If you, like me, can’t get used to the “new” firewalld in RHEL/CentOS 7 or you have some automation scripts that expect iptables, then I’ve got good news for you :) It’s rather easy to disable firewalld and go back to a “normal” iptables configuration as it used to be.
There are no special tricks or custom actions involved that would break your system or leave it in a state where you have to be afraid of updating.
You can simply do the following:
Install the iptables-services package from the standard repositories:
sudo yum install iptables-services
Stop and disable firewalld:
sudo systemctl stop firewalld
sudo systemctl disable firewalld
Start and enable iptables:
sudo systemctl start iptables
sudo systemctl start ip6tables
sudo systemctl enable iptables
sudo systemctl enable ip6tables
Create your rules in /etc/sysconfig/iptables as you did before or use normal iptables commands and save your rules with iptables itself.
For example: to open TCP port 80:
sudo iptables -I INPUT 1 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
sudo service iptables save
The resulting rules can be viewed with:
[jensd@cen ~]$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
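The steps above collected into one script, as an added example that is not code from the original post: render_ruleset produces a /etc/sysconfig/iptables file in iptables-save format with the same policy as the listing above (extra TCP ports first, then established traffic, ICMP, loopback, SSH, reject the rest), write_ruleset stores it atomically with root-only permissions, and migrate_to_iptables runs the post's yum and systemctl steps when invoked as root with --apply. The RULES_FILE variable, the --apply/--render flags and the port list are choices made here, not from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's manual steps as
# one script. render_ruleset reproduces the policy shown in the post's
# `iptables -L -n` listing in iptables-save format; the ports, the output path
# and the --apply/--render flags are assumptions made here, not from the post.
set -u

RULES_FILE=${RULES_FILE:-/etc/sysconfig/iptables}

# render_ruleset PORT... : print a filter-table ruleset that accepts new
# connections to the given TCP ports, established traffic, ICMP, loopback and
# SSH, then rejects the rest (extra ports come first, as `-I INPUT 1` would place them).
render_ruleset() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    for _port in "$@"; do
        # -m tcp must agree with -p tcp; a -m udp here is rejected by the kernel
        printf '%s\n' "-A INPUT -p tcp -m state --state NEW -m tcp --dport $_port -j ACCEPT"
    done
    printf '%s\n' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p icmp -j ACCEPT' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
        '-A FORWARD -j REJECT --reject-with icmp-host-prohibited' \
        'COMMIT'
}

# write_ruleset FILE PORT... : write the ruleset atomically (temp file + rename),
# readable by root only; the iptables service reads it as root and nobody else needs it.
write_ruleset() {
    _dest=$1; shift
    _tmp=$(mktemp "$_dest.XXXXXX") || return 1
    render_ruleset "$@" > "$_tmp" && chmod 600 "$_tmp" && mv "$_tmp" "$_dest"
}

# migrate_to_iptables PORT... : the post's steps in order, with a parse-only
# check of the generated file before the iptables service loads it.
migrate_to_iptables() {
    [ "$(id -u)" -eq 0 ] || { echo 'must run as root' >&2; return 1; }
    yum -y install iptables-services || return 1
    systemctl stop firewalld
    systemctl disable firewalld
    write_ruleset "$RULES_FILE" "$@" || return 1
    # iptables-restore --test parses and builds the ruleset without committing it
    iptables-restore --test < "$RULES_FILE" || return 1
    systemctl start iptables ip6tables || return 1
    systemctl enable iptables ip6tables
}

case ${1:-} in
    --apply)  shift; migrate_to_iptables "$@" ;;
    --render) shift; render_ruleset "$@" ;;
esac
```

Run `sh migrate.sh --render 80` to inspect the file that would be written, and `sudo sh migrate.sh --apply 80` to perform the switch; the rendered file is what `service iptables save` would otherwise produce from the live rules.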
That’s all it takes…
I am following all the steps and when I run
sudo iptables -I INPUT 1 -m state --state NEW -m udp -p tcp --dport 9010 -j ACCEPT
I am getting this error
iptables: Invalid argument. Run `dmesg' for more information.
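The command in the comment above fails because `-m udp` loads the UDP match module on a rule whose protocol is `-p tcp`; the kernel refuses that combination with EINVAL, which iptables reports as "Invalid argument" (with `-m tcp`, or simply without the `-m udp`, the rule loads). As an added example that is not part of the post or the comment, a small shell lint that catches this mismatch before a rule is handed to iptables; the function names and the sample rules in the test are constructed here.

```shell
#!/bin/sh
# Added example, not from the post or the comment: lint an iptables rule's
# arguments for a protocol match module (-m tcp/udp/...) that contradicts -p
# before the rule is handed to iptables. The kernel refuses such a rule with
# EINVAL, which iptables prints as "iptables: Invalid argument". The function
# names here (check_rule, checked_iptables) are constructed for this example.

# check_rule ARG... : return 0 if every protocol match module agrees with -p
# and any port option has a protocol to attach to; otherwise say why and return 1.
check_rule() {
    _proto=""; _mods=""; _ports=0; _expect=""
    for _arg in "$@"; do
        # the previous argument was -p or -m, so this one is its value
        if [ -n "$_expect" ]; then
            case $_expect in
                proto) _proto=$(printf '%s' "$_arg" | tr 'A-Z' 'a-z') ;;
                match) case $_arg in
                           tcp|udp|udplite|icmp|sctp|dccp) _mods="$_mods $_arg" ;;
                       esac ;;
            esac
            _expect=""
            continue
        fi
        case $_arg in
            -p|--protocol) _expect=proto ;;
            -m|--match)    _expect=match ;;
            --dport|--sport|--destination-port|--source-port|--dports|--sports) _ports=1 ;;
        esac
    done
    # a protocol match module is only valid for its own protocol
    for _m in $_mods; do
        if [ "$_m" != "$_proto" ]; then
            echo "rule error: -m $_m needs -p $_m, but the rule uses -p ${_proto:-<none>}" >&2
            return 1
        fi
    done
    # --dport/--sport belong to the tcp/udp/... match, which needs -p to be set
    if [ "$_ports" -eq 1 ] && [ -z "$_proto" ]; then
        echo 'rule error: port options need -p tcp, -p udp, ... on the rule' >&2
        return 1
    fi
    return 0
}

# checked_iptables ARG... : hand the rule to iptables only if the lint passes.
checked_iptables() {
    check_rule "$@" || return 1
    iptables "$@"
}
```

Used as `checked_iptables -I INPUT 1 -m state --state NEW -m udp -p tcp --dport 9010 -j ACCEPT`, the lint stops with a message naming the `-m udp`/`-p tcp` conflict instead of the bare "Invalid argument" from the kernel.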
Thank you for sharing your insights, awaiting other explanatory explanations
I don't think iptables-services is needed