[CentOS] Firewalld and iptables

Fri Dec 14 22:57:32 UTC 2018
Jon LaBadie <jcu at labadie.us>

On Fri, Dec 14, 2018 at 03:14:12PM -0700, Warren Young wrote:
> On Dec 14, 2018, at 2:30 PM, Jon LaBadie <jcu at labadie.us> wrote:
> > 
> > After a recent large update, firewalld's status contains
> > many lines of the form:
> > 
> >  WARNING: COMMAND_FAILED: '/usr/sbin/iptables…
> What’s the rest of the command?

Well, there are about 20 of them and several screen widths
long.  However they all end with one of two reasons:

  : No chain/target/match by that name.
  : Bad rule (does a matching rule exist in that chain?).

> > Checking iptables.service status shows it to be masked.
> That’s probably from package iptables-services, which isn’t installed by default on purpose. It’s the legacy service from before firewalld was made the default.  Use one or the other, not both.

After the update I got email from "ckservices" that firewalld was down.
I saw the above mentioned iptable errors and checked the iptables.service
to find it masked.  I shutdown firewalld, unmasked, enabled, and started
iptables.service and then firewalld.  Same errors.  So I shutdown iptables
service, masked it, and restarted firewalld.

> I strongly recommend that you use firewalld ...
Never planned to do otherwise.  Just was uncertain if iptables.service
had to run also.

Jon H. LaBadie                 jon at jgcomp.com
 11226 South Shore Rd.          (703) 787-0688 (H)
 Reston, VA  20190              (703) 935-6720 (C)