Use iptables instead of firewalld in RHEL 7 or CentOS 7

If you, like me, can’t get used to the “new” firewalld in RHEL/CentOS 7 or you have some automation scripts that expect iptables, then I’ve got good news for you :) It’s rather easy to disable firewalld and go back to a “normal” iptables configuration as it used to be.

There are no special tricks involved and/or custom actions that would break your system or put it in a way that you have to be affraid of updating.

You can simply do the following:

Install the iptables-services package from the standard repositories:

sudo yum install iptables-services

Stop and disable  firewalld:

sudo systemctl stop firewalld
sudo systemctl disable firewalld

Start and enable iptables:

sudo systemctl start iptables
sudo systemctl start ip6tables
sudo systemctl enable iptables
sudo systemctl enable ip6tables

Create your rules in /etc/sysconfig/iptables as you did before or use normal iptables commands and save your rules with iptables itself.

For example: to open TCP port 80:

sudo iptables -I INPUT 1 -m state --state NEW -m udp -p tcp --dport 80 -j ACCEPT
sudo service iptables save

The result of rules can be viewed with:

[jensd@cen ~]$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

That’s all it takes…

4 thoughts on “Use iptables instead of firewalld in RHEL 7 or CentOS 7

  1. I am following all the steps and when I run

    sudo iptables -I INPUT 1 -m state –state NEW -m udp -p tcp –dport 9010 -j ACCEPT

    I am getting this error
    iptables: Invalid argument. Run `dmesg’ for more information.

  2. Pingback: Forward a TCP port to another IP or port using NAT with Iptables - Nguyễn Duy

Leave a Reply

Your email address will not be published. Required fields are marked *