I apologize if this has been asked and answered, but I googled and attempted things for several hours today without success.
I have a freshly installed CentOS 7 system on which I'd like to disable the firewall and all iptables rules. Basically the equivalent of doing iptables -F.
In a nutshell I've tried the following commands, in many different ways and orders, but when the system restarts it still seems to end up with some form of default rules. It even has a couple of rules specifying 192.168.122.0 and I can't figure out where they're coming from.
#Disable Firewall
systemctl stop firewalld
systemctl disable firewalld
rm '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
rm '/etc/systemd/system/basic.target.wants/firewalld.service'
systemctl disable firewalld
systemctl stop firewalld
iptables --flush
iptables --list
iptables -L
yum install iptables-services
service iptables save
systemctl enable iptables
service iptables save
Any help is appreciated.
Thanks James
On Mar 22, 2017, at 7:56 PM, James Pifer jep@obrien-pifer.com wrote:
> In a nutshell I've tried the following commands, in many different ways and orders, but when the system restarts it still seems to end up with some form of default rules. It even has a couple of rules specifying 192.168.122.0 and I can't figure out where they're coming from.
libvirtd? That network is the range it tends to use for routing private networking.
Also, you should look into using ‘systemctl mask unitname’ to make it not run, rather than just deleting a symlink.
-- Jonathan Billings billings@negate.org
Date: Wed, 22 Mar 2017 19:56:03 -0400 James Pifer jep@obrien-pifer.com wrote:
> I apologize if this has been asked and answered, but I googled and attempted things for several hours today without success.
Iptables isn't used by default, at least not directly. The easiest way to disable the firewall is:
# systemctl mask firewalld
and restart the machine.
The 192.168.122.0 subnet is something for libvirt and KVM. I have it completely disabled on my local machines and VPSes without any problem.
If you write specific rules in /etc/sysconfig/iptables and /etc/sysconfig/ip6tables, with -F -X -P INPUT DROP at the beginning, any trace of 192.168.122 will be gone. Here are my IPv4 rules for my local machines:
------------------------
*filter
-F
-X
-P INPUT DROP
-A INPUT -s 0/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# localhost
-A INPUT -i lo -j ACCEPT
# ping
-A INPUT -p icmp -j ACCEPT
# ssh
-A INPUT -s 192.168.234.0/24 -p tcp --dport 22 -j ACCEPT
COMMIT
------------------------
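The replies above point at two different sources for rules that keep reappearing after a reboot: firewalld's own zone chains and libvirt's default NAT network on 192.168.122.0/24 (bridge virbr0). The script below is an added example, not code from anyone in this thread; it takes an iptables-save dump and sorts the rule lines into "installed by libvirt" and "installed by firewalld" so you can confirm where a stray rule comes from before deciding which service to mask. The dump is constructed for this example: it mirrors the shape of rules libvirt and firewalld typically install, but it is not captured from the poster's machine, and the interface name eth0 is assumed.

```shell
#!/bin/sh
# Added example: attribute rules in an `iptables-save` dump to libvirt or firewalld.
# Run on a real host as:  iptables-save | classify_dump   (see the bottom of the file).

# Constructed sample dump (assumed shapes, not captured from the thread's system).
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT_ZONES - [0:0]
:IN_public - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT_ZONES -i eth0 -j IN_public
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
COMMIT'

# Only the "-A ..." lines are rules; ":CHAIN", "*table" and COMMIT are structure.
rule_lines() {
    printf '%s\n' "$1" | grep -E '^-A '
}

# Rules that mention libvirt's default network or its bridge interface.
# These come back whenever libvirtd starts the "default" network, regardless
# of what is in /etc/sysconfig/iptables.
libvirt_rules() {
    rule_lines "$1" | grep -E -- '192\.168\.122\.0/24|(^| )-[io] virbr0( |$)'
}

# Rules that jump into chains firewalld creates: the zone dispatch chains
# (INPUT_ZONES, FORWARD_IN_ZONES, ...) and per-zone chains (IN_public, FWDI_public, ...).
# Their presence means firewalld, not iptables-services, loaded the ruleset.
firewalld_rules() {
    rule_lines "$1" | grep -E -- '-j (INPUT|FORWARD_IN|FORWARD_OUT|OUTPUT)_ZONES|-j (IN|FWDI|FWDO|OUT)_[A-Za-z0-9_]+'
}

# Rules that belong to neither: these are the ones /etc/sysconfig/iptables
# (or a hand-typed iptables command) is responsible for.
other_rules() {
    rule_lines "$1" | grep -v -E -- '192\.168\.122\.0/24|(^| )-[io] virbr0( |$)' \
                    | grep -v -E -- '-j (INPUT|FORWARD_IN|FORWARD_OUT|OUTPUT)_ZONES|-j (IN|FWDI|FWDO|OUT)_[A-Za-z0-9_]+'
}

# Counting helpers; `grep -c .` ignores the empty output of an unmatched grep.
count_libvirt_rules()   { libvirt_rules "$1"   | grep -c . ; }
count_firewalld_rules() { firewalld_rules "$1" | grep -c . ; }
count_other_rules()     { other_rules "$1"     | grep -c . ; }

# Human-readable report for a dump passed on stdin (e.g. from iptables-save).
classify_dump() {
    dump=$(cat)
    printf '== libvirt (mask libvirtd or remove the default network) ==\n'
    libvirt_rules "$dump"
    printf '== firewalld (systemctl mask firewalld) ==\n'
    firewalld_rules "$dump"
    printf '== other (check /etc/sysconfig/iptables) ==\n'
    other_rules "$dump"
}

# Demonstrate on the constructed sample when run directly.
printf '%s\n' "$SAMPLE_DUMP" | classify_dump
```

On a live CentOS 7 box, pipe `iptables-save` into `classify_dump`; an empty "other" section together with a populated "libvirt" section is exactly the situation the thread describes, and the fix is on the libvirt side rather than in the iptables rules file.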
On 3/24/2017 3:16 AM, Łukasz Posadowski wrote:
> Date: Wed, 22 Mar 2017 19:56:03 -0400 James Pifer jep@obrien-pifer.com wrote:
> > I apologize if this has been asked and answered, but I googled and attempted things for several hours today without success.
> Iptables isn't used by default, at least not directly. The easiest way to disable the firewall is:
> # systemctl mask firewalld
> and restart the machine.
> The 192.168.122.0 subnet is something for libvirt and KVM. I have it completely disabled on my local machines and VPSes without any problem.
> If you write specific rules in /etc/sysconfig/iptables and /etc/sysconfig/ip6tables, with -F -X -P INPUT DROP at the beginning, any trace of 192.168.122 will be gone. Here are my IPv4 rules for my local machines:
> *filter
> -F
> -X
> -P INPUT DROP
> -A INPUT -s 0/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> # localhost
> -A INPUT -i lo -j ACCEPT
> # ping
> -A INPUT -p icmp -j ACCEPT
> # ssh
> -A INPUT -s 192.168.234.0/24 -p tcp --dport 22 -j ACCEPT
> COMMIT
Thanks for the help.
Basically I was making it more complex than it needed to be. Disabling firewalld and removing the libvirt NIC did the job.
Thanks James