/etc/sysconfig/iptables Syntax
The last two router/firewall servers I had used Slackware and Gentoo. I’m used to writing complete and explicit iptables rules; however, when I
set up /etc/sysconfig/iptables in CentOS 7 my usual syntax is unusable.
For example, I’m used to stating postrouting masquerade as:
/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 -j MASQUERADE
But when I use the rule above, iptables.service fails upon start and exits.
Through a series of trial and error, I found a correct masquerade statement:
*nat
-A POSTROUTING -o eth0 -s 10.10.10.0/24 -j MASQUERADE
COMMIT
This looks similar to output from iptables-save.
Another example:
/usr/sbin/iptables -t filter -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
[DOES NOT WORK]
*filter
-A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
COMMIT
[DOES WORK]
After using iptables for a long time, I can’t figure out where this syntax comes from. Can anyone point me in the right direction to understand the proper syntax necessary in /etc/sysconfig/iptables?
Thanks for your help.
12 thoughts on - /etc/sysconfig/iptables Syntax
By default CentOS 7 uses firewalld and not iptables – check what is enabled and running with
>systemctl status firewalld.service or if you want to see all that is running on your server/PC
>systemctl
HTH
systemctl reports:
systemctl status firewalld.service
● firewalld.service
Loaded: masked (/dev/null)
Active: inactive (dead)
I disabled/removed firewalld and installed/enabled iptables.
On 23 May 2016 05:56, “Mike” <1100100@gmail.com> wrote:
You can configure ‘iptables’ from the command line as you normally would and then run
iptables-save > /etc/sysconfig/iptables
On CentOS<=6 the init.d script also included a 'save' command to do it for you, I'm not sure about the systemd unit file though. HTH, Barak
Hi Barak,
If I’m understanding correctly, write out all rules in a bash terminal and run them, and then do /usr/sbin/iptables-save —
~#/usr/sbin/iptables rule;
~#/usr/sbin/iptables rule;
~#/usr/sbin/iptables rule;
~#/usr/sbin/iptables rule;
~#/usr/sbin/iptables rule;
~#/usr/sbin/iptables rule;
~#/usr/sbin/iptables rule;
~#/usr/sbin/iptables rule;
~#/usr/sbin/iptables rule;
~#/usr/sbin/iptables rule;
~#/usr/sbin/iptables rule;
~#/usr/sbin/iptables rule
~#/usr/sbin/iptables-save > /etc/sysconfig/iptables
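The difference between the two syntaxes in the question and the iptables-save workflow Barak suggests comes down to one layout: /etc/sysconfig/iptables is read by iptables-restore, so it wants one `*table` block per table, rules without the `iptables -t table` prefix, and a `COMMIT` after each block. As an added example (not code from this thread), the POSIX sh/awk converter below takes ordinary iptables command lines and emits that layout. The function names are my own and the sample rules are the two from the question.

```shell
#!/bin/sh
# Convert "iptables -t TABLE -A CHAIN ..." command lines into the
# iptables-save layout used by /etc/sysconfig/iptables:
#   *table
#   -A CHAIN ...       (rule with the command and -t prefix stripped)
#   COMMIT
# Tables appear in the order they are first seen; rules without -t go
# to "filter", which is iptables' default table.
to_iptables_save() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }                 # skip blank and comment lines
    {
        table = "filter"
        rule = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /(^|\/)iptables$/) continue   # drop the command itself (any path)
            if ($i == "-t" || $i == "--table") {   # remember the table, drop the option
                table = $(i + 1); i++; continue
            }
            rule = (rule == "" ? $i : rule " " $i)
        }
        if (!(table in seen)) { seen[table] = 1; order[++n] = table }
        rules[table] = rules[table] "\n" rule
    }
    END {
        for (k = 1; k <= n; k++) {
            t = order[k]
            printf "*%s%s\nCOMMIT\n", t, rules[t]
        }
    }'
}

# Constructed sample input: the two rules from the question, in the
# command-line form that iptables.service rejects when written verbatim.
sample_rules() {
    cat <<'EOF'
/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 -j MASQUERADE
/usr/sbin/iptables -t filter -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
EOF
}

# Stand-alone run: print the converted rule set. Redirect to
# /etc/sysconfig/iptables once the output has been reviewed.
sample_rules | to_iptables_save
```

Before enabling iptables.service on the result, `iptables-restore --test < /etc/sysconfig/iptables` parses the file without loading it and reports the line that iptables-restore cannot read, which is exactly the failure the question describes.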
You need to disable firewalld and install iptables, if you really want to use the old way:
https://www.certdepot.net/rhel7-disable-firewalld-use-iptables/
Firewalld is the preferred way. You should learn it.
Yep. And you can copy ‘/etc/sysconfig/iptables’ around if you have identical machines and no machine-specific rules…
(Note, you can even port the rules from other Linux distros as iptables-save exists there as well)
Thank you, Mr. Korren. I’ll practice a few times and see if I can reproduce my original rule set.
Best regards.
Are there any good tools for converting an iptables-save file to a Firewalld configuration?
The closest thing I could find to an iptables to firewalld conversion tool was Offline Configuration. The firewall-offline-cmd command was created to help set up firewall rules when Firewalld is not running.
For instance, to open the tcp port 22, you would type in the
/etc/sysconfig/iptables file:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
Instead, you can now execute the following command:
# firewall-offline-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
It’s not that convenient for a rule-set of 250 lines, but with a little creative copying/pasting between the iptables rules and the
“firewall-offline-cmd --direct --add-rule ipv4 filter”
and “firewall-offline-cmd --direct --add-rule ipv4 nat” statements, I
suppose a decent conversion can be completed.
Of course, you’d still need to apply rules to the correct zones which I’m still trying to digest.
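The copy/paste step described in this reply is mechanical enough to script. As an added example (not code from this thread or from the firewalld project), the sh/awk filter below reads an iptables-save style file, tracks the current `*table`, and turns each `-A CHAIN ...` line into a `firewall-offline-cmd --direct --add-rule ipv4 <table> <chain> 0 ...` command. It prints the commands for review rather than executing them; the function names are my own, and the sample file is constructed from the SSH rule above plus the masquerade rule from the question.

```shell
#!/bin/sh
# Transliterate the -A lines of an iptables-save file into
# firewall-offline-cmd direct rules. Priority 0 is used for every rule,
# as in the example command above; chain policy lines (":INPUT ACCEPT [0:0]"),
# COMMIT and comments are skipped because direct rules have no equivalent.
to_firewalld_direct() {
    awk '
    /^#/ || NF == 0 { next }                  # "# Generated by iptables-save", blank lines
    /^\*/ { table = substr($1, 2); next }     # "*filter" -> current table name
    /^:/ { next }                             # chain default policy and counters
    $1 == "COMMIT" { next }
    $1 == "-A" || $1 == "--append" {
        chain = $2
        rest = ""
        for (i = 3; i <= NF; i++) rest = (rest == "" ? $i : rest " " $i)
        printf "firewall-offline-cmd --direct --add-rule ipv4 %s %s 0 %s\n", table, chain, rest
    }'
}

# Constructed sample: a minimal /etc/sysconfig/iptables with the SSH rule
# from this reply and the masquerade rule from the question.
sample_save_file() {
    cat <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -s 10.10.10.0/24 -j MASQUERADE
COMMIT
EOF
}

# Stand-alone run: print the generated commands for review.
sample_save_file | to_firewalld_direct
```

Only `-A` rules are handled, and the output is a literal transliteration: direct rules sit outside firewalld's zones and services, so the generated commands reproduce the old rule set without placing anything in a zone. Run them only after reading them through, and with firewalld stopped, which is the situation firewall-offline-cmd exists for.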
Well, no. It’s a bit of a different animal.
Eero
2016-05-23 22:24 GMT+03:00 Kenneth Porter:
Using DIRECT bypasses all the zone and service stuff.
Frankly, if you’re going to DIRECT everything then you really are better off masking (and removing) firewalld and installing iptables-service and just using the old traditional way.
James, thanks for some much-needed clue. :-)