/etc/sysconfig/iptables Syntax


The last two router/firewall servers I had used Slackware and Gentoo. I’m used to writing complete and explicit iptables rules; however, when I
set up /etc/sysconfig/iptables in CentOS 7 my usual syntax is unusable.

For example, I’m used to stating postrouting masquerade as:

/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 -j MASQUERADE

But when I use the rule above, iptables.service fails upon start and exits.

Through a series of trial and error, I found a correct masquerade statement:

*nat
-A POSTROUTING -o eth0 -s 10.10.10.0/24 -j MASQUERADE
COMMIT

This looks similar to output from iptables-save.

Another example:

/usr/sbin/iptables -t filter -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
[DOES NOT WORK]

*filter
-A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
COMMIT
[DOES WORK]

After using iptables for a long time, I can’t figure out where this syntax comes from. Can anyone point me in the right direction to understand the proper syntax necessary in /etc/sysconfig/iptables?

Thanks for your help.
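As an added example (not part of the thread), here is a small POSIX shell function that rewrites command-style rules like the ones in the question into the iptables-save layout that /etc/sysconfig/iptables expects: one `*table` header per table, the rules with the `iptables` binary and `-t table` stripped, then `COMMIT`. The sample input embedded below is constructed from the rules quoted in this thread; the function name and the `--table` long option handling are this example's own.

```shell
#!/bin/sh
# Read "iptables [-t table] -A CHAIN ..." command lines on stdin and print
# them grouped per table in iptables-save format (*table / rules / COMMIT).
# Rules without -t go to the filter table, as iptables itself does.
to_sysconfig_iptables() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip blanks and comments
        {
            table = "filter"                    # iptables default table
            rule = ""
            for (i = 1; i <= NF; i++) {
                if (i == 1 && $i ~ /iptables$/) continue      # drop binary path
                if ($i == "-t" || $i == "--table") {          # table selector
                    table = $(i + 1); i++; continue
                }
                rule = (rule == "") ? $i : (rule " " $i)
            }
            if (!(table in seen)) { seen[table] = 1; order[++n] = table }
            rules[table] = rules[table] rule "\n"
        }
        END {
            for (k = 1; k <= n; k++) {          # tables in first-seen order
                t = order[k]
                printf "*%s\n%sCOMMIT\n", t, rules[t]
            }
        }
    '
}

# Constructed sample input: the rules quoted in this thread, command style.
sample_rules='/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 -j MASQUERADE
/usr/sbin/iptables -t filter -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
/usr/sbin/iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'

printf '%s\n' "$sample_rules" | to_sysconfig_iptables
```

Before writing the output to /etc/sysconfig/iptables, `iptables-restore --test < file` parses the ruleset without committing it, which catches a missing COMMIT or a rule in the wrong table.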

12 thoughts on - /etc/sysconfig/iptables Syntax

  • By default CentOS 7 uses firewalld and not iptables – check what is enabled and running with
    >systemctl status firewalld.service or if you want to see all that is running on your server/PC
    >systemctl

    HTH

  • By default CentOS 7 uses firewalld and not iptables – check what systemctl reports:

    systemctl status firewalld.service
    ● firewalld.service
    Loaded: masked (/dev/null)
    Active: inactive (dead)

    I disabled/removed firewalld and installed/enabled iptables.

  • On 23 May 2016 at 05:56, “Mike” <1100100@gmail.com> wrote:
    You can configure ‘iptables’ from the command line as you normally would and then run

    iptables-save > /etc/sysconfig/iptables

    On CentOS<=6 the init.d script also included a 'save' command to do it for you, I'm not sure about the systemd unit file though. HTH, Barak

  • Hi Barak,

    If I’m understanding correctly, write out all rules in a bash terminal and run them, and then do /usr/sbin/iptables-save —

    ~#/usr/sbin/iptables rule;
    ~#/usr/sbin/iptables rule;
    ~#/usr/sbin/iptables rule;
    ~#/usr/sbin/iptables rule;
    ~#/usr/sbin/iptables rule;
    ~#/usr/sbin/iptables rule;
    ~#/usr/sbin/iptables rule;
    ~#/usr/sbin/iptables rule;
    ~#/usr/sbin/iptables rule;
    ~#/usr/sbin/iptables rule;
    ~#/usr/sbin/iptables rule;
    ~#/usr/sbin/iptables rule

    ~#/usr/sbin/iptables-save > /etc/sysconfig/iptables

  • Yep. And you can copy ‘/etc/sysconfig/iptables’ around if you have identical machines and no machine-specific rules…
    (Note, you can even port the rules from other Linux distros as iptables-save exists there as well)

  • Thank you, Mr. Korren. I’ll practice a few times and see if I can reproduce my original rule set.

    Best regards.

  • Are there any good tools for converting an iptables-save file to a Firewalld configuration?

  • The closest thing I could find to an iptables to firewalld conversion tool was Offline Configuration. The firewall-offline-cmd command was created to help set up firewall rules when Firewalld is not running.

    For instance, to open the tcp port 22, you would type in the
    /etc/sysconfig/iptables file:

    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

    Instead, you can now execute the following command:

    # firewall-offline-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT


    It’s not that convenient for a rule-set of 250 lines, but with a little creative copying/pasting between the iptables rules and the
    “firewall-offline-cmd --direct --add-rule ipv4 filter”
    and “firewall-offline-cmd --direct --add-rule ipv4 nat” statements, I
    suppose a decent conversion can be completed.

    Of course, you’d still need to apply rules to the correct zones which I’m still trying to digest.

  • Well, no. It’s a bit of a different animal..

    Eero

    2016-05-23 22:24 GMT+03:00 Kenneth Porter:

  • Using DIRECT bypasses all the zone and service stuff.

    Frankly, if you’re going to DIRECT everything then you really are better off masking (and removing) firewalld and installing iptables-service and just using the old traditional way.