The last two router/firewall servers I had used Slackware and Gentoo. I'm used to writing complete and explicit iptables rules; however, when I set up /etc/sysconfig/iptables in CentOS 7 my usual syntax is unusable.
For example, I'm used to stating postrouting masquerade as:
/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 -j MASQUERADE
But when I use the rule above, iptables.service fails upon start and exits.
Through a series of trial and error, I found a correct masquerade statement:
*nat
-A POSTROUTING -o eth0 -s 10.10.10.0/24 -j MASQUERADE
COMMIT
This looks similar to output from iptables-save.
Another example:
/usr/sbin/iptables -t filter -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP [DOES NOT WORK]
*filter
-A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
COMMIT
[DOES WORK]
After using iptables for a long time, I can't figure out where this syntax comes from. Can anyone point me in the right direction to understand the proper syntax necessary in /etc/sysconfig/iptables?
Thanks for your help.
On 23/05/16 14:55, Mike wrote:
The last two router/firewall servers I had used Slackware and Gentoo. I'm used to writing complete and explicit iptables rules; however, when I set up /etc/sysconfig/iptables in CentOS 7 my usual syntax is unusable.
For example, I'm used to stating postrouting masquerade as:
/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 -j MASQUERADE
But when I use the rule above, iptables.service fails upon start and exits.
Through a series of trial and error, I found a correct masquerade statement:
*nat
-A POSTROUTING -o eth0 -s 10.10.10.0/24 -j MASQUERADE
COMMIT
This looks similar to output from iptables-save.
Another example:
/usr/sbin/iptables -t filter -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP [DOES NOT WORK]
*filter
-A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
COMMIT
[DOES WORK]
After using iptables for a long time, I can't figure out where this syntax comes from. Can anyone point me in the right direction to understand the proper syntax necessary in /etc/sysconfig/iptables?
By default CentOS 7 uses firewalld and not iptables - check what is enabled and running with
systemctl status firewalld.service
or if you want to see all that is running on your server/PC
systemctl
HTH
Thanks for your help.
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
On Sun, May 22, 2016 at 11:02 PM, Rob Kampen rkampen@kampensonline.com wrote:
By default CentOS 7 uses firewalld and not iptables - check what is
enabled and running with
systemctl status firewalld.service
systemctl reports:
systemctl status firewalld.service
● firewalld.service
   Loaded: masked (/dev/null)
   Active: inactive (dead)
I disabled/removed firewalld and installed/enabled iptables.
You need to disable firewalld and install iptables, if you really want to use the old way:
https://www.certdepot.net/rhel7-disable-firewalld-use-iptables/
Firewalld is the preferred way. You should learn it.
-- Eero
2016-05-23 5:55 GMT+03:00 Mike 1100100@gmail.com:
The last two router/firewall servers I had used Slackware and Gentoo. I'm used to writing complete and explicit iptables rules; however, when I set up /etc/sysconfig/iptables in CentOS 7 my usual syntax is unusable.
For example, I'm used to stating postrouting masquerade as:
/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 -j MASQUERADE
But when I use the rule above, iptables.service fails upon start and exits.
Through a series of trial and error, I found a correct masquerade statement:
*nat
-A POSTROUTING -o eth0 -s 10.10.10.0/24 -j MASQUERADE
COMMIT
This looks similar to output from iptables-save.
Another example:
/usr/sbin/iptables -t filter -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP [DOES NOT WORK]
*filter
-A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
COMMIT
[DOES WORK]
After using iptables for a long time, I can't figure out where this syntax comes from. Can anyone point me in the right direction to understand the proper syntax necessary in /etc/sysconfig/iptables?
Thanks for your help.
The closest thing I could find to an iptables to firewalld conversion tool was Offline Configuration. The firewall-offline-cmd command was created to help set up firewall rules when Firewalld is not running.
For instance, to open the tcp port 22, you would type in the /etc/sysconfig/iptables file:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
Instead, you can now execute the following command:
# firewall-offline-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
It's not that convenient for a rule-set of 250 lines, but with a little creative copying/pasting between the iptables rules and the "firewall-offline-cmd --direct --add-rule ipv4 filter" and "firewall-offline-cmd --direct --add-rule ipv4 nat" statements, I suppose a decent conversion can be completed.
Of course, you'd still need to apply rules to the correct zones which I'm still trying to digest.
On Mon, May 23, 2016 at 3:24 PM, Kenneth Porter shiva@sewingwitch.com wrote:
On 5/22/2016 9:45 PM, Eero Volotinen wrote:
Firewalld is the preferred way. You should learn it.
Are there any good tools for converting an iptables-save file to a Firewalld configuration?
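The copy/paste conversion Mike describes above, together with the *table/COMMIT layout from the first post, as an added example that is not from the thread or from firewalld itself: a POSIX sh function that reads an iptables-save style /etc/sysconfig/iptables and prints the matching firewall-offline-cmd --direct commands. It goes beyond the single-rule case in the post by also emitting --add-chain for user-defined chains (policy "-" in the ":CHAIN" line) and by rejecting bare "iptables -A ..." command lines, which is exactly what makes iptables.service fail; the sample rules are constructed, and --direct rules bypass firewalld zones and services entirely.

```shell
#!/bin/sh
# Added example, not from the thread. Reads an /etc/sysconfig/iptables file in
# iptables-save layout (*table ... COMMIT blocks) and prints the equivalent
# firewall-offline-cmd --direct commands. Assumes POSIX sh and awk only.
# Note: --direct rules bypass firewalld zones and services entirely.

convert_rules() {
    # $1: path to an iptables-save style file. One command per line on stdout,
    # malformed input (e.g. a bare "iptables -A ..." command line) on stderr.
    awk '
        /^#/ || /^[ \t]*$/ { next }                  # comments and blank lines
        /^\*/ { table = substr($0, 2); next }        # "*nat" -> table="nat"
        /^COMMIT$/ { table = ""; next }              # end of table block
        table == "" { print "ERROR: line outside *table/COMMIT block: " $0 > "/dev/stderr"; next }
        /^:/ {                                       # ":CHAIN POLICY [pkts:bytes]"
            name = substr($1, 2)
            if ($2 == "-")                           # policy "-" = user-defined chain
                printf "firewall-offline-cmd --direct --add-chain ipv4 %s %s\n", table, name
            next
        }
        /^-A / {                                     # "-A CHAIN <match/target args>"
            chain = $2; rest = ""
            for (i = 3; i <= NF; i++) rest = rest (i > 3 ? " " : "") $i
            printf "firewall-offline-cmd --direct --add-rule ipv4 %s %s 0 %s\n", table, chain, rest
            next
        }
        { print "ERROR: not iptables-save syntax: " $0 > "/dev/stderr" }
    ' "$1"
}

# Constructed sample input in the layout that iptables.service actually loads.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -s 10.10.10.0/24 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
:LAN_IN - [0:0]
-A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j LAN_IN
COMMIT
EOF
convert_rules "$sample"
rm -f "$sample"
```

Rules are appended at direct priority 0 in file order, so relative ordering within a chain is preserved; review the printed commands before running them on a host.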
On 23 May 2016 21:03, "Mike" 1100100@gmail.com wrote:
The closest thing I could find to an iptables to firewalld conversion tool was Offline Configuration. The firewall-offline-cmd command was created to help set up firewall rules when Firewalld is not running.
For instance, to open the tcp port 22, you would type in the /etc/sysconfig/iptables file:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
Instead, you can now execute the following command:
# firewall-offline-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
It's not that convenient for a rule-set of 250 lines, but with a little creative copying/pasting between the iptables rules and the "firewall-offline-cmd --direct --add-rule ipv4 filter" and "firewall-offline-cmd --direct --add-rule ipv4 nat" statements, I suppose a decent conversion can be completed.
Of course, you'd still need to apply rules to the correct zones which I'm still trying to digest.
Using DIRECT bypasses all the zone and service stuff.
Frankly, if you're going to DIRECT everything then you really are better off masking (and removing) firewalld and installing iptables-service and just using the old traditional way.
On Mon, May 23, 2016 at 4:10 PM, James Hogarth james.hogarth@gmail.com wrote:
Using DIRECT bypasses all the zone and service stuff.
Frankly, if you're going to DIRECT everything then you really are better off masking (and removing) firewalld and installing iptables-service and just using the old traditional way.
James, thanks for some much-needed clue. :-)
Well, no. It's a bit of a different animal.
Eero
2016-05-23 22:24 GMT+03:00 Kenneth Porter shiva@sewingwitch.com:
On 5/22/2016 9:45 PM, Eero Volotinen wrote:
Firewalld is the preferred way. You should learn it.
Are there any good tools for converting an iptables-save file to a Firewalld configuration?