classic iptables service instead. The two cannot run side by side: both manage the same netfilter ruleset in the kernel, so each will clobber the other's rules. firewalld must therefore be stopped and disabled (and ideally masked) before the iptables service is used. This post outlines the steps to disable firewalld and enable iptables on CentOS/RHEL 7.
Stop and disable firewalld
1. To begin with, you should disable Firewalld and make sure it does not start at boot again.
# systemctl stop firewalld
# systemctl disable firewalld
2. Masking the firewalld service links /etc/systemd/system/firewalld.service to /dev/null, so the unit cannot be started again, whether by hand or as a dependency of another unit, until it is unmasked. Disabling alone does not give that guarantee.
# systemctl mask firewalld
Created symlink from /etc/systemd/system/firewalld.service to /dev/null.
Install and configure iptables
1. To enable iptables, first install the "iptables-services" package. The iptables tools themselves are already present on RHEL 7 (firewalld depends on them); this package adds the iptables and ip6tables systemd units and the /etc/sysconfig/iptables and /etc/sysconfig/ip6tables rules files those units load at start.
# yum install iptables-services
2. Start the iptables service and enable it so that it starts automatically at boot.
# systemctl start iptables
# systemctl enable iptables
Check what is now loaded. A fresh install of iptables-services ships the default ruleset below in /etc/sysconfig/iptables, and iptables.service loads it at start: established and related traffic, ICMP, loopback and SSH on port 22 are accepted and everything else inbound is rejected. With firewalld's default CleanupOnExit=yes (in /etc/firewalld/firewalld.conf), stopping firewalld normally removes its own rules, so you should see exactly this. Extra chains with firewalld's naming (for example IN_public) mean its rules are still loaded.
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Clearing leftover firewalld rules
1. If rules left over from firewalld are still present, you can clear them with the commands below. Understand what they do before running them: with the built-in chains' policy at ACCEPT, flushing leaves the host with no inbound filtering at all, and "service iptables save" then writes that empty ruleset to /etc/sysconfig/iptables, so the open state survives a reboot. Run this only from a console or over a connection you will not lose, and load and save your own rules immediately afterwards. Note that "iptables -X" without "-t" removes user-defined chains in the filter table only; firewalld chains in the nat or mangle tables need "-t nat -X" and "-t mangle -X" as well.
# iptables -t nat -F
# iptables -t mangle -F
# iptables -F
# iptables -X
# service iptables save
2. After running the above commands the ruleset is empty, as shown below; every chain accepts everything until you load your own rules.
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
CentOS / RHEL 7 : Never run the iptables service and FirewallD service at the same time!
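The whole procedure above, as one script. This is an added example, not code from the original post; the script name switch-to-iptables.sh and the SSH_PORT knob are assumptions, and it assumes CentOS/RHEL 7 with systemd, yum and the iptables-services package. It differs from the post in two ways a practitioner would want: instead of flushing to an empty ACCEPT-all table it writes a baseline ruleset (the same rules as the default file shown above) to /etc/sysconfig/iptables and syntax-checks it with iptables-restore --test before iptables.service loads it, and it refuses to finish if firewalld and iptables are both active. Without arguments it only prints the ruleset it would install; "apply" performs the switch and must run as root.

```shell
#!/bin/sh
# switch-to-iptables.sh (hypothetical name): added example, not from the original post.
# Dry run by default: prints the ruleset it would install.
#   ./switch-to-iptables.sh          # dry run
#   sudo ./switch-to-iptables.sh apply
# Assumes CentOS/RHEL 7 with systemd, yum and the iptables-services package.
set -eu

RULES_FILE=/etc/sysconfig/iptables   # file iptables.service loads at start
SSH_PORT="${SSH_PORT:-22}"           # assumed knob: SSH port to keep open

# Emit a baseline ruleset in iptables-save format. It mirrors the default
# ruleset shown in the post (established/related, ICMP, loopback, SSH,
# reject the rest) so the host is never left with an empty ACCEPT-all table.
baseline_ruleset() {
    port="${1:-22}"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport ${port} -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Succeed unless both services are active at once. Takes the two
# `systemctl is-active` results as arguments so it can be exercised
# without root or systemd.
services_exclusive() {
    fw_state="$1"
    ipt_state="$2"
    if [ "$fw_state" = "active" ] && [ "$ipt_state" = "active" ]; then
        return 1
    fi
    return 0
}

# Perform the switch. Every step is one from the post; the additions are
# the syntax check before the file is written and the final exclusivity check.
apply_switch() {
    [ "$(id -u)" -eq 0 ] || { echo "apply must run as root" >&2; return 1; }

    # 1. Stop firewalld, keep it from starting at boot, and mask it so no
    #    other unit can pull it back in.
    systemctl stop firewalld
    systemctl disable firewalld
    systemctl mask firewalld

    # 2. Install the iptables unit files and /etc/sysconfig/iptables handling.
    yum -y install iptables-services

    # 3. Write the baseline ruleset, then validate it (parse only, nothing
    #    is loaded into the kernel) before it replaces the shipped file.
    baseline_ruleset "$SSH_PORT" > "$RULES_FILE.new"
    iptables-restore --test "$RULES_FILE.new"
    mv "$RULES_FILE.new" "$RULES_FILE"
    chmod 600 "$RULES_FILE"

    # 4. Enable and start iptables; iptables.service loads RULES_FILE, which
    #    replaces the filter table. nat/mangle are untouched by this file,
    #    so flush them as in the post if firewalld chains remain there.
    systemctl enable iptables
    systemctl start iptables

    # 5. Refuse to finish if both firewall services are somehow active.
    services_exclusive "$(systemctl is-active firewalld || true)" \
                       "$(systemctl is-active iptables || true)" \
        || { echo "both firewalld and iptables are active; fix before continuing" >&2; return 1; }

    iptables -S   # show the loaded rules in restore-file syntax
}

case "${1:-dry-run}" in
    apply)   apply_switch ;;
    dry-run) baseline_ruleset "$SSH_PORT" ;;
    *)       echo "usage: $0 [dry-run|apply]" >&2 ;;
esac
```

Run the dry run first and compare its output with the default file: any rule you add (a custom SSH port via SSH_PORT, extra service ports) goes into baseline_ruleset, so the saved file and the running ruleset never disagree. The masking step is deliberately kept even though the service is already disabled, for the reason given above.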